Thursday, December 19, 2024

Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

Jun 07, 2024 | Newsroom | Cryptojacking / Vulnerability

The threat actor known as Commando Cat has been linked to an ongoing cryptojacking attack campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain.

"The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure," Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.

Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security.

The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a basis to instantiate a container, break out of its confines using the chroot command, and gain access to the host operating system.

The final step entails retrieving the malicious miner binary using a curl or wget command from a C&C server ("leetdbs.anondns[.]net/z") via a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
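The chain above rests on two host-side conditions a defender can audit directly: a Docker remote API reachable over plain TCP without client-certificate verification, and a container created with the host's root filesystem bind-mounted into it (the precondition for the chroot step). The following Python is an added example, not code from Trend Micro, Cado Security or the article; it parses the shapes Docker uses in `daemon.json` and in `docker inspect` output, and every sample value in it is constructed.

```python
"""Audit helpers for the two misconfigurations the Commando Cat chain relies on:
an unauthenticated tcp:// Docker remote API, and a container whose HostConfig
exposes the host filesystem. Added example; input shapes follow Docker's
daemon.json and `docker inspect` JSON, all sample documents are constructed."""

import json


def daemon_findings(daemon_json: str) -> list[str]:
    """Flag tcp:// listeners in daemon.json that are not protected by tlsverify.

    daemon.json lists listen addresses under "hosts"; "tlsverify": true makes the
    daemon require a client certificate. A tcp:// host without it is exactly the
    exposed remote API the campaign targets.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls_verify:
            findings.append(f"remote API listening on {host} without tlsverify")
    return findings


def _bind_source(bind: str) -> str:
    # Docker "Binds" entries are "source:target[:options]".
    return bind.split(":", 1)[0]


def container_findings(inspect_json: str) -> list[str]:
    """Flag HostConfig settings that give a container a path to the host.

    Bind-mounting "/" from the host is what a chroot into the host needs;
    --privileged and --pid=host widen the blast radius further.
    """
    info = json.loads(inspect_json)
    host_cfg = info.get("HostConfig", {})
    image = info.get("Config", {}).get("Image", "<unknown>")
    findings = []
    for bind in host_cfg.get("Binds") or []:
        if _bind_source(bind) == "/":
            findings.append(f"{image}: host root bind-mounted ({bind})")
    if host_cfg.get("Privileged"):
        findings.append(f"{image}: privileged container")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{image}: shares host PID namespace")
    return findings


# Constructed sample documents (not captured from a real host).
DAEMON_EXPOSED = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)
DAEMON_TLS = json.dumps(
    {
        "hosts": ["tcp://0.0.0.0:2376"],
        "tlsverify": True,
        "tlscacert": "/etc/docker/ca.pem",
        "tlscert": "/etc/docker/server-cert.pem",
        "tlskey": "/etc/docker/server-key.pem",
    }
)
# Image name taken from the article; the HostConfig values are constructed.
CONTAINER_SUSPECT = json.dumps(
    {
        "Id": "constructed-id-0001",
        "Config": {"Image": "cmd.cat/chattr"},
        "HostConfig": {"Privileged": True, "Binds": ["/:/hostroot"], "PidMode": "host"},
    }
)
CONTAINER_BENIGN = json.dumps(
    {
        "Id": "constructed-id-0002",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
            "PidMode": "",
        },
    }
)

if __name__ == "__main__":
    for label, doc, check in [
        ("daemon (exposed)", DAEMON_EXPOSED, daemon_findings),
        ("daemon (tlsverify)", DAEMON_TLS, daemon_findings),
        ("container (suspect)", CONTAINER_SUSPECT, container_findings),
        ("container (benign)", CONTAINER_BENIGN, container_findings),
    ]:
        print(label, check(doc) or ["no findings"])
```

On a live host the same functions can be fed `/etc/docker/daemon.json` and the output of `docker inspect <container>`; a daemon that is instead started with `-H tcp://...` on the command line will not show the listener in `daemon.json`, so the unit file or process arguments need the same check.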

"The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems," the researchers said. "This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software."

The disclosure comes as Akamai revealed that years-old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deliver a web shell dubbed Dama as part of a campaign that has been underway since October 17, 2023.

"The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial foothold," Akamai researchers Ron Mankivsky and Maxim Zavodchik said. "After successfully exploiting the system, the attackers will install a Chinese language web shell named Dama to maintain persistent access to the server."

The web shell is equipped with several advanced capabilities to gather system data, upload files, scan network ports, escalate privileges, and navigate the file system, the latter of which enables threat actors to perform operations like file editing, deletion, and timestamp modification for obfuscation purposes.

"The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control," the researchers noted. "Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems."
