'Commando Cat' Is Second Campaign of the Year Targeting Docker
The threat actor behind the campaign is still unknown, but it shares some similarities with other cryptojacking groups.
Researchers at Cado have identified a malware campaign, which they named "Commando Cat," that targets exposed Docker API endpoints.
The cryptojacking campaign has only been active since the beginning of this year, but it is already the second campaign this year to target Docker; the first used the 9hits traffic exchange application, according to the researchers. Attacks on Docker are not rare, however, especially in cloud environments.
"This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives," the researchers said. "Commando Cat is a cryptojacking campaign leveraging Docker as an initial access vector and (ab)using the service to mount the host's filesystem, before running a series of interdependent payloads directly on the host."
It is unclear who the threat actor behind Commando Cat is or where they're from, though there is an overlap in scripts and IP addresses to other groups like Team TNT, indicating a potential connection or a copycat.
The campaign conceals itself in a sophisticated way, relying on a high level of redundancy and multiple evasion techniques. Acting as a credential stealer, backdoor, and cryptocurrency miner in one, it is a highly stealthy and malicious threat.
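The two conditions the article describes, a Docker API reachable over the network and a container that bind-mounts the host's filesystem, are both visible to a defender in the daemon's own configuration and in `docker inspect` output. The following Python is an added example for this article, not code from Cado or from the campaign; it checks a constructed `daemon.json` for a TCP listener without TLS verification and a constructed `docker inspect` result for bind mounts of sensitive host paths or privileged containers. The sample JSON values, the `SENSITIVE_HOST_PATHS` list, and the function names are assumptions made for the example.

```python
import json

# Constructed sample of what `docker inspect` returns for two containers:
# the first bind-mounts the host root filesystem, the second uses a named volume.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "deadbeef0001",
        "Name": "/suspicious",
        "HostConfig": {"Binds": ["/:/host:rw"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}],
    },
    {
        "Id": "deadbeef0002",
        "Name": "/webapp",
        "HostConfig": {"Binds": ["appdata:/var/lib/app"], "Privileged": False},
        "Mounts": [{"Type": "volume", "Name": "appdata",
                    "Destination": "/var/lib/app", "RW": True}],
    },
])

# Constructed sample daemon.json that exposes the API on plain TCP without TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Host paths that should never be bind-mounted into an untrusted container
# (assumed list for this example; extend it for your environment).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def _is_sensitive(source: str) -> bool:
    """True if a bind-mount source is a sensitive host path or lies beneath one."""
    if source in SENSITIVE_HOST_PATHS:
        return True
    return any(source.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def risky_mounts(inspect_json: str) -> list[dict]:
    """Flag containers that bind-mount sensitive host paths or run privileged."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", container.get("Id"))
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue  # named volumes do not expose arbitrary host paths
            source = mount.get("Source", "")
            if _is_sensitive(source):
                findings.append({
                    "container": name,
                    "source": source,
                    "destination": mount.get("Destination"),
                    "rw": bool(mount.get("RW")),
                    "privileged": bool(container.get("HostConfig", {}).get("Privileged")),
                })
        if container.get("HostConfig", {}).get("Privileged"):
            findings.append({"container": name, "source": None, "destination": None,
                             "rw": None, "privileged": True})
    return findings


def exposed_api_listeners(daemon_json: str) -> list[str]:
    """Return TCP listeners from daemon.json that are not protected by tlsverify."""
    cfg = json.loads(daemon_json)
    return [h for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not cfg.get("tlsverify")]


if __name__ == "__main__":
    for finding in risky_mounts(SAMPLE_INSPECT):
        print("risky mount:", finding)
    for listener in exposed_api_listeners(SAMPLE_DAEMON_JSON):
        print("unauthenticated API listener:", listener)
```

On a live host the same functions can be fed the output of `docker inspect $(docker ps -q)` and the contents of `/etc/docker/daemon.json`; a TCP listener without TLS, or any bind mount of `/`, is the exposure the campaign depends on and should be treated as a finding to remediate rather than an alert to tune away.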