The threat actor known as Commando Cat has been linked to an ongoing cryptojacking campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain.
“The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure,” Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.
Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security.
The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a basis to instantiate a container, break out of its confines using the chroot command, and gain access to the host operating system.
The final step involves retrieving the malicious miner binary using a curl or wget command from a C&C server (“leetdbs.anondns[.]net/z”) via a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
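As an added defensive example (not code from the Trend Micro write-up), the following Python audit flags the two conditions the campaign described above depends on: a Docker remote API exposed over plain TCP without TLS verification, and a container whose HostConfig lets a process reach the host root filesystem, which is what a chroot out of the container requires. The daemon.json and `docker inspect` samples are constructed; the image name is the one reported in the article.

```python
import json

# Constructed sample daemon.json: the Docker API is bound to all interfaces
# over TCP with no "tlsverify", i.e. the misconfiguration the campaign targets.
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample shaped like `docker inspect` output. The first container
# bind-mounts the host root, so a chroot into /host reaches the host OS.
INSPECT_JSON = '''[
 {"Id": "deadbeef", "Name": "/cmd", "Config": {"Image": "cmd.cat/chattr"},
  "HostConfig": {"Privileged": false, "Binds": ["/:/host"], "PidMode": ""}},
 {"Id": "cafef00d", "Name": "/web", "Config": {"Image": "nginx:1.25"},
  "HostConfig": {"Privileged": false,
                 "Binds": ["/srv/www:/usr/share/nginx/html:ro"], "PidMode": ""}}
]'''


def exposed_api_listeners(daemon_json):
    """Return tcp:// listeners from daemon.json that are not guarded by tlsverify."""
    cfg = json.loads(daemon_json)
    tls_required = bool(cfg.get("tlsverify"))
    return [h for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not tls_required]


def host_escape_risk(inspect_json):
    """Return (name, image, reasons) for containers that can reach the host root:
    privileged, a bind mount whose source is '/', or sharing the host PID namespace."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")
        for bind in hc.get("Binds") or []:
            if bind.split(":", 1)[0] == "/":
                reasons.append(f"host root bind mount ({bind})")
        if hc.get("PidMode") == "host":
            reasons.append("pid=host")
        if reasons:
            findings.append((c["Name"].lstrip("/"), c["Config"]["Image"], reasons))
    return findings


if __name__ == "__main__":
    print("exposed API listeners:", exposed_api_listeners(DAEMON_JSON))
    for name, image, reasons in host_escape_risk(INSPECT_JSON):
        print(f"{name} ({image}): {', '.join(reasons)}")
```

On a real host, feed it the contents of /etc/docker/daemon.json and the output of `docker inspect $(docker ps -q)`.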
“The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems,” the researchers said. “This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software.”
The disclosure comes as Akamai revealed that years-old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deliver a web shell dubbed Dama as part of a campaign that has been underway since October 17, 2023.
“The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial foothold,” Akamai researchers Ron Mankivsky and Maxim Zavodchik said. “After successfully exploiting the system, the attackers will install a Chinese language web shell named Dama to maintain persistent access to the server.”
The web shell is equipped with several advanced capabilities to gather system data, upload files, scan network ports, escalate privileges, and navigate the file system, the latter of which allows threat actors to perform operations like file editing, deletion, and timestamp modification for obfuscation purposes.
“The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control,” the researchers noted. “Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems.”