Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API…

216.73.217.22

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

· Published 07/06/2024 07:48 · Modified 07/06/2024 08:07

Essential information

Published: 07/06/2024 07:48
Modified: 07/06/2024 08:07
Tags: 2024-06-07 cloud containers cryptocurrency cryptojacking docker malware ziggystartux
Related entities: 7 observables, 6 techniques (mitre), 1 malware

Description

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency miners and establish command and control infrastructure. The analysis provides indicators of compromise, recommended mitigations, and relevant MITRE ATT&CK techniques.

External references

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/f/commando-cat/ioc-commando-cat.txt
https://www.trendmicro.com/en_us/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html
https://otx.alienvault.com/pulse/6662bb4eee92b98fca9c395a