The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker

Commando Cat is a novel cryptojacking campaign that exploits exposed Docker API endpoints to gain initial access and run a chain of host-level payloads. It deploys backdoors, credential theft targeting AWS, GCP, and Azure, and a cryptocurrency miner, all while using evasion techniques such as process hiding and a Docker Registry blackhole. #CommandoCat #Docker #CommandoProject #TinyShell #gs-netcat #TeamTNT

Keypoints

  • Commando Cat targets exposed Docker API endpoints to deliver its payloads over the Internet.
  • It escapes the infected Docker container to mount the host filesystem and installs multiple host payloads (gsc, c3pool_miner, dockercache).
  • The user.sh payload creates an SSH backdoor by adding keys and a new persistent user, enabling root or privileged access.
  • Tshd.sh deploys TinyShell; gsc.sh deploys gs-netcat for NAT traversal and backdoor persistence via systemd.
  • aws.sh exfiltrates cloud-provider credentials (AWS, GCP, Azure) and environment details; a base64-encoded payload deploys a cryptocurrency miner and blackholes the Docker Registry so other actors cannot pull images onto the host.
  • The campaign includes notable evasion techniques (process hiding with hid, /dev/shm usage, Docker registry blackhole) to impede detection and competition.
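The keypoints above describe host-level artefacts that a responder can check for directly. The following triage script is an added example, not Cado's code or anything from the campaign: it takes file contents as text so it runs offline against the constructed samples at the bottom, and on a live host it would be fed /etc/passwd, /etc/sudoers, /etc/hosts, the installed systemd unit files and /etc/docker/daemon.json. The IPs and file names come from this page; the assumption that the registry blackhole is implemented by pinning registry hostnames in /etc/hosts is mine, since the page does not say how it is done.

```python
"""Offline triage checks for the Commando Cat host artefacts summarised above
(added example, not the vendor's code)."""
import json
import re

# Indicators quoted from the summary on this page.
CAMPAIGN_IPS = {"45.9.148.193", "103.127.43.208"}
CAMPAIGN_NAMES = {"user.sh", "tshd.sh", "gsc.sh", "aws.sh", "gsc", "tshd",
                  "gs-netcat", "c3pool_miner", "dockercache"}
BACKDOOR_USER = "games"
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumption: the registry blackhole pins registry names to a loopback address.
REGISTRY_SUFFIXES = ("docker.io", "docker.com")
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def suspicious_accounts(passwd_text, sudoers_text):
    """Match the user.sh backdoor: the stock 'games' account given a login
    shell, any non-root uid 0, or a full sudo grant to a non-standard principal."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        if name == BACKDOOR_USER and shell not in NO_LOGIN_SHELLS:
            findings.append((name, f"stock games account given login shell {shell}"))
        elif uid == "0" and name != "root":
            findings.append((name, "non-root account with uid 0"))
    rule = re.compile(r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+(?:NOPASSWD:\s*)?ALL\s*$")
    for line in sudoers_text.splitlines():
        m = rule.match(line.strip())
        if m and m.group(1) not in {"root", "%sudo", "%wheel", "%admin"}:
            findings.append((m.group(1), "full sudo grant in /etc/sudoers"))
    return findings


def registry_blackhole(hosts_text):
    """Registry hostnames pinned to an unroutable address in /etc/hosts."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        hits += [(n, addr) for n in names
                 if n.endswith(REGISTRY_SUFFIXES) and addr in BLACKHOLE_ADDRS]
    return hits


def suspicious_units(units):
    """units: {unit file name: contents}. Flag Exec* lines that run a binary
    from /dev/shm or /tmp, or that reference a campaign file name or C2 IP."""
    findings = []
    watch = CAMPAIGN_NAMES | CAMPAIGN_IPS
    for unit, text in units.items():
        for line in text.splitlines():
            if not line.startswith("Exec"):
                continue
            cmd = line.split("=", 1)[1]
            if re.search(r"(?:^|\s)/(?:dev/shm|tmp)/", cmd):
                findings.append((unit, "Exec line runs from world-writable tmpfs or /tmp"))
            refs = set(re.split(r"[\s/]+", cmd)) & watch
            if refs:
                findings.append((unit, "Exec line references " + ", ".join(sorted(refs))))
    return findings


def exposed_docker_api(daemon_json_text, dockerd_cmdline=""):
    """TCP listeners (daemon.json 'hosts' or dockerd -H/--host flags) that are
    not protected by tlsverify; this is the campaign's initial-access surface."""
    cfg = json.loads(daemon_json_text or "{}")
    hosts = list(cfg.get("hosts", []))
    hosts += re.findall(r"(?:-H|--host)[=\s]+(\S+)", dockerd_cmdline)
    tls = cfg.get("tlsverify") is True or "--tlsverify" in dockerd_cmdline
    return [] if tls else [h for h in hosts if h.startswith("tcp://")]


# Constructed sample data for an offline run (not captured from a real host).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                 "games:x:5:60:games:/usr/games:/bin/bash\n")
SAMPLE_SUDOERS = ("Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n"
                  "%sudo ALL=(ALL:ALL) ALL\ngames ALL=(ALL) NOPASSWD: ALL\n")
SAMPLE_HOSTS = ("127.0.0.1 localhost\n# added by the payload\n"
                "127.0.0.1 registry-1.docker.io index.docker.io\n")
SAMPLE_UNITS = {
    "dockercache.service": "[Service]\nExecStart=/dev/shm/gs-netcat -il\nRestart=always\n",
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
}
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    print("accounts:", suspicious_accounts(SAMPLE_PASSWD, SAMPLE_SUDOERS))
    print("blackhole:", registry_blackhole(SAMPLE_HOSTS))
    print("units:", suspicious_units(SAMPLE_UNITS))
    print("exposed api:", exposed_docker_api(SAMPLE_DAEMON_JSON))
```

The account check deliberately keys on the shell rather than on the user name alone, because `games` exists on stock Debian and Ubuntu installs with a nologin shell; only a login shell or a sudoers grant makes it the backdoor described above. The `exposed_docker_api` check is the preventive counterpart: a `tcp://` listener without `tlsverify` is the misconfiguration that gives the campaign its initial access, and port 2375 should never be reachable from the Internet.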

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Targeting exposed Docker API endpoints. ‘targeting exposed Docker API endpoints.’
  • [T1105] Ingress Tool Transfer – Downloads payloads from the C2, including Docker images and shell scripts. ‘pull down a Docker image called cmd.cat/chattr’ and ‘pull down the user.sh payload.’
  • [T1059] Command and Scripting Interpreter – Payloads executed via shell scripts such as user.sh, tshd.sh, gsc.sh, aws.sh. ‘The payloads are delivered… by the IP 45[.]9.148.193’
  • [T1543.002] Create or Modify System Process – Systemd Service – Persistence via a malicious systemd service unit. ‘creates a malicious systemd service unit in order to achieve persistence.’
  • [T1136] Create Account – Creates a backdoor user ‘games’ with sudo privileges. ‘The function creates a new user called “games” by adding an entry for it directly into /etc/passwd and /etc/shadow, as well as giving it sudo permission in /etc/sudoers.’
  • [T1564] Hide Artifacts – Hiding the tshd process using a hid script. ‘hid script discussed previously to hide the tshd process.’
  • [T1070.003] Indicator Removal: Clear Command History – Wipes bash history to erase traces. ‘wipes the bash history.’
  • [T1036] Masquerading – Appears as benign tooling to avoid suspicion. ‘generates Docker images on-demand… and simply point them by name in the docker run command.’
  • [T1041] Exfiltration Over C2 – Exfiltrates collected data (credentials, environment info) to the attacker API. ‘The script then closes out by sending all of the collected data to the attacker.’

Indicators of Compromise

  • [Hash] – IoCs (Hashes) – 5ea102a58899b4f446bb0a68cd132c1d, 73432d368fdb1f41805eba18ebc99940, and 3 more hashes
  • [IP] – IPs observed in the campaign – 45[.]9.148.193, 103[.]127.43.208
  • [Filename] – Scripts and payloads used by the campaign – user.sh, tshd.sh, gsc.sh, aws.sh, and a base64 payload

Read more: https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/