Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

Researchers analyze a cryptojacking campaign that abuses exposed Docker Remote API servers to deploy cryptocurrency miners using open-source Commando project images. The attackers gain initial access with the cmd.cat/chattr image, then escape to the host by binding the host root filesystem (/:/hs) and the Docker socket into the container and chrooting into the host mount. Indicators include two distinctive User-Agent strings and a DropBear SSH service on TCP port 3022. #CommandoCat #cmd.cat #DropBearSSH #ZiggyStarTux #DockerRemoteAPI

Keypoints

  • Attacks abuse exposed Docker Remote API servers to deploy miners using publicly available Commando project Docker images.
  • Initial access is achieved with the cmd.cat/chattr image, followed by container breakout using chroot and host-volume bindings to reach the host system.
  • Detection indicators include two specific User-Agent strings and a DropBear SSH service listening on TCP port 3022.
  • The attack sequence is: probe the API, create a container, escape to the host, pull the image if it is missing, then create the container again and execute a base64-encoded payload.
  • The payload references ZiggyStarTux, an IRC bot, and connects to a C2 server at 45.9.148.193 on port 1219, with initial communications over IRC.
  • Mitigation focuses on container/API hardening, trusted images, non-root execution, restricted access, regular security audits, and following Docker security best practices.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Probing the Docker Remote API server. Quote: ‘The sequence of events in this attack campaign begins with a ping to the Docker Remote API server, which serves as the pivotal starting point for the ensuing chain of actions.’
  • [T1610] Deploy Container – Creating a Docker container from the cmd.cat/chattr image. Quote: ‘Upon confirming the server’s status as “OK,” the attacker proceeds to instantiate a container using the cmd.cat/chattr image.’
  • [T1611] Escape to Host – Break out via chroot and binds to host. Quote: ‘the binding /:/hs mounts the host’s root directory into the container’s /hs directory, granting the attacker unrestricted access to the host file system. It also binds the Docker socket (/var/run/docker.sock:/var/run/docker.sock), giving the container direct access to the Docker daemon on the host.’
  • [T1105] Ingress Tool Transfer – Downloading the malicious image/payload when needed. Quote: ‘If the above request returns a “No such image” response, the attacker will pull the chattr docker image from the cmd.cat repository.’
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Base64-encoded payload execution. Quote: ‘With the image in place, the attacker proceeds to create a Docker container, effectively executing a replica of the previous step. While creating the docker container, the malicious actor executes a base64-encoded string:’
  • [T1132.001] Data Encoding – The payload uses a base64-encoded string leading to a shell script. Quote: ‘This translates to the following shell script:’

Indicators of Compromise

  • [IP Address] C2 server – 45.9.148.193:1219
  • [Domain] C2 payload/download host – leetdbs.anondns.net
  • [File Name] Payload marker – z (checked in /usr/sbin/z)
  • [HTTP User-Agent] Detection clues – HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64), Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
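As an added worked example (not Trend Micro's code and nothing from the Commando project), the following Python triages three artefacts against the attack sequence and the indicators listed above: a `docker inspect` document for escape-capable bind mounts and a chroot into the host-root mount, an access log in front of the Docker API for the probe/pull/deploy/start sequence and the two User-Agent strings, and a socket listing for the DropBear port and the C2 address. The access-log format, client addresses, container command and socket listing are constructed; the Docker Engine API paths (/_ping, /images/create, /containers/create, /containers/{id}/start) are the endpoints those steps use; running the encoded string through an inline `base64 -d` is an assumption, since the page does not show the decoded command line.

```python
"""Triage helpers for the Commando Cat tradecraft summarised above.

Added example, not Trend Micro's or the Commando project's code. The
indicators are the ones quoted on this page; sample data is constructed.
"""
import re

# Indicators quoted on this page.
C2_IP, C2_PORT = "45.9.148.193", 1219
C2_DOMAIN = "leetdbs.anondns.net"
DROPBEAR_PORT = 3022
ATTACKER_IMAGE = "cmd.cat/chattr"
MALICIOUS_USER_AGENTS = {
    "HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)",
    "Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)",
}

# Docker Engine API endpoints hit at each step of the chain (optional /vX.Y/ prefix).
API_STAGES = [
    (re.compile(r"^/(v[\d.]+/)?_ping$"), "probe"),
    (re.compile(r"^/(v[\d.]+/)?images/create\b"), "pull"),
    (re.compile(r"^/(v[\d.]+/)?containers/create\b"), "deploy"),
    (re.compile(r"^/(v[\d.]+/)?containers/[^/]+/start$"), "start"),
]

# Constructed access-log shape: <ts> <client> <method> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def escape_capable_binds(host_config):
    """Bind mounts (HostConfig.Binds, "src:dst[:opts]") that give a container a
    route to the host: the host root mounted anywhere (as /:/hs here) or the
    Docker socket. Returns [(kind, dst), ...]."""
    findings = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        src, dst = parts[0], (parts[1] if len(parts) > 1 else parts[0])
        if src == "/":
            findings.append(("host-root", dst))
        elif src.rstrip("/") == "/var/run/docker.sock":
            findings.append(("docker-socket", dst))
    return findings


def triage_container(inspect_doc):
    """Reasons a `docker inspect` document matches this campaign."""
    cfg = inspect_doc.get("Config") or {}
    binds = escape_capable_binds(inspect_doc.get("HostConfig") or {})
    cmd = " ".join(cfg.get("Cmd") or [])
    reasons = []
    if (cfg.get("Image") or "").startswith(ATTACKER_IMAGE):
        reasons.append("image " + ATTACKER_IMAGE)
    for kind, dst in binds:
        reasons.append(f"{kind} bound at {dst}")
        # chroot into the directory holding the host root is the T1611 step.
        if kind == "host-root" and re.search(r"\bchroot\s+" + re.escape(dst) + r"(\s|$)", cmd):
            reasons.append("chroot into host root")
    # Assumption: the encoded string is run through an inline base64 -d pipe.
    if re.search(r"\bbase64\s+(-d|--decode)\b", cmd):
        reasons.append("base64-decoded payload")
    return reasons


def scan_api_log(lines):
    """Return ({client: [stage, ...]}, [(ts, client, ua), ...]) for an access log."""
    stages, ua_hits = {}, []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, path, ua = m.groups()
        if ua in MALICIOUS_USER_AGENTS:
            ua_hits.append((ts, client, ua))
        for pattern, stage in API_STAGES:
            if pattern.match(path):
                stages.setdefault(client, []).append(stage)
                break
    return stages, ua_hits


def is_full_chain(stage_list):
    """True when probe, deploy and start appear in that order; the pull in
    between is optional because it only happens on 'No such image'."""
    want, pos = ("probe", "deploy", "start"), 0
    for stage in stage_list:
        if pos < len(want) and stage == want[pos]:
            pos += 1
    return pos == len(want)


def flag_connections(sockets):
    """sockets: (state, local_port, remote_addr, remote_port) tuples as read
    from ss/netstat. Flags the DropBear listener and traffic to the C2 hosts."""
    alerts = []
    for state, lport, raddr, rport in sockets:
        if state == "LISTEN" and lport == DROPBEAR_PORT:
            alerts.append(f"listener on tcp/{DROPBEAR_PORT} (DropBear SSH indicator)")
        if raddr in (C2_IP, C2_DOMAIN):
            alerts.append(f"traffic to {raddr}:{rport} (known C2/download host)")
    return alerts


# Constructed sample data (documentation-range client addresses; payload elided).
UA = "HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)"
SAMPLE_LOG = [
    f'2024-06-05T10:02:11Z 203.0.113.7 GET /_ping "{UA}"',
    f'2024-06-05T10:02:12Z 203.0.113.7 POST /containers/create "{UA}"',
    f'2024-06-05T10:02:13Z 203.0.113.7 POST /images/create?fromImage=cmd.cat/chattr "{UA}"',
    f'2024-06-05T10:02:20Z 203.0.113.7 POST /containers/create "{UA}"',
    f'2024-06-05T10:02:21Z 203.0.113.7 POST /containers/2f1a/start "{UA}"',
    '2024-06-05T10:05:00Z 198.51.100.4 GET /version "Docker-Client/24.0.2 (linux)"',
]
SAMPLE_INSPECT = {  # stand-in for `docker inspect` output
    "Config": {"Image": "cmd.cat/chattr",
               "Cmd": ["sh", "-c", "chroot /hs sh -c 'echo <b64> | base64 -d | sh'"]},
    "HostConfig": {"Binds": ["/:/hs", "/var/run/docker.sock:/var/run/docker.sock"]},
}
SAMPLE_SOCKETS = [("LISTEN", 3022, "*", 0), ("ESTAB", 41234, "45.9.148.193", 1219)]

if __name__ == "__main__":
    print(triage_container(SAMPLE_INSPECT))
    stages, hits = scan_api_log(SAMPLE_LOG)
    for client, seq in stages.items():
        print(client, seq, "FULL CHAIN" if is_full_chain(seq) else "partial")
    print(f"{len(hits)} requests with a known User-Agent string")
    print(flag_connections(SAMPLE_SOCKETS))
```

In practice the inspect document comes from `docker inspect <id>` over a trusted local socket, the access log from whatever proxy or sensor sits in front of the daemon's TCP listener, and the socket tuples from `ss -tanp` on the host. One caveat: mounts created with `--mount type=bind` land in HostConfig.Mounts rather than HostConfig.Binds, so a complete audit should walk both.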

Read more: https://www.trendmicro.com/en_us/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html