Docker APIs across the internet are being targeted by a merciless new crytpojacking campaign

News
By published

Commando Cat campaign has been active since early 2024

Crypto mining
Kryptovaluuttojen louhinta on tehokkainta oikeilla komponenteilla. (Image credit: Shutterstock / Yevhen Vitte)

Cybersecurity researchers from Cado Security recently discovered an advanced new cryptojacking campaign that targets exposed Docker API endpoints over the internet

The campaign, called “Commando Cat”, has been active since early 2024, the researchers added, saying that this was the second such campaign to be discovered in just two months.

According to the report, the attackers would deliver an interdependent payload from their own server, leveraging Docker as an initial access vector. The first container, built using the Commando open-source tool, is seemingly benign, but allows the attackers to escape the container and run multiple payloads on the Docker host itself.

Copycats

The payloads delivered depend on the short-term goals of the campaign, and include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and launching cryptocurrency miners, the researchers explained. The cryptocurrency miner being deployed as part of this campaign is the infamous XMRig, a hugely popular cryptojacker that mines Monero (XMR), a privacy-oriented currency that’s almost impossible to trace.

Commando cat uses a different folder to temporarily store stolen files, Cado Security’s researchers added, suggesting this was done as an evasion mechanism. Indeed, this makes forensic analysis more challenging, they said. 

At press time, the researchers don’t know who the threat actors behind Commando Cat are, but say they noticed overlaps in shell scripts and C2 IP addresses with another cryptojacking group called TeamTNT. Still, Cado doesn’t believe TeamTNT to be behind this particular campaign, and rather leans towards a copycat group. 

To defend against such attacks, users are advised to update their Docker instances and implement necessary security measures, the researchers concluded.

Earlier this month, the same cybersecurity team discovered a similar campaign, targeting vulnerable Docker hosts to deploy both XMRig and the 9Hits Viewer software. 9hits is a web traffic exchange platform, where users can drive traffic among themselves. When a user installs 9hits, their device visits other members’ websites via a headless Chrome instance. In exchange, the user receives credits which they can then spend to drive traffic to their own sites. By installing 9hits on compromised Docker instances, the attackers generate additional credits which they can then exchange for more traffic for themselves. 

Via The Hacker News

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person at a laptop with a cybersecure lock symbol floating above it.
Cybercrime gang targets victims with "triple threat" attacks
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
China
Chinese hackers develop effective new hacking technique to go after business networks
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
More about security
Money

Financial leaders still rely on regular tools like Excel for automation tasks over AI
Half man, half AI.

Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
Poco F6 Pro in white from the back showing its Camera array and branding

For a mid-range handset, the Poco F6 Pro is premium in more ways than one, but I found it hard to ignore some of its key pitfalls
See more latest
Most Popular
BraX3
This obscure brand wants to launch the most privacy-friendly smartphone ever without Google, but with a mysterious open-source OS at its core
HAMR
Seagate reportedly sold two billion GBs worth of storage to two of the world's largest tech companies
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
Oracle
Bluehost owner is moving to Oracle Cloud, so could thousands of websites be about to migrate?
Money
Financial leaders still rely on regular tools like Excel for automation tasks over AI
Two examples of the Asus Fragrance Mouse MD101 sitting on a table
Your next computer mouse could have a fragrance compartment for aromatherapy oils – and this Asus idea is nothing to sniff at
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models