Docker instances targeted in major cryptojacking scam

Best Mining Laptop
(Image credit: aklionka / Shutterstock)

A new cryptojacking campaign has been spotted leveraging poorly-secured Docker remote API servers, experts have claimed.

Cybersecurity researchers from Trend Micro have detailed a campaign they dubbed “Commando Cat” because it uses the open-source container generation project, Commando, which has apparently been active since early 2024.

"The attackers used the docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure," Trend Micro researchers Sunil Bharti and Shubham Singh said in the blog post.

Generating cryptocurrency

In it, the attackers go for misconfigured Docker remote API servers, and drop a Docker image named This image creates a container instance which, by means of the chroot command, is able to gain access to the host operating system

Finally, the attacker uses a shell script to initiate either a curl or wget command from the C2 server, which retrieves the malicious binary. The researchers believe the binary to be ZiggyStarTux, an open-source IRC bot built on the Kaiten malware.

"The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems," the researchers said. "This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software."

The goal of the campaign is to generate cryptocurrency for the attackers. The malware being deployed is a cryptominer, a lightweight program that “mines” cryptocurrency, usually Monero (XMR). “Mining” is a colloquial term for complex operations that usually take up almost all of the machine’s computing power.

As a result, the computer slows down and is unable to perform the tasks it was set up to do. Furthermore, with mining being so compute-intensive, it can rake up quite the electricity bill. As a result, the victim ends up with a useless computer and an inflated electricity bill, while the attackers run away with newly generated cryptocurrency.

Luckily enough, a crypto miner is easy to spot, since the computer is basically rendered useless while the program operates.

Via The Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.