Trend Micro's threat intelligence team has uncovered a sophisticated attack campaign targeting exposed Docker remote API servers to deploy cryptocurrency miners. Named “Commando Cat,” this campaign has been active since the beginning of 2024 and employs a series of steps to infiltrate systems and leverage their resources for mining digital currencies.
The attack begins with benign containers generated by the Commando project, an open-source GitHub initiative that builds Docker images on demand for developers. The attackers use cmd.cat, a service associated with Commando, to deploy a seemingly harmless Docker image (cmd.cat/chattr).
Upon deployment, the threat actors exploit the cmd.cat/chattr container to create a new Docker container. Using the chroot command, they manage to escape the container's environment and gain access to the host operating system. This allows the attackers to perform further actions on the compromised system, including downloading a malicious binary via curl or wget.
Once the binary is in place, the threat actors establish control and deploy cryptocurrency mining software. Several indicators reveal the malware's presence: specific User-Agent strings and the use of DropBear SSH on TCP port 3022 are key signs of this malicious activity.
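The following script is an added defender-side example, not code from Trend Micro or from the Commando project. It turns the campaign traits described above into two triage checks that run offline over constructed sample data: it inspects Docker Engine API `containers/create` request bodies for images pulled from cmd.cat, for a container that mounts the host root filesystem (what a chroot escape into the host needs), for privileged mode and for `chroot` in the container command; and it scans `ss -ltnp`-style listener lines for DropBear SSH on TCP port 3022 and for a `dockerd` remote API bound to a non-loopback address. The field names follow the public Docker Engine API; the sample request bodies and listener lines are constructed, and port 2375 is Docker's default unencrypted TCP port rather than a value from the report.

```python
"""Defender-side triage for the Commando Cat pattern summarised above.

Added example, not Trend Micro's or the Commando project's code. Every sample
below is constructed, not captured data. Field names (Image, Cmd, Entrypoint,
HostConfig.Binds, HostConfig.Mounts, HostConfig.Privileged) follow the public
Docker Engine API; 2375 is Docker's default unencrypted TCP port (assumption
about the deployment, not a value from the report).
"""
import json
import re
from typing import Dict, List

SUSPICIOUS_IMAGE_PREFIX = "cmd.cat/"   # image source named in the report
DROPBEAR_PORT = 3022                    # listener port named in the report
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# One `ss -ltnp` row: state, queue counters, local addr:port, peer, process name.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def _as_list(v) -> List[str]:
    """Docker accepts Cmd/Entrypoint as a string or a list; normalise to a list."""
    if v is None:
        return []
    return [v] if isinstance(v, str) else [str(x) for x in v]


def host_root_mounts(host_config: Dict) -> List[str]:
    """Return mount specs whose host side is '/', i.e. the whole host filesystem."""
    hits = []
    for spec in host_config.get("Binds") or []:            # "host:container[:opts]"
        if spec.split(":", 1)[0].rstrip("/") == "":
            hits.append(spec)
    for m in host_config.get("Mounts") or []:              # {"Type","Source","Target"}
        if m.get("Type") == "bind" and str(m.get("Source", "")).rstrip("/") == "":
            hits.append(f"{m['Source']}:{m.get('Target')}")
    return hits


def triage_create_request(body: str) -> List[str]:
    """Triage one containers/create JSON body; return the reasons it was flagged."""
    req = json.loads(body)
    reasons = []
    image = req.get("Image", "")
    if image.startswith(SUSPICIOUS_IMAGE_PREFIX):
        reasons.append(f"image from cmd.cat: {image}")
    hc = req.get("HostConfig") or {}
    if hc.get("Privileged"):
        reasons.append("privileged container")
    for spec in host_root_mounts(hc):
        reasons.append(f"host root filesystem mounted: {spec}")
    argv = _as_list(req.get("Entrypoint")) + _as_list(req.get("Cmd"))
    if any(a.endswith("chroot") for a in argv):              # "chroot" or "/usr/sbin/chroot"
        reasons.append("chroot in container command")
    return reasons


def triage_listeners(ss_output: str) -> List[str]:
    """Flag DropBear on TCP 3022 and a dockerd API bound to a non-loopback address."""
    reasons = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        addr, port, proc = m.group("addr"), int(m.group("port")), m.group("proc").lower()
        if proc == "dropbear" and port == DROPBEAR_PORT:
            reasons.append(f"DropBear SSH listening on {addr}:{port}")
        if proc == "dockerd" and addr not in LOOPBACK:
            reasons.append(f"Docker remote API exposed on {addr}:{port}")
    return reasons


SAMPLE_CREATE_REQUESTS = [
    # Constructed: the pattern from the report (cmd.cat image, host root mounted, chroot)
    json.dumps({"Image": "cmd.cat/chattr", "Cmd": ["chroot", "/hs"],
                "HostConfig": {"Binds": ["/:/hs"]}}),
    # Constructed: an ordinary web container that must not be flagged
    json.dumps({"Image": "nginx:1.25",
                "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}),
]

# Constructed `ss -ltnp` output: sshd on 22, DropBear on 3022, dockerd on all interfaces.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      20           0.0.0.0:3022      0.0.0.0:*     users:(("dropbear",pid=4242,fd=4))
LISTEN 0      4096         0.0.0.0:2375      0.0.0.0:*     users:(("dockerd",pid=1005,fd=12))
"""

if __name__ == "__main__":
    for body in SAMPLE_CREATE_REQUESTS:
        print(json.loads(body)["Image"], "->", triage_create_request(body) or "clean")
    for reason in triage_listeners(SAMPLE_SS_OUTPUT):
        print("listener:", reason)
```

In practice the request bodies come from a Docker daemon audit log or a proxy in front of the API socket, and the listener lines from `ss -ltnp` on the host; a `dockerd` bound to a non-loopback address without TLS client authentication is the exposure that lets the campaign create containers in the first place, so that finding should be treated as the root cause rather than as one indicator among several.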