Cado security researchers recently identified a sophisticated cryptojacking campaign that exploits exposed Docker API endpoints over the internet.
The campaign, called “Commando Cat”, has been operating since early 2024, the researchers noted, adding that it is the second such effort to be identified in only two months. The initial container, created with the open-source Commando tool, appears innocuous, but it allows the attackers to escape it and launch several payloads on the Docker host itself.
The payloads delivered are determined by the campaign's short-term targets, which include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and activating cryptocurrency miners, according to the researchers. This campaign's cryptocurrency miner is the famed XMRig, a popular cryptojacker that mines Monero (XMR), a privacy-oriented currency that is nearly impossible to track.
Cado Security's researchers added that Commando Cat temporarily stores stolen files in a separate folder, which they take to be an evasion tactic. Indeed, this complicates forensic analysis.
At press time, the researchers did not know who the threat actors behind Commando Cat were, although they did detect resemblances between its shell scripts and C2 IP addresses and those of another cryptojacking outfit dubbed TeamTNT. Cado, however, does not believe TeamTNT is behind this particular effort and instead suspects a copycat organisation.
The researchers advised that users should upgrade their Docker instances and install necessary security measures to safeguard themselves from such attacks.
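The entry point in both campaigns is a Docker daemon whose API is reachable over plain TCP without TLS client verification. The following audit script is an added example (not Cado's code or a Docker tool): it inspects a `daemon.json` body and a systemd `ExecStart` line for `tcp://` listeners that lack `tlsverify`, using constructed weak and hardened configurations as input.

```python
import json
import re
import shlex
from typing import List

# Constructed weak dockerd configuration: the API listens on every interface over
# plain TCP (the default port 2375) with no TLS client verification.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
WEAK_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

# Constructed hardened counterpart: TCP is only offered on a specific address,
# on the conventional TLS port 2376, with mutual TLS required.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
HARDENED_EXECSTART = "/usr/bin/dockerd"


def _hosts_from_execstart(execstart: str) -> List[str]:
    """Collect -H / --host values from a systemd ExecStart line."""
    tokens = shlex.split(execstart)
    hosts = []
    for i, tok in enumerate(tokens):
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
        elif tok.startswith("-H") and len(tok) > 2:
            hosts.append(tok[2:])  # compact form: -Htcp://...
    return hosts


def audit_docker_api(daemon_json: str, execstart: str) -> List[str]:
    """Return one finding per TCP listener that is exposed without TLS verification."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    tokens = shlex.split(execstart)
    tls_verify = bool(cfg.get("tlsverify", False)) or any(
        t in ("--tlsverify", "--tlsverify=true") for t in tokens)
    hosts = dict.fromkeys(list(cfg.get("hosts", [])) + _hosts_from_execstart(execstart))
    findings = []
    for host in hosts:
        m = re.match(r"tcp://(\[[^\]]*\]|[^:/]*)(?::(\d+))?", host)
        if not m:
            continue  # unix:// and fd:// are reachable only from the host itself
        addr, port = m.group(1) or "0.0.0.0", m.group(2) or "2375"
        if not tls_verify:
            findings.append(f"unauthenticated Docker API on tcp://{addr}:{port}")
        elif addr in ("0.0.0.0", "[::]"):
            findings.append(f"TLS-protected API bound to all interfaces tcp://{addr}:{port}; restrict bind address")
    return findings
```

On a live host, feed it the contents of `/etc/docker/daemon.json` and the `ExecStart=` line from `systemctl cat docker`; a non-empty result is exactly the exposure these campaigns scan for.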
Last month, the same cybersecurity team uncovered a similar campaign that used insecure Docker hosts to install both XMRig and the 9Hits Viewer software. 9Hits is an online traffic exchange platform that allows users to drive traffic to each other's websites.
When a user installs 9Hits, their device visits the websites of other members using a headless Chrome instance. In exchange, the user earns credits, which may subsequently be used to attract traffic to their own websites. Installing 9Hits on compromised Docker instances generates more credits, which the attackers can then use to buy more traffic.