Commando Cat: Stolen Data, Backdoors, and Cryptomining in One Attack
Publicly exposed Docker API endpoints are being targeted in a sophisticated cryptojacking campaign known as “Commando Cat.” According to security researchers at Cado Security, “The operation uses a secure container created with the Commando project. Attackers have found a way to escape this container and execute arbitrary payloads on the Docker host.”
The campaign is believed to have been active since early 2024. This is already the second such campaign detected in recent months. In mid-January, experts discovered another cluster of attacks on vulnerable Docker hosts to deploy the XMRig cryptominer and 9Hits Viewer software.
In this operation, the exposed Docker API serves as the initial access vector for delivering a set of interdependent malware components from the attackers’ server. That server is responsible for maintaining persistence on the host, installing backdoors, exfiltrating cloud provider credentials, and directly launching the cryptominer.
Once access to vulnerable Docker instances is gained, attackers deploy a benign container using the open-source Commando tool and execute a malicious command that allows them to “break out” of the container using chroot.
The malware then checks for active services named “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache” on the compromised system. The next stage only begins if this check is successful, and involves downloading additional malware from the attackers’ command server.
Among the downloaded programs is the “user.sh” backdoor script, which can add SSH keys and create fake users with known passwords and superuser privileges. Other scripts delivered include “tshd.sh,” “gsc.sh,” and “aws.sh” for installing backdoors and exfiltrating credentials.
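The two footholds described above (a container that can chroot into the host, and a planted superuser account) are both visible from the host side. The following audit helper is an added example, not code from Cado Security or the Commando project; it assumes `docker inspect` output carrying the standard `HostConfig.Binds` and `HostConfig.Privileged` fields, and uses constructed sample data throughout.

```python
import json
from typing import List

# Constructed sample shaped like `docker inspect` output (not data from the campaign).
SAMPLE_INSPECT = json.dumps([
    {"Id": "c1", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Id": "c2", "Name": "/cmd",
     "HostConfig": {"Privileged": False, "Binds": ["/:/hostroot"]}},
    {"Id": "c3", "Name": "/dbg",
     "HostConfig": {"Privileged": True, "Binds": []}},
])

# Constructed /etc/passwd excerpt: the real root plus a planted UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcadmin:x:0:0::/home/svcadmin:/bin/bash
"""


def host_root_exposed(binds: List[str]) -> bool:
    """True if any bind mount takes the host's filesystem root as its source."""
    return any(b.split(":")[0] == "/" for b in binds)


def flag_escape_capable_containers(inspect_json: str) -> List[str]:
    """Names of containers whose configuration permits a chroot-style escape:
    the host root is bind-mounted inside, or the container runs privileged."""
    flagged = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged") or host_root_exposed(hc.get("Binds") or []):
            flagged.append(c["Name"].lstrip("/"))
    return flagged


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Account names other than root that carry UID 0 (a user.sh-style backdoor)."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            hits.append(parts[0])
    return hits


if __name__ == "__main__":
    print("escape-capable containers:", flag_escape_capable_containers(SAMPLE_INSPECT))
    print("extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On a live host, feed the helper the output of `docker inspect $(docker ps -q)` and the contents of `/etc/passwd`; any non-empty result deserves a closer look, and a Docker API reachable over plain TCP should not be left exposed at all.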
The attack concludes with the deployment of another payload: a Base64-encoded script that installs the XMRig cryptocurrency miner, after first removing any competing miners from the infected machine.
The exact origin of the threat is still unknown, although there are overlaps with scripts and command server IP addresses used by the cryptojacking group TeamTNT. It’s possible this is the work of an imitator group.
According to researchers, “This malware functions as a credential stealer, stealthy backdoor, and cryptominer all at once.” This makes it a versatile tool for maximizing the use of infected machines’ resources.