Docker instances targeted in major cryptojacking scam

Poorly-secured Docker remote API servers are being leveraged to drop cryptominers

A new cryptojacking campaign has been spotted leveraging poorly-secured Docker remote API servers, experts have claimed.

Cybersecurity researchers from Trend Micro have detailed a campaign, active since early 2024, that they dubbed “Commando Cat” because it abuses Commando, an open-source project that generates Docker images on demand.

“The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure,” Trend Micro researchers Sunil Bharti and Shubham Singh said in the blog post.

Generating cryptocurrency

In it, the attackers target misconfigured Docker remote API servers and use them to pull an image named cmd.cat/chattr and start a container from it. The container is created with the host’s root filesystem mounted inside it, and a chroot into that mount gives the attacker access to the host operating system; chroot on its own would go no further than the container’s own filesystem, so the host mount is the part a defender should look for.

Finally, a shell script uses curl or wget to fetch the malicious binary from the C2 server. The researchers believe the binary to be ZiggyStarTux, an open-source IRC bot based on the Kaiten malware.
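As an added example (not code from the article or from Trend Micro), the following Python script audits the two conditions the chain above depends on, using constructed sample data shaped like /etc/docker/daemon.json and `docker inspect` output: a daemon listening over plain TCP without client-certificate verification, and a container whose definition bind-mounts the host root filesystem and then chroots into it. The image name cmd.cat/chattr comes from the article; the mount path /hs, the container IDs and the commands are illustrative assumptions.

```python
"""Audit a Docker host for the two conditions the Commando Cat chain needs: a
remote API reachable over plain TCP, and a container that bind-mounts the host
root filesystem so that a chroot inside it reaches the host. All input is
CONSTRUCTED sample data shaped like daemon.json and `docker inspect` output."""
import json
from urllib.parse import urlparse

# Constructed: the exposure the campaign relies on, plain TCP on every interface.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})
# Constructed: the same listener, but only clients with a certificate get in.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
})
# Constructed `docker inspect` records. The first mirrors the technique in the
# article (image from cmd.cat, host "/" mounted into the container, chroot into
# that mount); the mount path /hs and the Cmd are illustrative assumptions.
# The second is an ordinary web server and should produce no findings.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "abc123",
        "Config": {"Image": "cmd.cat/chattr", "Cmd": ["chroot", "/hs", "sh"]},
        "HostConfig": {"Binds": ["/:/hs"], "Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hs"}],
    },
    {
        "Id": "def456",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                       "Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html"}],
    },
])

HOST_ROOT_SOURCES = {"/"}
SUSPICIOUS_IMAGE_PREFIXES = ("cmd.cat/",)  # registry named in the campaign


def audit_daemon_config(daemon_json: str) -> list[str]:
    """One finding per tcp:// listener that does not verify client certificates."""
    cfg = json.loads(daemon_json)
    findings: list[str] = []
    for host in cfg.get("hosts", []):
        if urlparse(host).scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if cfg.get("tlsverify"):
            continue  # mutual TLS: only holders of a client certificate get in
        if cfg.get("tls"):
            findings.append(f"{host}: TLS on but tlsverify off, any client is accepted")
        else:
            findings.append(f"{host}: plain TCP, anyone who reaches the port controls the daemon")
    return findings


def container_findings(container: dict) -> list[str]:
    """Flag one `docker inspect` record for the host-escape pattern."""
    findings: list[str] = []
    config = container.get("Config") or {}
    host_cfg = container.get("HostConfig") or {}
    image = config.get("Image", "")
    if image.startswith(SUSPICIOUS_IMAGE_PREFIXES):
        findings.append(f"image {image} comes from the cmd.cat registry")
    # Where does the host root land inside the container? Check both the legacy
    # Binds list ("src:dst[:opts]") and the Mounts array.
    host_root_targets: set[str] = set()
    for bind in host_cfg.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2 and parts[0] in HOST_ROOT_SOURCES:
            host_root_targets.add(parts[1])
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") in HOST_ROOT_SOURCES:
            host_root_targets.add(mount.get("Destination", ""))
    for target in sorted(host_root_targets):
        findings.append(f"host root filesystem bind-mounted at {target}")
    # chroot alone stays inside the container; it escapes only into such a mount.
    cmd = config.get("Cmd") or []
    if len(cmd) >= 2 and cmd[0] == "chroot" and cmd[1] in host_root_targets:
        findings.append(f"command chroots into host mount {cmd[1]}: full host access")
    if host_cfg.get("Privileged"):
        findings.append("container runs --privileged")
    if host_cfg.get("PidMode") == "host":
        findings.append("container shares the host PID namespace")
    return findings


def audit_containers(inspect_json: str) -> dict[str, list[str]]:
    """Map container Id -> findings, keeping only containers that have any."""
    results = {c["Id"]: container_findings(c) for c in json.loads(inspect_json)}
    return {cid: f for cid, f in results.items() if f}
```

On a real host, feed `audit_containers` the output of `docker inspect $(docker ps -aq)` and `audit_daemon_config` the contents of /etc/docker/daemon.json (listeners set through `-H` flags in the dockerd unit file are not parsed here). The daemon check is the one that matters most: with the API open on 2375, none of the container-side indicators need to exist yet for the host to be at an attacker's disposal.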

“The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems,” the researchers said. “This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software.”

The goal of the campaign is to generate cryptocurrency for the attackers. The malware being deployed is a cryptominer, a lightweight program that “mines” cryptocurrency, usually Monero (XMR). “Mining” is the colloquial term for the proof-of-work hashing behind the currency; it is compute-bound and will consume almost all of the machine’s processing power if left unconstrained.

As a result, the computer slows down and is unable to perform the tasks it was set up for. Furthermore, mining is so compute-intensive that it can run up a sizeable electricity bill. The victim ends up with a useless computer and an inflated bill, while the attackers walk away with newly generated cryptocurrency.

A miner running flat out is easy to spot, since the machine is effectively unusable while it operates. That is not guaranteed, though: miners can be throttled to stay below the noise, so the unexpected container and its outbound connections to the C2 server or mining pool are the more reliable signals.

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.