This campaign, active since the beginning of 2024, deploys a benign container through the Commando project, escaping it to run multiple payloads on the Docker host. Docker is used as an initial access vector to deliver payloads that register persistence, create backdoors, exfiltrate cloud service provider credentials, and launch a cryptocurrency miner. The attacker gains a foothold by breaching vulnerable Docker instances, deploying a harmless container, and escaping it using the chroot command.
The campaign involves checks for specific services on compromised systems, such as sys-kernel-debugger, gsc, c3pool_miner, and dockercache, proceeding to the next stage only if these services are active. The purpose of checking for sys-kernel-debugger remains unclear. Further stages include dropping additional payloads from a command-and-control server, including a shell script backdoor capable of adding an SSH key, creating a rogue user named "games" with a known password, and modifying the /etc/sudoers file.
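The service names, the rogue "games" account and the sudoers change described above are the host-side artifacts a responder can check for. The following Python triage script is an added example, not code from the original report or from any of the sources it summarizes; it runs over constructed sample copies of the systemd unit list, /etc/passwd, /etc/shadow and /etc/sudoers rather than the live files. One caveat it encodes: most Linux distributions ship a legitimate "games" system account (uid 5, nologin shell, locked password), so the anomaly worth flagging is a "games" account that has a login shell, a real password hash, or a sudoers grant, not the account's mere existence.

```python
"""Host triage for the Commando Cat indicators named in the summary.

Added example (not from the original report). All inputs below are
constructed samples; on a real host you would read the live files.
"""
import re
from dataclasses import dataclass, field

# Service names the summary says the malware checks for on the host.
SUSPECT_SERVICES = {"sys-kernel-debugger", "gsc", "c3pool_miner", "dockercache"}

# Shells that do not permit an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# A sudoers rule granting the games user something ending in ALL.
SUDO_RULE = re.compile(r"^\s*games\s+.*ALL", re.MULTILINE)


@dataclass
class Findings:
    services: list = field(default_factory=list)
    rogue_users: list = field(default_factory=list)
    sudoers: list = field(default_factory=list)


def check_services(unit_names):
    """Return the suspect unit names present in unit_names (with or without .service)."""
    found = []
    for name in unit_names:
        base = name[:-len(".service")] if name.endswith(".service") else name
        if base in SUSPECT_SERVICES:
            found.append(base)
    return sorted(found)


def check_passwd(passwd_text, shadow_text):
    """Flag a 'games' account that can actually log in.

    Stock distros ship games as uid 5 with a nologin shell and a locked
    password ('*' or '!' in /etc/shadow). A login shell, a real hash, or
    uid 0 is the anomaly the report describes.
    """
    hashes = {}
    for line in shadow_text.splitlines():
        if ":" in line:
            user, pw, *_ = line.split(":")
            hashes[user] = pw
    flagged = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or parts[0] != "games":
            continue
        uid, shell = parts[2], parts[6]
        pw = hashes.get("games", "")
        has_hash = pw not in ("", "*", "!!") and not pw.startswith("!")
        if shell not in NOLOGIN_SHELLS or has_hash or uid == "0":
            flagged.append({"user": "games", "uid": uid, "shell": shell,
                            "has_password": has_hash})
    return flagged


def check_sudoers(sudoers_text):
    """Return sudoers lines that grant privileges to the games user."""
    return [m.group(0).strip() for m in SUDO_RULE.finditer(sudoers_text)]


def triage(unit_names, passwd_text, shadow_text, sudoers_text):
    """Run all three checks and collect the results."""
    return Findings(check_services(unit_names),
                    check_passwd(passwd_text, shadow_text),
                    check_sudoers(sudoers_text))


# --- constructed sample input (not real host data) ---
SAMPLE_UNITS = ["ssh.service", "docker.service", "c3pool_miner.service",
                "dockercache.service", "cron.service"]
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """root:!:19700:0:99999:7:::
games:$6$constructedsalt$constructedhash:19750:0:99999:7:::
nobody:*:19700:0:99999:7:::
"""
SAMPLE_SUDOERS = """root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
games ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    result = triage(SAMPLE_UNITS, SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SUDOERS)
    print("suspect services :", result.services)
    print("rogue users      :", result.rogue_users)
    print("sudoers grants   :", result.sudoers)
```

On a live system the unit list would come from the files under /etc/systemd/system and /lib/systemd/system, and the three text inputs from the corresponding files in /etc; the checks themselves are deliberately kept to string handling so they run offline against the constructed samples. The same structure extends naturally to the SSH indicator in the summary (a newly added authorized_keys entry), which this block does not cover.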
The attack employs techniques to avoid artifacts touching the disk, making forensics more challenging. The Commando Cat malware functions as a credential stealer, a stealthy backdoor, and a cryptocurrency miner, making it versatile for extracting maximum value from infected machines. While the exact origins of the threat actor are unclear, there are observed overlaps in shell scripts and the command-and-control IP address with cryptojacking groups like TeamTNT, suggesting a potential copycat group.