Full Report
This campaign, active since the beginning of 2024, deploys a benign container through the Commando project, escaping it to run multiple payloads on the Docker host. Docker is used as an initial access vector to deliver payloads that register persistence, create backdoors, exfi...
Analysis Summary
# Threat Actor: Commando Cat
## Attribution & Identity
* **Identification:** Threat Actor associated with the "Commando Cat" campaign.
* **Known Aliases and Groups:** Exact origins unclear; observed overlaps (shell scripts, C2 IP addresses) suggest a potential connection or influence from cryptojacking groups like **TeamTNT**.
## Activity Summary
The campaign has been active since the beginning of 2024. It targets Docker environments, using compromised Docker instances as the initial access vector. Attackers deploy an initial benign container, escape the container (via `chroot`), and execute multiple secondary payloads on the Docker host. The ultimate goals involve establishing persistence, creating backdoors, stealing cloud service provider credentials, and launching cryptocurrency mining operations.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of vulnerable Docker instances.
* **Execution:** Container escape using the `chroot` command.
* **Persistence:**
* Registering persistence mechanisms.
* Creating a shell script backdoor.
* Creating a rogue local user named "games" with a known password.
* Modifying the `/etc/sudoers` file.
* **Defense Evasion:** Employing techniques to avoid touching the disk where possible, increasing forensic difficulty.
* **Discovery:** Checking for the presence of specific services (`sys-kernel-debugger`, `gsc`, `c3pool_miner`, `dockercache`) before proceeding.
* **Credential Access:** Exfiltrating cloud service provider credentials.
* **Impact:** Cryptocurrency mining (Resource Hijacking).
* **Observed Techniques/Tools:** Credential theft, Container enumeration, IMDS abuse, Global socket communication, Creating new local users, Creating SSH backdoors (via SSH key addition). Tools observed include TinyShell and XMRig.
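The Initial Access and Execution entries above describe a container that is only an escape vehicle: what makes the `chroot` breakout possible is how the container was started, not the image it runs. The following added example (not tooling from the report or from the actor) audits records shaped like `docker inspect` output for the host-side settings that enable such an escape: a bind mount of the host root or another sensitive host path, `--privileged`, added capabilities such as `SYS_ADMIN`, and shared host PID/network namespaces. The three container records and their paths (including the `/:/hs` mount) are constructed for the example; the field names (`HostConfig.Privileged`, `CapAdd`, `PidMode`, `NetworkMode`, `Binds`) are the ones Docker emits.

```python
"""Audit `docker inspect`-style container records for settings that enable a host escape.

Added illustrative example, not code from the Commando Cat report. It consumes the JSON
array that `docker inspect <container>` prints and flags the HostConfig settings that let
a process inside the container reach the host filesystem or kernel. The sample records
at the bottom are constructed.
"""
import json

# Host paths that, when bind-mounted into a container, hand the host to a chroot-style escape
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")
# Added capabilities that substantially widen what a container process can do to the host
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def _normalise(path):
    """Strip a trailing slash so "/etc/" and "/etc" compare equal; keep "/" itself."""
    return path if path == "/" else path.rstrip("/")


def audit_container(inspect_obj):
    """Return a list of (severity, message) findings for one container inspect record."""
    host = inspect_obj.get("HostConfig", {})
    name = inspect_obj.get("Name", "?").lstrip("/")
    findings = []

    if host.get("Privileged"):
        findings.append(("high", f"{name}: runs --privileged (all capabilities, raw device access)"))

    # Docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN"; compare without the prefix
    caps = {(c[4:] if c.upper().startswith("CAP_") else c).upper() for c in (host.get("CapAdd") or [])}
    for cap in sorted(caps & DANGEROUS_CAPS):
        findings.append(("high", f"{name}: adds capability {cap}"))
    if "ALL" in caps:
        findings.append(("high", f"{name}: adds all capabilities"))

    if host.get("PidMode") == "host":
        findings.append(("medium", f"{name}: shares the host PID namespace"))
    if host.get("NetworkMode") == "host":
        findings.append(("low", f"{name}: shares the host network namespace"))

    # Binds are "src:dst[:opts]"; a host-root bind such as "/:/hs" is exactly what a chroot escape needs
    for bind in host.get("Binds") or []:
        src = _normalise(bind.split(":")[0])
        under_sensitive = any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")
        if src in SENSITIVE_HOST_PATHS or under_sensitive:
            sev = "high" if src in ("/", "/var/run/docker.sock") else "medium"
            findings.append((sev, f"{name}: bind-mounts host path {src} ({bind})"))
    return findings


def audit_all(records):
    """Audit every record; return {container name: findings} for containers with findings."""
    report = {}
    for rec in records:
        found = audit_container(rec)
        if found:
            report[rec.get("Name", "?").lstrip("/")] = found
    return report


def audit_inspect_json(text):
    """Convenience wrapper for the raw text of `docker inspect $(docker ps -q)`."""
    return audit_all(json.loads(text))


# Constructed records shaped like `docker inspect` output (only the fields used above)
SAMPLE_CONTAINERS = [
    {"Name": "/escape-candidate",
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "", "NetworkMode": "default",
                    "Binds": ["/:/hs"]}},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "PidMode": "",
                    "NetworkMode": "bridge", "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/debug",
     "HostConfig": {"Privileged": True, "CapAdd": ["CAP_SYS_ADMIN"], "PidMode": "host",
                    "NetworkMode": "host", "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
]

if __name__ == "__main__":
    for container, items in audit_all(SAMPLE_CONTAINERS).items():
        for severity, message in items:
            print(f"[{severity:6}] {message}")
```

Feeding the real `docker inspect` array into `audit_inspect_json` gives a per-host list of containers that would let a process inside them reach the host filesystem; the unprivileged container with only a host-root bind mount is reported as high severity, which is the configuration the escape described above relies on.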
## Targeting
* **Sectors:** Primarily targeting environments running exploitable Docker instances (implied focus on cloud/containerized infrastructure).
* **Geography:** Not explicitly specified in the context provided.
* **Victims:** Organizations utilizing vulnerable Docker configurations.
## Tools & Infrastructure
* **Malware Families:** Commando Cat malware (multifunctional: credential stealer, backdoor, cryptominer), TinyShell, XMRig (Cryptocurrency Miner).
* **Infrastructure:** Unknown C2 IP address, shared with other cryptojacking groups.
## Implications
This campaign represents a significant threat to containerized environments, leveraging misconfigurations for deep system compromise. The actor immediately seeks to monetize the environment through cryptojacking while simultaneously setting up robust persistence and credential theft capabilities, turning the compromised host into a multi-purpose pivot point.
## Mitigations
* Harden Docker configurations to prevent container escapes (e.g., ensuring containers do not run with excessive privileges or the capabilities and host mounts that make a `chroot`-based escape possible).
* Monitor for process execution indicative of container breakout commands (like `chroot`).
* Implement strict egress filtering to limit connections to known C2 infrastructure.
* Actively monitor for unauthorized user creation (e.g., user "games"), unauthorized SSH key additions, and modifications to sensitive files like `/etc/sudoers`.
* Monitor systems for resource consumption associated with cryptocurrency mining (e.g., high CPU usage by XMRig or related processes).
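The monitoring items in this list (breakout commands such as `chroot`, creation of the "games" user, SSH key additions, `/etc/sudoers` changes) can be expressed as a few rules over Linux auditd and auth logs. The following added example, not part of the report, runs such rules over constructed log lines: the auditd records, hostnames, pids, timestamps and the `/hs` chroot target are all made up for the example, and the audit keys `sudoers_change` and `sshkey_change` are assumed to come from file-watch rules such as `-w /etc/sudoers -p wa -k sudoers_change` and `-w /root/.ssh/authorized_keys -p wa -k sshkey_change`.

```python
"""Flag Commando Cat-style host persistence in auditd and syslog auth lines.

Added illustrative example, not code from the report. SAMPLE_LOG is constructed: its
audit lines follow the real auditd record shape (type=... msg=audit(ts:serial): k=v ...)
and its auth lines follow the usual syslog useradd/chpasswd format. Audit keys in
WATCH_KEYS are assumed to be set by auditd -w file-watch rules on the host.
"""
import re
import shlex

ROGUE_USERS = {"games"}  # rogue account name reported for this campaign
WATCH_KEYS = {            # assumed auditd rule keys -> human-readable meaning
    "sudoers_change": "modification of /etc/sudoers",
    "sshkey_change": "write to an authorized_keys file",
}
AUDIT_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
USERADD_RE = re.compile(r'useradd\[\d+\]: new user: name=(?P<name>[^,]+)')


def parse_audit(line):
    """Return (record type, fields) for an auditd line, or None for any other line."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in shlex.split(m.group("body")):  # shlex strips the quotes around values
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    fields["serial"] = m.group("serial")      # records of one event share a serial
    return m.group("type"), fields


def detect(lines):
    """Run every rule over the lines; return (severity, description) alerts in log order."""
    alerts = []
    syscalls = {}  # serial -> SYSCALL fields, so the following EXECVE record can be enriched
    for line in lines:
        m = USERADD_RE.search(line)
        if m:
            name = m.group("name")
            sev = "high" if name in ROGUE_USERS else "medium"  # any new local user is worth a look
            alerts.append((sev, f"new local user created: {name}"))
            continue
        parsed = parse_audit(line)
        if parsed is None:
            continue
        rtype, f = parsed
        serial = f["serial"]
        if rtype == "SYSCALL":
            syscalls[serial] = f
            key = f.get("key", "")
            if key in WATCH_KEYS:
                alerts.append(("high", f"{WATCH_KEYS[key]} by {f.get('exe', '?')} "
                                       f"(uid={f.get('uid', '?')}, audit serial {serial})"))
        elif rtype == "EXECVE":
            argv = [f.get(f"a{i}", "") for i in range(int(f.get("argc", 0)))]
            if argv and argv[0].rsplit("/", 1)[-1] == "chroot":
                pid = syscalls.get(serial, {}).get("pid", "?")
                target = argv[1] if len(argv) > 1 else "?"
                alerts.append(("high", f"chroot executed with target {target} "
                                       f"(pid={pid}, audit serial {serial})"))
    return alerts


# Constructed sample: a chroot into a host-root mount, a rogue user, sudoers and SSH key writes, plus noise
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1705201921.101:301): arch=c000003e syscall=59 success=yes exit=0 pid=4410 uid=0 comm="chroot" exe="/usr/sbin/chroot" key=(null)',
    'type=EXECVE msg=audit(1705201921.101:301): argc=3 a0="chroot" a1="/hs" a2="/bin/bash"',
    'Jan 14 03:12:01 dockerhost useradd[4422]: new user: name=games, UID=1001, GID=1001, home=/home/games, shell=/bin/bash',
    'Jan 14 03:12:02 dockerhost chpasswd[4425]: pam_unix(chpasswd:chauthtok): password changed for games',
    'type=SYSCALL msg=audit(1705201925.330:302): arch=c000003e syscall=257 success=yes exit=3 pid=4430 uid=0 comm="bash" exe="/usr/bin/bash" key="sudoers_change"',
    'type=PATH msg=audit(1705201925.330:302): item=0 name="/etc/sudoers" inode=1310 mode=0100440 nametype=NORMAL',
    'type=SYSCALL msg=audit(1705201926.002:303): arch=c000003e syscall=257 success=yes exit=3 pid=4433 uid=0 comm="bash" exe="/usr/bin/bash" key="sshkey_change"',
    'type=PATH msg=audit(1705201926.002:303): item=0 name="/root/.ssh/authorized_keys" inode=9902 mode=0100600 nametype=NORMAL',
    'Jan 14 03:13:10 dockerhost sshd[4500]: Accepted password for alice from 192.0.2.10 port 51022 ssh2',
    'type=SYSCALL msg=audit(1705201930.500:304): arch=c000003e syscall=59 success=yes exit=0 pid=4510 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)',
    'type=EXECVE msg=audit(1705201930.500:304): argc=2 a0="ls" a1="-la"',
]

if __name__ == "__main__":
    for severity, description in detect(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```

The chroot rule keys on the EXECVE record rather than on the process name alone, so a binary renamed to hide from `comm` is still caught when its argv[0] is `chroot`, and the audit serial lets an analyst pull the full event (SYSCALL, EXECVE, PATH) back out of the raw log.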