
New Malware Exploits Docker APIs for Cryptocurrency Mining

Security researchers have uncovered a novel malware campaign targeting a critical vulnerability in Docker deployments. This malicious campaign exploits exposed Docker API endpoints to deploy cryptocurrency mining software on unsuspecting systems.

The malware, dubbed “Commando Cat” by security experts, leverages a multi-step process to gain unauthorized access and establish persistence on compromised systems. The attack sequence begins by identifying Docker servers with publicly accessible API ports, typically port 2375. Once a vulnerable target is located, the malware executes commands through the exposed API.

These commands often involve downloading and executing shell scripts that install additional malicious payloads. Notably, the campaign has been linked to the “cmd.cat/chattr” Docker image, which utilizes techniques like chroot and volume binding to break free of container restrictions and infect the underlying host system.

Security researchers have identified specific User-Agent strings and a Dropbear SSH listener on port 3022 as potential indicators of a “Commando Cat” infection. These markers can aid in early detection and mitigation efforts.

The “Commando Cat” campaign underscores the importance of robust container security practices. Organizations utilizing Docker containers are strongly advised to implement access controls that restrict API access to authorized personnel and networks. Additionally, keeping Docker software and container images updated with the latest security patches remains crucial in mitigating such threats.
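The checks below turn the article's indicators and recommendations into code: the exposed API port (2375) and host-root volume binding from the attack description, the Dropbear listener on port 3022 from the indicators, and the access-control advice in the form of a `daemon.json` review. This is an added example written for this page, not code from the article or from the researchers it cites. The listening-socket list, the two `daemon.json` variants and the JSON-lines API audit log are constructed sample data; the audit-log field names (`method`, `path`, `user_agent`, `body`) are this example's own assumption, while the `daemon.json` keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are real dockerd options.

```python
import json

# Indicators named in the article.
DOCKER_API_PORT = 2375   # unauthenticated Docker API when published on a public interface
DROPBEAR_PORT = 3022     # Dropbear SSH listener reported as a Commando Cat indicator
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# --- constructed sample data (hypothetical, not captured from a real host) ---

# Listening sockets as (bind address, port), as read from `ss -ltn`.
SAMPLE_LISTENERS = [("127.0.0.1", 22), ("0.0.0.0", 2375), ("0.0.0.0", 3022)]

# Two /etc/docker/daemon.json variants. The weak one publishes the API on every
# interface without TLS; the hardened one keeps a TCP listener on one internal
# address but requires mutually authenticated TLS.
WEAK_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# JSON-lines audit of Docker API requests. Field names are an assumption made
# for this example, not the output format of any particular logging tool.
SAMPLE_API_LOG = """
{"method": "GET", "path": "/v1.43/containers/json", "user_agent": "Docker-Client/24.0.7 (linux)", "body": {}}
{"method": "POST", "path": "/v1.43/containers/create", "user_agent": "python-requests/2.31.0", "body": {"Image": "cmd.cat/chattr", "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": true}}}
{"method": "POST", "path": "/v1.43/containers/create", "user_agent": "Docker-Client/24.0.7 (linux)", "body": {"Image": "nginx", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}}
"""


def exposed_docker_api(listeners):
    """True if the Docker API port is bound to a wildcard address (reachable from any network)."""
    return any(port == DOCKER_API_PORT and addr in WILDCARD_ADDRS for addr, port in listeners)


def dropbear_listener_present(listeners):
    """True if anything listens on the Dropbear port the article names as an indicator."""
    return any(port == DROPBEAR_PORT for _, port in listeners)


def daemon_config_findings(cfg):
    """Report TCP API listeners in daemon.json that do not require TLS client certificates."""
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"plaintext API listener: {host}")
    return findings


def host_escape_binds(host_config):
    """Return binds that mount the host's root filesystem into the container
    (the volume-binding pattern that makes a chroot onto the host possible),
    plus a marker if the container is privileged."""
    findings = [b for b in (host_config.get("Binds") or []) if b.split(":", 1)[0] == "/"]
    if host_config.get("Privileged"):
        findings.append("Privileged=true")
    return findings


def suspicious_requests(log_text, trusted_ua_prefixes=("Docker-Client/",)):
    """Flag API requests from clients outside the User-Agent allowlist, and
    container-create requests whose HostConfig would let a process reach the host."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not rec.get("user_agent", "").startswith(trusted_ua_prefixes):
            findings.append(("unexpected-user-agent", rec["path"]))
        if rec["method"] == "POST" and rec["path"].endswith("/containers/create"):
            if host_escape_binds(rec.get("body", {}).get("HostConfig", {})):
                findings.append(("host-escape-binds", rec["body"].get("Image")))
    return findings


def run_checks(listeners=SAMPLE_LISTENERS, cfg=WEAK_DAEMON_JSON, log_text=SAMPLE_API_LOG):
    """Run every check over the sample data and return a single report dict."""
    return {
        "docker_api_exposed": exposed_docker_api(listeners),
        "dropbear_on_3022": dropbear_listener_present(listeners),
        "daemon_config": daemon_config_findings(cfg),
        "suspicious_requests": suspicious_requests(log_text),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The User-Agent check is an allowlist rather than a blocklist because the article does not publish the specific strings: any API client that is not the official Docker CLI is worth a look on a host that should only be driven by it. The bind check is deliberately narrow (host path exactly `/`); extend the set of sensitive host paths to match your own baseline.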

The rise of “Commando Cat” highlights the evolving landscape of cyber threats. Attackers are increasingly exploiting vulnerabilities in containerization technologies to launch cryptocurrency mining operations. Organizations must remain vigilant and adopt a multi-layered security approach to safeguard their IT infrastructure from these evolving threats.
