Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Docker APIs across the internet are being targeted by a merciless new crytpojacking campaign

Crypto mining.

Cybersecurity researchers from Cado Security recently discovered an advanced new cryptojacking campaign that targets exposed Docker API endpoints over the internet

The campaign, called “Commando Cat”, has been active since early 2024, the researchers added, saying that this was the second such campaign to be discovered in just two months.

According to the report, the attackers would deliver an interdependent payload from their own server, leveraging Docker as an initial access vector. The first container, built using the Commando open-source tool, is seemingly benign, but allows the attackers to escape the container and run multiple payloads on the Docker host itself.

Copycats

The payloads delivered depend on the short-term goals of the campaign, and include establishing persistence, backdooring the host, exfiltrating cloud service provider credentials, and launching cryptocurrency miners, the researchers explained. The cryptocurrency miner being deployed as part of this campaign is the infamous XMRig, a hugely popular cryptojacker that mines Monero (XMR), a privacy-oriented currency that’s almost impossible to trace.

Commando cat uses a different folder to temporarily store stolen files, Cado Security’s researchers added, suggesting this was done as an evasion mechanism. Indeed, this makes forensic analysis more challenging, they said. 

At press time, the researchers don’t know who the threat actors behind Commando Cat are, but say they noticed overlaps in shell scripts and C2 IP addresses with another cryptojacking group called TeamTNT. Still, Cado doesn’t believe TeamTNT to be behind this particular campaign, and rather leans towards a copycat group. 

To defend against such attacks, users are advised to update their Docker instances and implement necessary security measures, the researchers concluded.

Earlier this month, the same cybersecurity team discovered a similar campaign, targeting vulnerable Docker hosts to deploy both XMRig and the 9Hits Viewer software. 9hits is a web traffic exchange platform, where users can drive traffic among themselves. When a user installs 9hits, their device visits other members’ websites via a headless Chrome instance. In exchange, the user receives credits which they can then spend to drive traffic to their own sites. By installing 9hits on compromised Docker instances, the attackers generate additional credits which they can then exchange for more traffic for themselves. 

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.