Cado Security Labs Exposes Commando Cat Container Malware Campaign
Cado Security Labs today disclosed it discovered a malware campaign, dubbed “Commando Cat”, that targets Docker application programming interface (API) endpoints.
Commando Cat is a cryptojacking campaign that uses Docker APIs to mount a host filesystem to run a series of interdependent payloads directly on the host, starting with an instruction to pull down a Docker image called cmd.cat/chattr from a cmd.cat (Commando) project. These payloads register persistence, enable a backdoor, exfiltrate credentials files from cloud service providers, and then run a miner to generate cryptocurrency.
The report noted the attack also makes use of multiple techniques, including hiding processes, to evade detection.
Matt Muir, a threat intelligence researcher for Cado Security Labs, said the attack is designed to quickly escape a Docker container to commandeer underlying Linux resources. The attack is also noteworthy because, while the techniques employ scripts that are not especially complex, some of the techniques used to evade detection are novel, he added.
Specifically, the attack makes use of a method to hide processes that previously was demonstrated to work only as a proof of concept. This is the first time Cado Security Labs has observed that technique being actively employed, so it suggests that other attacks either already are or soon will be employing it to evade detection, noted Muir.
The fact that the cybercriminals perpetrating this attack are stealing credentials also suggests this vector will be employed to launch potentially more severe malware campaigns, added Muir.
Developers, of course, should not be downloading images from public repositories that are not vetted. However, it’s also not uncommon for container images residing in, for example, Docker Hub to have been compromised, so it’s critical for organizations to have some level of visibility into what container images are running in their environments, noted Muir.
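The visibility Muir describes can be approximated from the Docker daemon's own inventory. The following script is an added example, not code from Cado Security Labs or the report: it takes records in the shape produced by `docker inspect` and flags containers whose image did not come from an allowlisted registry, or that bind-mount sensitive host paths such as `/`, which is the pattern the article describes (a host filesystem mounted into a container started from the cmd.cat/chattr image). The two container records, the trusted-registry allowlist and the registry name `registry.example.internal` are all constructed for this example.

```python
import json

# Constructed sample: trimmed-down `docker inspect` style records for two containers.
# These are made-up values for this example, not data from the Commando Cat report.
SAMPLE_INSPECT = [
    {
        "Id": "aaaa1111",
        "Name": "/web-frontend",
        "Config": {"Image": "registry.example.internal/web:1.4"},
        "HostConfig": {"Binds": ["/var/log/web:/var/log/web:ro"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/var/log/web", "Destination": "/var/log/web"}],
    },
    {
        "Id": "bbbb2222",
        "Name": "/chattr",
        "Config": {"Image": "cmd.cat/chattr"},
        "HostConfig": {"Binds": ["/:/hostfs"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs"}],
    },
]

# Assumed allowlist: image references must start with one of these prefixes.
TRUSTED_REGISTRIES = ("registry.example.internal/",)

# Host paths whose exposure to a container deserves review. "/" exposes everything.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")


def registry_of(image):
    """Return the registry an image reference points at.

    Docker treats the first path component as a registry host only when it
    contains a '.' or ':' or is 'localhost'; otherwise the image is resolved
    against Docker Hub (docker.io).
    """
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def image_is_trusted(image):
    return any(image.startswith(prefix) for prefix in TRUSTED_REGISTRIES)


def mount_findings(container):
    """List bind mounts of sensitive host paths and privileged mode for one container."""
    findings = []
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":
            continue
        src = m.get("Source", "")
        under_sensitive = any(
            src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/"
        )
        if src in SENSITIVE_HOST_PATHS or under_sensitive:
            findings.append(f"bind mount of host path {src} at {m.get('Destination')}")
    if container.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged container")
    return findings


def audit_containers(records):
    """Map container name -> list of findings; containers with no findings are omitted."""
    report = {}
    for c in records:
        image = c["Config"]["Image"]
        issues = []
        if not image_is_trusted(image):
            issues.append(
                f"image {image} pulled from untrusted registry {registry_of(image)}"
            )
        issues.extend(mount_findings(c))
        if issues:
            report[c["Name"].lstrip("/")] = issues
    return report


if __name__ == "__main__":
    print(json.dumps(audit_containers(SAMPLE_INSPECT), indent=2))
```

On a real host the input is the JSON list printed by `docker inspect $(docker ps -q)`, loaded with `json.load` and passed to `audit_containers`. The allowlist is deliberately a prefix match on the full image reference rather than on the registry alone, so that a trusted registry host with an untrusted namespace still gets flagged; tune `SENSITIVE_HOST_PATHS` to the paths that matter in your environment.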
This is the second Docker-related cybersecurity issue that Cado Security Labs has disclosed. Last month it revealed how another campaign is using the 9hits traffic exchange service to distribute malware using Docker containers.
In general, it’s apparent cybercriminals are becoming more adept at exploiting containers to compromise IT environments. The challenge is not that containers are less secure than other types of software artifacts. Rather, the issue is that the ways they might be exploited require monitoring tools specifically designed to identify breaches and vulnerabilities involving containers.
Of course, the average container only runs for a few minutes, so there is often an assumption that they don’t persist long enough to be exploited. However, cybercriminals are now monitoring container environments to identify when a vulnerable container will be run again. As such, the amount of time required to inject malware that can then move laterally through the IT environment is declining.
Each organization will need to determine to what degree to embrace DevSecOps workflows to better secure software supply chains that include containers. The challenge is that cybercriminals are also studying those same processes to identify additional tactics and techniques to compromise them.