Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

Summary

  • We analyze a cryptojacking attack campaign exploiting exposed Docker remote API servers to deploy cryptocurrency miners, using Docker images from the open-source Commando project.
  • Malicious actors employ the image for initial access, employing techniques like chroot and volume binding to break out of the container and access the host system.
  • Attack indicators can include specific User-Agent strings, plus the use of DropBear SSH on TCP port 3022, which can help in detecting the presence of the malware.
  • To mitigate such attacks, it is essential to adhere to container security best practices, such as properly configuring containers and APIs and using trusted Docker images.


We observed an attack campaign abusing exposed Docker remote API servers to deploy cryptocurrency miners. This attack campaign bears the name Commando Cat due to its initial step, which involves the deployment of benign containers generated using the publicly-available Commando project (an open-source GitHub project that creates Docker images on-demand for developers). Commando, which is publicly available, is deployed using The attackers used the docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure. This attack campaign has been active since the start of 2024.

Initial access

To gain initial access, the attacker deploys a docker image named, a harmless docker image. Once deployed, the malicious actor creates a docker container based on this image and uses chroot to break out of the container and gain access to the host operating system. It also uses curl/wget to download the malicious binary into the host.

Attack sequence

Figure 1. Commando Cat attack sequence

Let’s break down how the attack unfolds step by step:

1. Probing the Docker Remote API server

The sequence of events in this attack campaign begins with a ping to the Docker Remote API server, which serves as the pivotal starting point for the ensuing chain of actions.

Figure 2. Ping request to the Docker Remote API Server

2. Creating the container using the image:

Upon confirming the server’s status as “OK,” the attacker proceeds to instantiate a container using the image.

Figure 3. Container creation request to the Docker Remote API Server

In the container creation request, we see the malicious actor employing chroot and volume binding to escape the container. Using chroot, the attacker can peek outside the container and then enter the host system using the Binds parameter, which specifies volume bindings.

The binding /:/hs mounts the host’s root directory into the container’s /hs directory, granting the attacker unrestricted access to the host file system. It also binds the Docker socket (/var/run/docker.sock:/var/run/docker.sock), giving the container direct access to the Docker daemon on the host, therefore allowing the attackers to control Docker as if they were on the host machine itself.
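The check below is an added example, not code from the original article: it audits a Docker Engine API container-create body for the two binds described above and for a chroot into the bound host root, and decodes any base64 argument of the kind used in the later deployment step. The sample bodies, the image name and the payload text are constructed.

```python
import base64
import posixpath
import re

SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def _argv(value):
    # The API accepts Entrypoint and Cmd as a string or a list of strings.
    return [] if not value else [value] if isinstance(value, str) else list(value)

def audit_create_request(body):
    """Return findings for one container-create body (HostConfig.Binds, Cmd)."""
    findings, root_mounts = [], []
    for bind in (body.get("HostConfig") or {}).get("Binds") or []:
        parts = bind.split(":")  # host_path:container_path[:options]
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue  # named volume, not a host path
        src, dst = posixpath.normpath(parts[0]), parts[1]
        if src.strip("/") == "":
            root_mounts.append(dst)
            findings.append(f"host root filesystem bound to {dst}")
        elif src in SOCKET_PATHS:
            findings.append(f"Docker socket bound to {dst}")
    command = " ".join(_argv(body.get("Entrypoint")) + _argv(body.get("Cmd")))
    for dst in root_mounts:
        if re.search(rf"\bchroot\s+{re.escape(dst)}(\s|$)", command):
            findings.append(f"chroot into host root at {dst}")
    for token in B64_TOKEN.findall(command):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:
            continue  # not base64, or not text
        findings.append(f"base64 argument decodes to: {decoded!r}")
    return findings

# Constructed sample bodies (not captured traffic); the image name is a placeholder.
_PAYLOAD = base64.b64encode(b"echo constructed-sample").decode()
SUSPICIOUS = {
    "Image": "example/image",
    "Cmd": ["chroot", "/hs", "sh", "-c", f"echo {_PAYLOAD} | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/hs", "/var/run/docker.sock:/var/run/docker.sock"]},
}
BENIGN = {"Image": "example/image", "Cmd": ["nginx"],
          "HostConfig": {"Binds": ["appdata:/data:ro"]}}

if __name__ == "__main__":
    for finding in audit_create_request(SUSPICIOUS):
        print(finding)
```

The same function can be run over the `HostConfig` and `Config` sections of `docker inspect` output for containers that already exist.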

3. Image creation in absence

If the above request returns a “No such image” response, the attacker will pull the chattr docker image from the repository.

Figure 4. Chattr Docker image pull request

4. Container deployment

With the image in place, the attacker proceeds to create a Docker container, effectively executing a replica of the previous step.

While creating the docker container, the malicious actor executes a base64-encoded string:

Figure 5. Base64-encoded payload string

This translates to the following shell script:

Figure 6. Base64-decoded shell script

The script starts with a conditional check to determine whether a file named “z” exists in the directory /usr/sbin/. If the file does not exist, the script proceeds to download and execute the malicious binary from its file server (hxxp[:]/leetdbs[.]anondns[.]net/z), saving it to the directory /usr/sbin/. The binary is potentially ZiggyStarTux, an open-source IRC bot based on the Kaiten malware, and it is packed using the UPX packer.

While doing the analysis, we found the C&C server to be down. However, the following User-Agent strings present in the binary can be used to monitor the presence of this malware in the network:

  • User-Agent: HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)
  • User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)

The strings present in this binary/code suggest that this malware is using DropBear SSH, a relatively small SSH server and client application, on TCP port 3022. This could serve as another clue for spotting the malware.

The deployed malware tries to connect to its C&C server 45[.]9[.]148[.]193 on port 1219. Figure 6 depicts the initial network traffic, which shows the initial IRC communication.

Figure 7. Initial IRC communication
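The following added example (not part of the original article) correlates the three network indicators above, the two User-Agent strings, the C&C endpoint on port 1219 and TCP port 3022, per host. The key=value log format and the sample lines are assumptions constructed for the example; adapt the field names to your proxy and flow logs.

```python
import re
from collections import defaultdict

# Indicators from the article; the defanged C&C address is refanged for matching.
USER_AGENTS = (
    "HackZilla/1.67 [en] (X11; U; Linux 2.2.16-3 x64)",
    "Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)",
)
C2_ENDPOINT = ("45[.]9[.]148[.]193".replace("[.]", "."), 1219)
DROPBEAR_PORT = 3022
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split a key=value record (values may be double-quoted) into a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def hunt(lines):
    """Map each suspect host to the set of indicators it matched."""
    suspects = defaultdict(set)
    for line in lines:
        rec = parse(line)
        port = int(rec["dport"]) if rec.get("dport", "").isdigit() else None
        if rec.get("ua") in USER_AGENTS:
            suspects[rec.get("src")].add("user-agent")
        if (rec.get("dst"), port) == C2_ENDPOINT:
            suspects[rec.get("src")].add("c2-connection")
        if port == DROPBEAR_PORT and rec.get("proto") == "tcp":
            # The host accepting the connection is the one to examine.
            suspects[rec.get("dst")].add("tcp-3022-listener")
    return dict(suspects)

# Constructed log lines in an assumed key=value format (not real telemetry).
SAMPLE_LOG = [
    f'src=10.0.0.5 dst=192.0.2.10 dport=80 proto=tcp ua="{USER_AGENTS[0]}"',
    f"src=10.0.0.5 dst={C2_ENDPOINT[0]} dport={C2_ENDPOINT[1]} proto=tcp",
    "src=10.0.0.7 dst=10.0.0.5 dport=3022 proto=tcp",
    'src=10.0.0.8 dst=192.0.2.10 dport=443 proto=tcp ua="curl/8.5.0"',
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_LOG).items():
        print(host, sorted(hits))
```

A host that matches more than one indicator, as 10.0.0.5 does in the sample, deserves priority; traffic to TCP 3022 alone is a weak signal.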

The significance of this attack campaign lies in its use of Docker images to deploy cryptojacking scripts on compromised systems. This tactic allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software. As cybersecurity researchers continue to monitor this malicious actor, it’s essential for organizations to strengthen their defenses against Docker-related attacks.

Recommendations

To protect development environments from attacks targeting containers and hosts, we recommend implementing the following best practices:

  • Containers and APIs should always be properly configured to minimize the chance of exploitative attacks. Docker has specific guidelines on how their users can strengthen their security.
  • Organizations should use only official or certified images to ensure that only trusted content is run within the environment.
  • Containers should not be run with root privileges, but rather as application users.
  • Containers should be configured so that access is granted only to trusted sources, such as the internal network.
  • Organizations should adhere to recommended best practices. For example, Docker provides a comprehensive list of best practices and has built-in security features users can follow to improve the security of their cloud environments.
  • Security audits should be performed at regular intervals to check for any suspicious containers and images.

Conclusion

The Commando Cat attack campaign highlights the threat posed by the abuse of exposed Docker remote API servers. By exploiting Docker configurations and leveraging open-source tools like, attackers can gain initial access and deploy malicious binaries, while evading conventional security measures. The campaign’s use of Docker images to propagate cryptojacking scripts underscores the importance of implementing robust container security practices.

Trend solutions

The following security solutions are recommended for safeguarding Docker servers.

  • Trend Vision One™ – Container Security – for automated container image and registry scanning that helps detect threats early on
  • Trend Cloud One™ – Workload Security – for protecting new and existing workloads against even unknown threats using techniques such as machine learning and virtual patching

The following protections exist to detect malicious activity and shield Trend customers from the attack discussed in this blog entry:

  • 1010326 – Identified Docker Daemon Remote API Call
  • 1008619 – Application – Docker
  • 1010349 – Docker Daemon Remote API Calls

Trend Vision One hunting query

The following text lists potentially useful queries for threat hunting within Vision One:

eventId:100115 AND (remarks: POST_IMG_BLD_CRE OR remarks: POST_CON_CREATE) AND “”

Originally published by trendmicro: Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

Copyright notice: posted by admin on June 13, 2024 at 5:29 PM.
When reposting, please credit: Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers | CTF导航