Threat actors have targeted internet-exposed Docker API endpoints with the advanced Commando Cat cryptojacking campaign since the beginning of the year, The Hacker News reports.
Attacks commenced with the infiltration of vulnerable Docker instances, which were later exploited to facilitate the delivery of additional payloads and shell scripts before proceeding with credential exfiltration and the deployment of a Base64-encoded payload that delivers the XMRig cryptocurrency mining malware, according to a report from Cado Security Labs.
"The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one. This makes it versatile and able to extract as much value from infected machines as possible," said researchers.
Details regarding the Command Cat attackers' identity remain uncertain but researchers suspected them as a copycat operation owing to similarities between the command-and-control IP addresses and shell scripts used in the campaign and those leveraged by TeamTNT and other cryptojacking operations.
