Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

June 07, 2024 | Editorial | Cryptojacking / Security Flaw
The threat actor known as Commando Cat has been linked to an ongoing cryptojacking campaign that exploits poorly secured Docker instances to deploy cryptocurrency miners for financial gain.

“The criminals employed the cmd.cat/chattr Docker image container that acquires the payload from their own command-and-control (C&C) infrastructure,” researchers Sunil Bharti and Shubham Singh said in an analysis published on Thursday.

Commando Cat, so named for its use of the open-source Commando project to generate a benign-looking container, was first documented earlier this year by Cado Security.


The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a base to create a container and break out of its confines using the chroot command, thereby gaining access to the host operating system.

The final stage entails retrieving the malicious miner binary via a curl or wget command from a C&C server (“leetdbs.anondns[.]net/z”) by running a shell script. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware.
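A defender-side check for the two conditions this chain relies on, a Docker remote API reachable without authentication and a container configured to reach the host, as an added Python example that is not code from the original report or the researchers; it reads the standard `hosts`/`tlsverify` keys of daemon.json and the `HostConfig`/`Config` fields of `docker inspect` output, and the sample records are constructed:

```python
import json

# Indicators taken from the chain described above: the cmd.cat/chattr image,
# a bind mount of the host root, privileged mode, host PID namespace and
# chroot in the container command. A starting point, not a complete signature.
SUSPECT_IMAGES = {"cmd.cat/chattr"}


def daemon_exposes_unauthenticated_api(daemon_json: str) -> bool:
    """True if daemon.json binds the API to a TCP socket without TLS client verification.

    Uses the standard "hosts" and "tlsverify" keys of /etc/docker/daemon.json.
    """
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp_hosts) and not bool(cfg.get("tlsverify", False))


def escape_indicators(inspect_json: str) -> list:
    """Scan one `docker inspect` record (dict or one-element list) for host-escape signs."""
    rec = json.loads(inspect_json)
    if isinstance(rec, list):
        rec = rec[0]
    host = rec.get("HostConfig", {})
    cfg = rec.get("Config", {})
    findings = []
    if cfg.get("Image") in SUSPECT_IMAGES:
        findings.append("image:" + cfg["Image"])
    if host.get("Privileged"):
        findings.append("privileged")
    for bind in host.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":  # host root mounted into the container
            findings.append("host-root-bind:" + bind)
    if host.get("PidMode") == "host":
        findings.append("pid-host")
    if "chroot" in (cfg.get("Cmd") or []):  # command pivots into the mounted host root
        findings.append("chroot-in-cmd")
    return findings


# Constructed sample records, not captured from a real host.
SAMPLE_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CONTAINER = json.dumps([{
    "Config": {"Image": "cmd.cat/chattr", "Cmd": ["chroot", "/host", "sh", "-c", "echo constructed"]},
    "HostConfig": {"Privileged": True, "Binds": ["/:/host"], "PidMode": "host"},
}])

if __name__ == "__main__":
    print("API exposed without TLS:", daemon_exposes_unauthenticated_api(SAMPLE_DAEMON))
    print("Escape indicators:", escape_indicators(SAMPLE_CONTAINER))
```

Run the daemon check against each host's daemon.json and the inspect check over `docker inspect $(docker ps -aq)` output; any hit on the first, or more than one hit on the second, warrants a closer look.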

“The importance of this offensive hinges on the utilization of Docker images to deploy cryptojacking scripts on compromised systems,” the researchers noted. “This strategy allows attackers to capitalize on vulnerabilities in Docker setups while eluding detection by security tools.”


The disclosure coincides with Akamai’s revelation that old security flaws in ThinkPHP applications (e.g., CVE-2018-20062 and CVE-2019-9082) are being exploited by a suspected Chinese-speaking threat actor to deploy a web shell named Dama as part of a campaign that began on October 17, 2023.


“The exploit tries to obtain additional concealed code from another compromised ThinkPHP server to establish initial presence,” Akamai researchers Ron Mankivsky and Maxim Zavodchik said. “After successfully exploiting the system, the intruders will deploy a Chinese language web shell named Dama to retain continuous access to the server.”


The web shell comes with several advanced capabilities to gather system information, upload files, scan network ports, escalate privileges, and navigate the file system, the latter allowing the threat actors to perform actions such as file editing, deletion, and timestamp modification for anti-forensic purposes.

“The recent offensives originated by a Chinese-speaking adversary underscore a prevailing pattern of attackers utilizing a fully developed web shell, designed for advanced control of victims,” the researchers said. “Interestingly, not all targeted clients were utilizing ThinkPHP, indicating that the attackers may be haphazardly focusing on a wide spectrum of systems.”
