As more businesses shift their workloads to cloud environments, Linux threats are becoming increasingly common and cybercriminals have devised new tools and techniques to launch attacks against Linux infrastructure.
One technique they often employ is scanning for publicly accessible Docker servers and then abusing misconfigured Docker API ports to set up their own containers and execute malware on their victim’s infrastructure. The Ngrok botnet is one of the longest ongoing attack campaigns that leverages this technique and a new report from Intezer Labs shows that it takes only a few hours for a new misconfigured Docker server to be infected by this campaign.
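The misconfiguration this campaign scans for is a Docker Engine API listening on a network-facing TCP port without TLS client verification. The following audit of a daemon.json file is an added example, not code from the article or from Intezer; it uses the real dockerd options `hosts`, `tlsverify` and `tlscacert`, and the two sample configurations are constructed for illustration.

```python
import json

# Added example, not code from the article or from Intezer: audit a Docker
# daemon.json for the misconfiguration this campaign abuses, the Engine API
# listening on a TCP port without TLS client verification. "hosts",
# "tlsverify" and "tlscacert" are real dockerd options; the sample configs
# below are constructed for illustration.

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def _bind_address(tcp_host: str) -> str:
    """Extract the bind address from a 'tcp://addr:port' host entry."""
    addr = tcp_host[len("tcp://"):]
    if addr.startswith("["):                  # bracketed IPv6 literal
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def audit_daemon_config(config: dict) -> list:
    """Return (severity, host, message) findings for a parsed daemon.json.
    unix:// and fd:// sockets are local; -H flags in the systemd unit can
    add listeners too and must be reviewed separately."""
    findings = []
    tls_verified = bool(config.get("tlsverify")) and "tlscacert" in config
    for host in config.get("hosts", ["unix:///var/run/docker.sock"]):
        if not host.startswith("tcp://"):
            continue
        bind = _bind_address(host)
        if bind in LOOPBACK or bind.startswith("127."):
            continue                          # loopback-only listener
        if not tls_verified:
            findings.append(("CRITICAL", host,
                             "Docker API reachable over the network without TLS "
                             "client verification; anyone who can reach this "
                             "port can create and run containers"))
        else:
            findings.append(("INFO", host,
                             "TLS-verified listener; restrict with a firewall"))
    return findings

def audit_daemon_json(text: str) -> list:
    """Audit the raw contents of /etc/docker/daemon.json."""
    return audit_daemon_config(json.loads(text))

# Constructed samples: the weak setting beside the corrected one.
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],'
                   ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
                   ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
```

Running `audit_daemon_json(WEAK_CONFIG)` yields one CRITICAL finding for the 0.0.0.0:2375 listener, while the hardened file produces only an informational note about firewalling the TLS-verified port.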
Recently though, the company detected a new malware payload, which they dubbed Doki, that differs from the usual cryptominers typically deployed in this kind of attack. What sets Doki apart from other malware is that it leverages the Dogecoin API to determine the URL of its operator’s command and control (C&C) server.
The malware has managed to remain in the shadows and undetected for over six months despite the fact that samples of Doki are publicly available in VirusTotal.
Once the hackers abuse the Docker API to deploy new servers inside a company’s cloud infrastructure, the servers, which run a version of Alpine Linux, are then infected with crypto-mining malware as well as Doki.
According to Intezer’s researchers, Doki’s purpose is to allow hackers to maintain control over the servers they’ve hijacked to make sure that their cryptomining operations continue. However, the new malware differs from other backdoor trojans by using the Dogecoin API to determine the URL of the C&C server it needs to connect to in order to receive new instructions.
Doki uses a dynamic algorithm, known as a DGA or domain generation algorithm, to determine the C&C address using the Dogecoin API. The operators of the Ngrok botnet can also easily change the server from which the malware receives its commands by making a single transaction from a Dogecoin wallet they control.
If DynDNS happens to receive an abuse report about the current Doki C&C URL and the site is taken down, the cybercriminals only need to make a new transaction, determine the new subdomain value, set up a new DynDNS account and claim the subdomain. This clever tactic prevents businesses and even law enforcement from dismantling Doki’s backend infrastructure, as they would first need to take control of the Dogecoin wallet away from the Ngrok botnet’s operators.