‘Doki’ malware attacks Docker servers using Dogecoin

30 Jul, 2020

Malware that has remained undetected for six months is exploiting misconfigured Docker API ports to launch malicious payloads, while abusing the Dogecoin cryptocurrency blockchain in the process.

The malware, known as ‘Doki’, is targeting misconfigured containerised environments hosted on Azure, AWS, and a number of other major cloud platforms, according to Intezer researchers, with attackers able to find publicly accessible Docker API ports and exploit them to establish their own containers.

Doki is then able to instal malware on targeted infrastructure based on code received from its operators, spawning and deleting containers during the process.

Doki serves as an undetectable Linux backdoor, and represents an evolution of the two-year-old Ngrok Botnet campaign. Alarmingly, it has also managed to evade every one of the 60 malware platforms listed on VirusTotal since it was first analysed in January 2020.

This particular strain is unusual in the sense that it abuses the Dogecoin cryptocurrency blockchain in order to attack these containerised environments. The attackers use a fairly ingenious method to prevent the botnet infrastructure from being taken down, which involves dynamically changing the command and control (C2) server’s domain based on the transactions recorded on a Dogecoin wallet.

The C2 domain address, from which the payload is sent, changes based on the amount of Dogecoin in the wallet at any given time. When a cryptocurrency is added or removed from the wallet, the system encodes the transaction and creates a new unique address from which they can control the Doki malware.

Because of the secure and decentralised nature of Blockchain, this infrastructure can’t be taken down by law enforcement, and new addresses can’t be pre-empted by others as only the attackers can make transactions on their Dogecoin wallet.

“Linux threats are becoming more common. A contributing factor to this is the increasing shift and reliance on cloud environments, which are mostly based on Linux infrastructure,” said researchers Nicole Fishbein and Michael Kajiloti. “Hence, attackers have been adapting accordingly with new tools and techniques designed specifically for this infrastructure.”

Historically, the Ngrok Botnet has been one of the most prevalent threats abusing misconfigured Docker API ports in such a way to execute malware, they added. As part of the attack, the hackers would abuse Docker configuration features to elude container restrictions and execute various payloads from the host.

Such threats also deploy network scanners to identify the cloud providers’ IP ranges for additional potentially vulnerable targets. What makes it so dangerous is that it only takes a few hours from when a misconfigured Docker server is online to become infected.

The cloud news categorized.