{"id":41172,"date":"2020-07-30T10:49:14","date_gmt":"2020-07-30T10:49:14","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=5e8aa5c5deae3fe7f086b5dd32738995"},"modified":"2020-07-30T10:49:14","modified_gmt":"2020-07-30T10:49:14","slug":"doki-malware-attacks-docker-servers-using-dogecoin","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/doki-malware-attacks-docker-servers-using-dogecoin\/","title":{"rendered":"‘Doki’ malware attacks Docker servers using Dogecoin"},"content":{"rendered":"


\n Keumars Afifi-Sabet<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
30 Jul, 2020<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

Malware<\/a>\u00a0that has remained undetected for six months is exploiting misconfigured Docker API ports to launch malicious payloads, while abusing the Dogecoin cryptocurrency blockchain in the process.<\/span><\/p>\n

The malware, known as \u2018Doki\u2019, is targeting misconfigured containerised environments hosted on Azure, AWS, and a number of other major cloud platforms, according to\u00a0Intezer researchers<\/a>, with attackers able to find publicly accessible\u00a0Docker<\/a>\u00a0API ports and exploit them to establish their own containers.<\/span><\/p>\n

\n

Doki is then able to instal\u00a0malware on targeted infrastructure based on code received from its operators, spawning and deleting containers during the process.<\/span><\/p>\n

\n
\n
\n

Doki serves as an undetectable Linux backdoor, and represents an evolution of the two-year-old Ngrok Botnet campaign. Alarmingly, it has also managed to evade every one of the 60 malware platforms listed on\u00a0VirusTotal<\/a>\u00a0since it was first analysed in January 2020.<\/span><\/p>\n

This particular strain is unusual in the sense that it abuses the Dogecoin\u00a0cryptocurrency blockchain<\/a>\u00a0in order to attack these containerised environments.<\/span>\u00a0The attackers use a fairly\u00a0ingenious method to prevent the botnet infrastructure from being taken down, which involves\u00a0dynamically changing the command and control (C2) server’s domain based on the transactions recorded on a Dogecoin wallet.<\/p>\n

The C2 domain address, from which the payload is sent, changes based on the amount of Dogecoin in the wallet at any given\u00a0time. When a cryptocurrency is added or removed from the wallet, the system encodes the transaction and creates a new unique address from which they can control the Doki malware.<\/p>\n<\/div>\n

\n
\n
\n
\n
\n

Because of the secure and decentralised nature of Blockchain, this infrastructure can’t be taken down by law enforcement, and new addresses can’t be pre-empted by others as only the attackers can make transactions on their Dogecoin wallet.<\/p>\n