New form of Linux malware has clever use of Dogecoin API

As more businesses move their workloads to cloud environments, Linux threats are becoming more common, and cybercriminals have devised new tools and techniques to launch attacks against Linux infrastructure. One technique they often use is to search for publicly reachable Docker servers and then abuse misconfigured Docker API ports to set up their own containers and run malware on their victims' infrastructure. The Ngrok botnet is one of the longest-running attack campaigns exploiting this technique, and a new report from Intezer Labs shows that it takes only a few hours for a newly exposed, misconfigured Docker server to be infected. However, the company recently detected a new malware payload, which it dubbed Doki, that differs from the usual cryptominers deployed in this type of attack. What sets Doki apart from other malware is that it uses the Dogecoin API to determine the URL of its operators' command-and-control (C&C) server. The malware managed to stay in the shadows and go unnoticed for more than six months, even though Doki samples have been publicly available on VirusTotal.

Doki Malware

Once the attackers abuse the Docker API to deploy new servers in a company's cloud infrastructure, those servers, running a version of Alpine Linux, are infected with crypto-mining malware as well as with Doki. According to Intezer researchers, Doki's primary purpose is to give the attackers control over the servers they have hijacked so that their crypto-mining operations keep running. However, the new malware differs from other backdoor Trojans in using the Dogecoin API to determine the URL of the C&C server it should contact for further instructions. Doki uses a dynamic algorithm, known as a DGA or Domain Generation Algorithm, to derive the C&C address from data obtained through the Dogecoin API.

The Ngrok botnet operators can therefore change the server from which the malware receives its commands simply by making a single transaction from a Dogecoin wallet they control. If DynDNS receives an abuse report about the current Doki C&C URL and the site is taken down, the cybercriminals only need to make a new transaction, determine the resulting subdomain value, create a new DynDNS account and claim that subdomain. This clever tactic prevents companies and even law enforcement from dismantling Doki's back-end infrastructure, since they would first have to take control of Ngrok's Dogecoin wallet.

via ZDNet
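The takedown resistance described above can be turned around from the defender's side, as an added example that is not part of the original article or of Intezer's analysis: given the operator wallet's transaction history, a SOC can pre-derive every hostname the DGA could have produced and watch DNS logs for all of them, instead of blocking one domain at a time. The derivation used here (SHA-256 of the transaction value, first 12 hex characters, plus a .ddns.net suffix), the API field names and the DNS log format are all assumptions for illustration, not Doki's real algorithm.

```python
import hashlib

# Constructed sample of the operator wallet's transaction history, in the shape a
# block-explorer API might return. Field names and values are hypothetical.
SAMPLE_TXS = [
    {"txid": "tx-0001", "value_koinu": 12300000000, "time": 1593600000},
    {"txid": "tx-0002", "value_koinu": 45600000000, "time": 1594200000},
]

DYNDNS_SUFFIX = ".ddns.net"  # assumption: the article only says "DynDNS"


def derive_subdomain(tx, length=12):
    """Assumed derivation: SHA-256 of the transaction value, hex prefix.
    The article does not give Doki's real formula; only the shape matters here."""
    digest = hashlib.sha256(str(tx["value_koinu"]).encode()).hexdigest()
    return digest[:length]


def expected_c2_hosts(txs):
    """All hostnames the wallet history could have produced, oldest first.
    A defender who knows the wallet can rebuild this list after every new
    transaction instead of reacting to one takedown at a time."""
    ordered = sorted(txs, key=lambda t: t["time"])
    return [derive_subdomain(t) + DYNDNS_SUFFIX for t in ordered]


def current_c2_host(txs):
    """The hostname the newest transaction points at."""
    return expected_c2_hosts(txs)[-1]


def flag_dns_queries(log_lines, txs):
    """Return (line_no, hostname) for each log line whose queried name is on
    the derived watchlist. Expected line format (constructed):
    '<timestamp> <client_ip> <qname> <qtype>'."""
    watch = set(expected_c2_hosts(txs))
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) >= 3 and parts[2].rstrip(".") in watch:
            hits.append((n, parts[2].rstrip(".")))
    return hits


# Constructed DNS log: one benign query, one to the current derived C&C host,
# one to the host derived from the older (already replaced) transaction.
SAMPLE_DNS_LOG = [
    "2020-07-28T10:00:01Z 10.0.3.7 pkg.alpinelinux.org A",
    "2020-07-28T10:00:02Z 10.0.3.7 " + current_c2_host(SAMPLE_TXS) + ". A",
    "2020-07-28T10:00:03Z 10.0.3.9 " + expected_c2_hosts(SAMPLE_TXS)[0] + " A",
]
```

Because the watchlist covers the whole transaction history, a query to a hostname the operators have already abandoned is still flagged, which is often the first sign of an older infection on a host.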