User organizations have taken more of their business infrastructure off-premises lately. As a result, cybercriminals have attempted to target Linux-based cloud environments, such as Docker servers, with misconfigured API ports.
Some of these scamming schemes comprise more conventional varieties of Linux-based malware attacks. However, researchers recently discovered a Docker container attack. It distributes an undetectable malicious backdoor that abuses the Dogecoin crypto blockchain for dynamic C2 domain generation.
The backdoor, dubbed Doki, is designed to execute malicious code sent by adversaries. According to researchers from Intezer, it has secretly existed for more than six months already.
Doki builds C2 communication by querying the dogechain.info API for the value sent out from a hardcoded wallet address that the attacker controls. After that, this value is hashed and converted to a subdomain appended to ddns.net to create a random C2 address.
Intezer explained that, using this technique, the attacker controls which address the malware will contact by transferring Dogecoin from his/her wallet.
The attacker is the only one who has control over the wallet. So, only he/she can control when and how much Dogecoin to transfer. Additionally, the blockchain technique helps prevent law enforcement takedowns, thwarting domain filtering.
According to the report, the campaign is the work of the actors behind the Ngrok botnet, which is more typically likely to infect victims with crypto miners.
As evidence shows, when a new misconfigured Docker server is up online, it takes only a few hours to become infected by this campaign.
How does botnet operate?
The botnet attackers scan for openly accessible, misconfigured Docker API ports, thus exploiting their victims. Then they establish their own malware-serving containers on the host. These malicious containers are based on highly used images available through the Docker hub.
The attackers don’t need to hide a publicly available image on the Docker hub, which is a big advantage for them. Instead, they can use an existing image and run their malware and logic on top of it.