As more companies move their workloads to the cloud, Linux threats have become more frequent, and cybercriminals have built new tools and techniques to attack Linux infrastructure.
One technique they commonly use is scanning for publicly reachable Docker hosts and abusing misconfigured Docker API ports to create their own containers and run malware on the victim's infrastructure. The Docker daemon's TCP API is unauthenticated unless TLS client verification is configured, and a client that can reach it can create privileged containers, so exposing that port to the internet hands over root-equivalent control of the host. The Ngrok botnet is one of the longest-running attack campaigns to use this method, and a new report from Intezer Labs shows that it takes only a few hours for a newly exposed, misconfigured Docker server to be infected by the campaign.
Recently, though, the company detected a new malware payload, which it dubbed Doki, that differs from the crypto miners usually deployed in this kind of attack. What sets Doki apart from other malware is that it uses the Dogecoin API to determine the URL of its operator's command and control (C&C) server.
The malware managed to stay in the shadows, undetected, for more than six months even though Doki samples were publicly available on VirusTotal.
Doki malware
Once the attackers abuse the Docker API to deploy new containers inside an organization's cloud infrastructure, those containers, which run an Alpine Linux image, are infected with crypto-mining malware as well as Doki.
According to Intezer's researchers, Doki's purpose is to give the attackers basic control over the servers they have hijacked so that their crypto-mining operations can continue. However, the new malware differs from other backdoor trojans by using the Dogecoin API to determine the URL of the C&C server it needs to connect to in order to receive new instructions.
Doki uses a dynamic algorithm, known as a domain generation algorithm (DGA), to derive the C&C address from data it reads through the Dogecoin API. Because the algorithm's input is the public state of a wallet the operators control, there is no hard-coded server address to block or seize, and the Ngrok botnet's operators can move the server the malware takes orders from simply by making a single transaction from that wallet. The blockchain is readable by anyone but writable only by the wallet's owner, which is what makes the scheme both resilient for the attackers and, once the wallet is known, predictable for defenders.
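The misconfiguration the campaign scans for is a Docker daemon whose TCP API is reachable from the network without TLS client verification. The check below is an added example written for this page, not tooling from Intezer or the Docker project: it reads the two places a listener can be configured (the `hosts` key of `daemon.json` and `-H`/`--host` flags on the `dockerd` command line) and flags any non-loopback TCP listener, distinguishing the unauthenticated case from one protected by `--tlsverify`. The sample configurations are constructed for illustration.

```python
from __future__ import annotations

import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the article). dockerd refuses to start when
# "hosts" is set in daemon.json AND -H is passed on the command line, so each sample
# configures its listener in only one place.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})
SAMPLE_CMDLINE = (
    "dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem "
    "--tlskey=/etc/docker/server-key.pem"
)

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def listeners_from_config(daemon_json_text: str, dockerd_cmdline: str) -> tuple[list[str], bool]:
    """Collect every configured listener and whether TLS client verification is on."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))

    argv = shlex.split(dockerd_cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])       # "-H tcp://..." (separate argument)
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])           # "-Htcp://..." (glued form)
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def assess_docker_api(daemon_json_text: str, dockerd_cmdline: str) -> list[str]:
    """Return one finding per TCP listener that is reachable beyond loopback."""
    hosts, tls_verify = listeners_from_config(daemon_json_text, dockerd_cmdline)
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue                        # unix:// and fd:// are local-only
        host = u.hostname or "0.0.0.0"      # "tcp://:2375" binds all interfaces
        port = u.port or 2375
        if host in LOOPBACK:
            continue
        if tls_verify:
            findings.append(f"tcp://{host}:{port}: TLS client verification on; still firewall the port")
        else:
            findings.append(f"tcp://{host}:{port}: UNAUTHENTICATED Docker API exposed; "
                            "any client can create privileged containers (root on host)")
    return findings


if __name__ == "__main__":
    for line in assess_docker_api(SAMPLE_DAEMON_JSON, "") + assess_docker_api("", SAMPLE_CMDLINE):
        print(line)
```

Run it against the real `/etc/docker/daemon.json` and the `ExecStart` line of the `docker.service` unit; a finding with "UNAUTHENTICATED" on a host with a public address is exactly what this campaign's scanners are looking for.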
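The following is an added illustration of a blockchain-driven DGA of the kind described in the two paragraphs above; it is example code written for this page, not Doki's code or Intezer's analysis. It assumes a block-explorer API reply carrying the wallet's total sent amount in a `sent` field, and it assumes SHA-256, a 12-character hostname label and a dynamic-DNS suffix purely for illustration, since the page does not state Doki's exact parameters. The API reply and wallet address are constructed.

```python
import hashlib
import json
from decimal import Decimal

# Constructed sample reply from a Dogecoin block-explorer API for the operator's wallet.
# Endpoint shape, field names, wallet address, hash function, label length and DNS suffix
# are all illustrative assumptions for this example, not Doki's published specifics.
OPERATOR_WALLET = "DExampleDogecoinWalletAddressUsedOnlyHere"
SAMPLE_API_REPLY = json.dumps({"success": 1, "sent": "1234.56000000"})

LABEL_LEN = 12             # assumed: hex chars of the digest used as the hostname label
DDNS_SUFFIX = ".ddns.net"  # assumed: a dynamic-DNS provider where the operator registers names


def c2_domain(api_reply_json: str) -> str:
    """Derive the C&C hostname from the wallet's total sent amount (the DGA seed)."""
    data = json.loads(api_reply_json)
    seed = str(data["sent"])   # public blockchain state stands in for a hard-coded domain
    label = hashlib.sha256(seed.encode()).hexdigest()[:LABEL_LEN]
    return label + DDNS_SUFFIX


def domain_after_transaction(api_reply_json: str, amount: str) -> str:
    """Predict the domain the bots switch to once the operator sends `amount` DOGE out.

    Only the wallet owner can change the seed (by spending), but anyone who knows the
    wallet can read it, so a defender can compute the same name and block or sinkhole it.
    """
    data = json.loads(api_reply_json)
    new_sent = f"{Decimal(str(data['sent'])) + Decimal(amount):.8f}"
    return c2_domain(json.dumps({"sent": new_sent}))


if __name__ == "__main__":
    print("current C&C:", c2_domain(SAMPLE_API_REPLY))
    print("after one tiny transaction:", domain_after_transaction(SAMPLE_API_REPLY, "0.00000001"))
```

Two properties matter for defenders. A static blocklist is useless, because a single outgoing transaction, however small, yields a new name; detection should instead key on the bots' lookups of freshly registered dynamic-DNS names and on their requests to the block-explorer API. Conversely, once the operator's wallet address is recovered from a sample, the seed is public, so the next domain can be computed from the same data the malware reads.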