The malware is a new payload that uses Dogecoin wallets for its C2, and spreads via the Ngrok botnet.

A fresh Linux backdoor called Doki is infesting Docker servers in the cloud, researchers warn. It employs a brand-new technique: using a blockchain wallet to generate command-and-control (C2) domain names.

Doki, however, is meant to provide a persistent code-execution capability on an infected host, setting the scene for any number of malware-based attacks, from denial of service and sabotage to information exfiltration and ransomware, according to Intezer.

The campaign starts with an increasingly common attack vector: The compromise of misconfigured Docker API ports. Attackers scan for publicly accessible, open Docker servers in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim’s infrastructure. Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware — but Doki represents an evolution in payload.

The Doki attackers are using an existing Ngrok-based botnet to spread the backdoor, via a network scanner that targets hardcoded ranges of IP addresses belonging to cloud providers, such as Amazon Web Services and local cloud providers in Austria, China and the United Kingdom. Ngrok is a legitimate reverse proxy service that cybercriminals have been using for C2 communications with infected bot endpoints. The scanner looks for potentially vulnerable targets, gathers relevant information and uploads it to an Ngrok URL controlled by the attackers. The attackers then compromise the new targets.

“Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign,” according to researchers at Intezer, writing in an analysis this week. “The attackers are spawning and deleting a number of containers during this attack.”
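The container churn the researchers describe (a burst of containers spawned and torn down within minutes) is visible in the Docker daemon's own event stream. As an added defender-side example, not from the article or from Intezer's analysis, the Python below parses constructed `docker events`-style lines (the line layout `<timestamp> container <action> <id> (<key=value, ...>)` is assumed, and the sample data is made up) and flags bursts of container creation plus very short container lifetimes on a host.

```python
import re
from collections import deque
from datetime import datetime, timezone

# Constructed sample in `docker events` text layout (assumed format); not real data.
SAMPLE_EVENTS = """\
2020-07-28T10:00:01.000000000Z container create 1a2b (image=alpine:latest, name=scan1)
2020-07-28T10:00:05.000000000Z container destroy 1a2b (image=alpine:latest, name=scan1)
2020-07-28T10:00:06.000000000Z container create 3c4d (image=alpine:latest, name=scan2)
2020-07-28T10:00:09.000000000Z container destroy 3c4d (image=alpine:latest, name=scan2)
2020-07-28T10:00:10.000000000Z container create 5e6f (image=alpine:latest, name=scan3)
2020-07-28T10:00:12.000000000Z container destroy 5e6f (image=alpine:latest, name=scan3)
2020-07-28T11:30:00.000000000Z container create 7a8b (image=nginx:1.19, name=web)
"""
EVENT_RE = re.compile(r"^(\S+) container (\w+) (\w+) \((.*)\)$")

def parse_events(text):
    """Parse container events into dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, (EVENT_RE.match(l.strip()) for l in text.splitlines())):
        ts_raw, action, cid, attrs = m.groups()
        # Drop the nanosecond fraction and trailing Z; daemon timestamps are UTC.
        ts = datetime.strptime(ts_raw[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        kv = dict(p.split("=", 1) for p in attrs.split(", ") if "=" in p)
        events.append({"ts": ts, "action": action, "id": cid, "image": kv.get("image", "?")})
    return events

def detect_churn(events, window_s=60, threshold=3):
    """Return (window_start_iso, creates, images) per burst of >= threshold creates in window_s."""
    alerts, recent = [], deque()
    for ev in (e for e in events if e["action"] == "create"):
        recent.append(ev)
        while (ev["ts"] - recent[0]["ts"]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0]["ts"].isoformat(), len(recent),
                           sorted({e["image"] for e in recent})))
            recent.clear()  # one alert per burst, not one per extra create
    return alerts

def container_lifetimes(events):
    """Seconds from create to destroy per container id (None if still alive)."""
    created, life = {}, {}
    for e in events:
        if e["action"] == "create":
            created[e["id"]], life[e["id"]] = e["ts"], None
        elif e["action"] == "destroy" and e["id"] in created:
            life[e["id"]] = (e["ts"] - created[e["id"]]).total_seconds()
    return life
```

On a live host the same functions can be fed the output of `docker events --filter type=container`; the thresholds are starting points to tune against the host's normal orchestration activity.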


Doki Backdoor Infiltrates Docker Servers in the Cloud