'Doki' malware attacks Docker servers using Dogecoin

Misconfigured Docker API ports are being scanned and exploited by a threat that's evolved from the Ngrok Botnet campaign

Malware that has remained undetected for six months is exploiting misconfigured Docker API ports to launch malicious payloads, while abusing the Dogecoin cryptocurrency blockchain in the process.

The malware, known as ‘Doki’, is targeting misconfigured containerised environments hosted on Azure, AWS, and a number of other major cloud platforms, according to Intezer researchers, with attackers able to find publicly accessible Docker API ports and exploit them to establish their own containers.

Doki is then able to instal malware on targeted infrastructure based on code received from its operators, spawning and deleting containers during the process.


Doki serves as an undetectable Linux backdoor, and represents an evolution of the two-year-old Ngrok Botnet campaign. Alarmingly, it has also managed to evade every one of the 60 malware platforms listed on VirusTotal since it was first analysed in January 2020.

This particular strain is unusual in the sense that it abuses the Dogecoin cryptocurrency blockchain in order to attack these containerised environments. The attackers use a fairly ingenious method to prevent the botnet infrastructure from being taken down, which involves dynamically changing the command and control (C2) server's domain based on the transactions recorded on a Dogecoin wallet.

The C2 domain address, from which the payload is sent, changes based on the amount of Dogecoin in the wallet at any given time. When cryptocurrency is added to or removed from the wallet, the system encodes the transaction and derives a new, unique address from which the attackers can control the Doki malware.


Because of the secure and decentralised nature of the blockchain, this infrastructure can't be taken down by law enforcement, and new addresses can't be pre-empted by others, as only the attackers can make transactions from their Dogecoin wallet.

“Linux threats are becoming more common. A contributing factor to this is the increasing shift and reliance on cloud environments, which are mostly based on Linux infrastructure,” said researchers Nicole Fishbein and Michael Kajiloti. “Hence, attackers have been adapting accordingly with new tools and techniques designed specifically for this infrastructure.”

Historically, the Ngrok Botnet has been one of the most prevalent threats abusing misconfigured Docker API ports in this way to execute malware, they added. As part of the attack, the hackers would abuse Docker configuration features to elude container restrictions and execute various payloads from the host.

Such threats also deploy network scanners to identify the cloud providers’ IP ranges and locate additional potentially vulnerable targets. What makes it so dangerous is that it takes only a few hours from when a misconfigured Docker server comes online to when it becomes infected.


Meanwhile, because the cryptocurrency blockchain the hackers abuse is immutable and decentralised, Fishbein and Kajiloti added, the method is resistant to infrastructure takedowns as well as domain filtering attempts.

Hackers can create any container as part of the attack, and execute code on the host machine by exploiting a container escape method. The attack begins with the creation of a new container, which is achieved by posting a ‘create’ request to the exposed Docker API.

Each container is based on an alpine image with curl installed. The image isn’t malicious in and of itself; rather, it’s abused to carry out the attack with curl commands that run as soon as the container is up.


Hackers then abuse the Ngrok service, which provides secure tunnels between local servers and the public internet, to craft unique, short-lived URLs, which they pass to the curl-based image to download payloads during the attack.

“The Ngrok Botnet campaign has been ongoing for over two years and is rather effective, infecting any misconfigured Docker API server in a matter of hours,” added Nicole Fishbein and Michael Kajiloti. “The incorporation of the unique and undetected Doki malware indicates the operation is continuing to evolve.


“This attack is very dangerous due to the fact the attacker uses container escape techniques to gain full control of the victim’s infrastructure. Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign.”

The researchers have recommended that both companies and individuals who own cloud-based container servers immediately fix their configuration settings to prevent exposure to the threat. This process includes checking for any exposed ports, verifying there are no foreign or unknown containers among existing containers, and monitoring for excessive use of computing resources.
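The checks the researchers recommend (no Docker API port exposed to the internet, no unknown containers running) can be scripted. The following is an added example written for this article and is not code from Intezer or the Docker project. It assumes two inputs a defender can produce on the host: the daemon configuration file (`/etc/docker/daemon.json`) and the JSON-lines output of `docker ps --no-trunc --format '{{json .}}'`. The daemon configurations, the allowlisted registry prefix and the `docker ps` records below are constructed samples, and `PLACEHOLDER_URL` stands in for whatever the unexpected container was told to fetch.

```python
"""Audit a Docker host for an exposed API listener and unexpected containers.

Added example (not from the article or from Intezer/Docker). Inputs are
constructed samples standing in for /etc/docker/daemon.json and
`docker ps --no-trunc --format '{{json .}}'`.
"""
import json
import sys
from typing import Dict, List

# Constructed sample of a weak daemon.json: the API listens on all interfaces
# over plain TCP with no TLS client verification. This is the kind of exposure
# the campaign scans for.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample of a hardened daemon.json: the TCP listener is bound to
# loopback only and requires client certificates (tlsverify).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed `docker ps` JSON lines: one approved service container and one
# unexpected alpine container whose command invokes curl.
SAMPLE_DOCKER_PS = "\n".join([
    json.dumps({"ID": "a1b2c3", "Image": "registry.example/internal/web:1.4",
                "Command": "\"/usr/bin/web --port 8080\"", "Names": "web"}),
    json.dumps({"ID": "d4e5f6", "Image": "alpine",
                "Command": "\"sh -c 'curl -o /tmp/p PLACEHOLDER_URL'\"",
                "Names": "sharp_wilson"}),
])

# Hypothetical allowlist: images an operator expects to see on this host.
APPROVED_IMAGE_PREFIXES = ("registry.example/internal/",)

ALL_INTERFACES = ("", "0.0.0.0", "[::]", "::")


def daemon_findings(daemon_json: str) -> List[str]:
    """Return a list of findings for TCP API listeners in daemon.json."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not network-reachable
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify")
        if addr in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
    return findings


def suspicious_containers(docker_ps_json_lines: str) -> List[Dict]:
    """Flag running containers whose image is not allowlisted or whose
    command invokes curl, the pattern described for this campaign."""
    flagged = []
    for line in docker_ps_json_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        reasons = []
        if not c["Image"].startswith(APPROVED_IMAGE_PREFIXES):
            reasons.append("image not in allowlist")
        if "curl" in c.get("Command", ""):
            reasons.append("command invokes curl")
        if reasons:
            flagged.append({"id": c["ID"], "name": c["Names"],
                            "image": c["Image"], "reasons": reasons})
    return flagged


def main() -> None:
    # Usage: audit.py [daemon.json] [docker_ps.jsonl]; defaults to the samples.
    daemon = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_DAEMON_JSON
    ps = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_DOCKER_PS
    for finding in daemon_findings(daemon):
        print("DAEMON:", finding)
    for c in suspicious_containers(ps):
        print("CONTAINER:", c["name"], c["image"], "->", ", ".join(c["reasons"]))


if __name__ == "__main__":
    main()
```

Run against the samples, the weak configuration produces two daemon findings and the hardened one produces none; the alpine container is flagged on both counts while the allowlisted service is not. On a real host the same script is fed the actual daemon.json and `docker ps` output, and the allowlist is replaced with the images the operator actually deploys.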
