'Doki' malware attacks Docker servers using Dogecoin

A graphic of the Doge cryptocurrency

Malware that has remained undetected for six months is exploiting misconfigured Docker API ports to launch malicious payloads, while abusing the Dogecoin cryptocurrency blockchain in the process.

The malware, known as ‘Doki’, is targeting misconfigured containerised environments hosted on Azure, AWS, and a number of other major cloud platforms, according to Intezer researchers, with attackers able to find publicly accessible Docker API ports and exploit them to establish their own containers.

Doki is then able to instal malware on targeted infrastructure based on code received from its operators, spawning and deleting containers during the process.

Doki serves as an undetectable Linux backdoor, and represents an evolution of the two-year-old Ngrok Botnet campaign. Alarmingly, it has also managed to evade every one of the 60 malware platforms listed on VirusTotal since it was first analysed in January 2020.

This particular strain is unusual in the sense that it abuses the Dogecoin cryptocurrency blockchain in order to attack these containerised environments. The attackers use a fairly ingenious method to prevent the botnet infrastructure from being taken down, which involves dynamically changing the command and control (C2) server's domain based on the transactions recorded on a Dogecoin wallet.

The C2 domain address, from which the payload is sent, changes based on the amount of Dogecoin in the wallet at any given time. When a cryptocurrency is added or removed from the wallet, the system encodes the transaction and creates a new unique address from which they can control the Doki malware.

Because of the secure and decentralised nature of Blockchain, this infrastructure can't be taken down by law enforcement, and new addresses can't be pre-empted by others as only the attackers can make transactions on their Dogecoin wallet.

“Linux threats are becoming more common. A contributing factor to this is the increasing shift and reliance on cloud environments, which are mostly based on Linux infrastructure,” said researchers Nicole Fishbein and Michael Kajiloti. “Hence, attackers have been adapting accordingly with new tools and techniques designed specifically for this infrastructure.”

Historically, the Ngrok Botnet has been one of the most prevalent threats abusing misconfigured Docker API ports in such a way to execute malware, they added. As part of the attack, the hackers would abuse Docker configuration features to elude container restrictions and execute various payloads from the host.

Such threats also deploy network scanners to identify the cloud providers’ IP ranges for additional potentially vulnerable targets. What makes it so dangerous is that it only takes a few hours from when a misconfigured Docker server is online to become infected.

Meanwhile, because the cryptocurrency blockchain the hackers abuse is immutable and decentralised, Fishbein and Kajiloti added, the method is resistant to infrastructure takedowns as well as domain filtering attempts.

Hackers can create any container as part of the attack, and execute code from the host machine by exploiting a container escape method. This is based on creating a new container, which is achieved by posting a ‘create’ API request.

Each container is based on an alpine image with curl installed, which isn’t malicious in and of itself, rather it’s abused to execute the attack with curl commands, activated as soon as the container’s up and running.


IT Pro 20/20: A quantum leap for security

The sixth issue of IT Pro 20/20 looks at the state of cyber security in 2020 and beyond


Hackers then abuse the Ngrok service, which provides secure tunnels connecting between local servers and the public internet, to craft unique URLs with a short lifetime, using them to download payloads during the attack by passing them to the curl-based image.

“The Ngrok Botnet campaign has been ongoing for over two years and is rather effective, infecting any misconfigured Docker API server in a matter of hours,” added Nicole Fishbein and Michael Kajiloti. “The incorporation of the unique and undetected Doki malware indicates the operation is continuing to evolve.

“This attack is very dangerous due to the fact the attacker uses container escape techniques to gain full control of the victim’s infrastructure. Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign.”

The researchers have recommended that both companies and individuals who own cloud-based container servers must immediately fix their configuration settings to prevent exposure to the threat. This process includes checking for any exposed ports, verifying there are no foreign or unknown containers among existing containers, and monitoring excessive use of computing resources.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.