Botnet abuses Docker servers & crypto blockchain to deliver Doki backdoor

As user organizations move more of their business infrastructure off premises, cybercriminals become increasingly motivated to target Linux-based cloud environments, including Docker servers with misconfigured API ports.

And while cryptojacking schemes comprise some of the more conventional varieties of these Linux-based malware attacks, researchers have just disclosed the discovery of a Docker container attack that distributes a “fully undetectable” malicious backdoor that abuses the Dogecoin cryptocurrency blockchain for dynamic C2 domain generation.

Dubbed Doki, the backdoor is designed to execute malicious code sent by adversaries, and has secretly been in existence for more than six months already, according to researchers from Intezer, who described their findings in a blog post today.

Doki establishes C2 communication by querying the “dogechain.info API, a cryptocurrency block explorer for Dogecoin, for the value that was sent out (spent) from a hardcoded wallet address that is controlled by the attacker.” That value is then hashed and converted to a subdomain that is appended to ddns.net in order to create a random C2 address.

“Using this technique, the attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet. Since only the attacker has control over the wallet, only he can control when and how much dogecoin to transfer, and thus switch the domain accordingly,” Intezer explains, noting that the blockchain technique also helps prevent law enforcement takedowns and thwarts domain filtering.
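As an added example (not code from Intezer's report or from the Doki sample), the following Python detector applies the C2 pattern just described to constructed DNS query logs: it flags hosts that query the dogechain.info block explorer and hosts that resolve hash-like subdomains under ddns.net, and rates a host that does both as high. The log line format, the assumption that the hashed value appears as a hexadecimal label, and the 12-character length threshold are assumptions, not details from the report.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (timestamp, source host, queried name); not real telemetry.
SAMPLE_DNS_LOG = """\
2020-07-28T10:01:02Z docker-host-1 dogechain.info
2020-07-28T10:01:03Z docker-host-1 7a3c9e2b1f0d4c8e9b6a5d3f2e1c0b9a.ddns.net
2020-07-28T10:05:11Z web-01 www.example.com
2020-07-28T10:06:30Z web-01 myhome-cam.ddns.net
2020-07-28T10:07:00Z docker-host-2 dogechain.info
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)$")
# Assumption: a label of 12+ hex characters looks like a hash digest, not a human-chosen name.
HASHLIKE_LABEL = re.compile(r"^[0-9a-f]{12,}$")
BLOCK_EXPLORERS = {"dogechain.info"}   # named in the report; extend with other explorers
DYNDNS_SUFFIXES = (".ddns.net",)       # named in the report; extend with other providers


def classify_query(qname):
    """Return an indicator tag for one queried name, or None if it looks benign."""
    name = qname.lower().rstrip(".")
    if name in BLOCK_EXPLORERS or any(name.endswith("." + d) for d in BLOCK_EXPLORERS):
        return "block_explorer_lookup"
    for suffix in DYNDNS_SUFFIXES:
        if name.endswith(suffix):
            first_label = name[: -len(suffix)].split(".")[0]
            if HASHLIKE_LABEL.match(first_label):
                return "hashlike_dyndns_subdomain"
    return None


def analyse_dns_log(log_text):
    """Group indicators per source host; a host showing both explorer lookups and
    hash-like dynamic-DNS names matches the Doki C2 pattern and is rated 'high'."""
    tags_by_host = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag = classify_query(m.group("qname"))
        if tag:
            tags_by_host[m.group("host")].add(tag)
    verdicts = {}
    for host, tags in tags_by_host.items():
        both = {"block_explorer_lookup", "hashlike_dyndns_subdomain"} <= tags
        verdicts[host] = {"indicators": sorted(tags), "severity": "high" if both else "low"}
    return verdicts
```

Running `analyse_dns_log(SAMPLE_DNS_LOG)` on the constructed log rates docker-host-1 high, docker-host-2 low, and leaves web-01 (whose ddns.net name is human-readable) unflagged.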

The report says the campaign is the work of the actors behind the Ngrok botnet, who are more typically known to infect victims with cryptominers.

“Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign,” the report continues.

The botnet attackers exploit their victims by scanning for misconfigured, openly accessible Docker API ports, and then establish their own malware-serving containers on the host. The malicious containers are based on abused images that are available through Docker hub.

“The advantage of using a publicly available image is the attacker doesn’t need to hide it on Docker hub or other hosting solutions. Instead, the attackers can use an existing image and run their own logic and malware on top of it,” the report explains.

The scheme also abuses Ngrok — a service that exposes private local servers to the public internet through encrypted tunnels — “to craft unique URLs with a short lifetime,” and then uses those URLs to download payloads such as Doki “by passing them to the curl based image,” Intezer explains.

Earlier this month, researchers from Aqua Security reported that attackers have been performing a new container attack technique in the wild, whereby they build their own malicious images on a targeted host instead of pulling preexisting ones from a public registry. This maneuver allows the adversaries to avoid static detection by scanners that are programmed to look for suspicious images.