Security researchers at Intezer Labs detected a new Linux malware dubbed “Doki” and cyber attack that uses blockchain wallet for generating command and control (C2) domain names.
As used in previous campaigns such as Ngrok Botnet, the attackers use a popular technique to scan for misconfigured Docker API ports exposed on public-facing Docker servers.
Once exploited, the actors then install their own containers and run malware on the target victim’s cloud infrastructure.
According to Intezer, the cyber campaign has now added a different malware payload “Doki” and attack method:
“Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address. The malware has managed to stay under the radar for over six months despite samples being publicly available in VirusTotal.”
Attack method
As part of the attack, the hackers create new containers based on an alpine image with curl installed.
Since the same image is fully available on Docker hub, the image itself would not be detected as malicious. However, the actors abuse the image to take advantage of curl software and commands in order to carry out malicious activities.
Furthermore, the attackers use a container escape method to execute code from the hosting machine. They then abuse the bind parameter to configure files/directories on the host system to mount into a container.
In other words, every file on the host server’s filesystem could then be accessed or changed, from within the container.
Once the host has been compromised, the attacker can then take control of the cron utility on the host.
“The attacker modifies the host’s cron to execute the downloaded payload every minute. We observed two types of payloads, one is a network scanner script and the other is a downloader script,” Intezer explained.
Furthermore, the attackers also use scanner utilities (zmap, zgrap, and jq) to scan for additional victims and open ports associated with Redis, Docker, SSH and HTTP.
A script also gathers the information and uploads it to another Ngrok URL. To add, the downloader script then installs various malware binaries, such as the Doki malware.
Doki malware
According to Intezer, Doki is a backdoor for Linux and utilizes the DynDNS service and a unique Domain Generation Algorithm (DGA), based on the Dogecoin cryptocurrency blockchain. The malware author uses DGA to find the domain of its C2 in real time.
Furthermore, Doki has somehow has been able to stay undetected for over six months.
Intezer describes how Doki performs the following steps to generate a C2 domain using DGA:
- Query dogechain.info API (a Dogecoin cryptocurrency block explorer) for the value that was sent out (spent) from a hardcoded wallet address that is controlled by the attacker.
- Perform SHA256 on the value returned under “sent”.
- Save the first 12 characters from the hex-string representation of the SHA256 value, to be used as the subdomain.
- Construct the full address by appending the subdomain to ddns.net.
What is even more ominous, the attackers can control which address the malware can connect to by only transferring specific amounts of Dogecoin from their wallet. Thus, they can switch C2 domains as needed.
Mitigations
Organizations and users should immediately lock down their container configurations, such as checking for exposed ports, verifying only authorized containers are running and monitoring for excessive resource utilization.
Readers can also check out NIST Special Publication (SP 800-190) Application Container Security Guide for more in depth guidance on container security. Also, check out other related articles to Docker security below.