The Doki Malware
Recently, security researchers at Intezer Labs have detected a new form of backdoor malware known as Doki malware. The hackers behind this threat are known as the Ngrok group and their Doki backdoor virus is reported to attack badly-configured and insecure Docker installations that have publicly available APIs.
One of the possible ways the attack could occur is when the Docker API is exploited to add new Alpine Linux servers to the cloud infrastructure of the targeted user. Afterwards, those new servers get infected with the Doki malware and maybe with a cryptocurrency-mining malware too.
The Doki malware samples uploaded to VirusTotal suggest that the threat has been around for over six months. Despite that, at the time of writing, this malware still goes undetected by most antivirus solutions and scanners. According to VirusTotal, only six antivirus engines are currently capable of spotting and intercepting the Doki malware.
How this malware works
Unlike other similar backdoors that rely on hard-coded IP addresses or URLs, Doki uses a DGA (Domain Generation Algorithm) together with the API of the cryptocurrency known as Dogecoin in order to determine its C&C server's address.
Here is a quick overview of how the attack takes place:
First, the malware queries the dogechain.info API for the amount sent from a wallet address. The request has the form https://dogechain.info/api/v1/address/sent/enjaddress.
The returned value is hashed with SHA256, and the subdomain name is the first twelve characters of the resulting hexadecimal digest.
The command and control server's address is then formed by appending ddns.net to that subdomain.
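The derivation described above, written out as an added example that is not code from the article or from Intezer: it reproduces the hash-and-truncate step so that a defender can pre-compute the candidate C2 domains for a watched wallet and match them against DNS logs from container hosts. The exact encoding of the returned value before hashing, the JSON field name "sent" and the sample response are assumptions of this example, not details the article states.

```python
import hashlib
import json
from typing import Iterable, List

# Top-level dynamic-DNS zone named in the article; the subdomain label is
# computed from the wallet's "sent" value.
DDNS_SUFFIX = "ddns.net"


def doki_subdomain(sent_value: str) -> str:
    """SHA256 over the returned value, keeping the first twelve hex characters.

    Assumption (not stated on the page): the value is hashed as the UTF-8 text
    exactly as the API returns it.
    """
    digest = hashlib.sha256(sent_value.encode("utf-8")).hexdigest()
    return digest[:12]


def doki_c2_domain(sent_value: str) -> str:
    """Append the DDNS zone to the generated subdomain label."""
    return f"{doki_subdomain(sent_value)}.{DDNS_SUFFIX}"


def sent_value_from_response(body: str) -> str:
    """Extract the sent amount from a dogechain.info-style JSON body.

    The field names "sent" and "success" are assumptions for this example.
    """
    data = json.loads(body)
    if data.get("success") != 1 or "sent" not in data:
        raise ValueError("unexpected API response")
    return str(data["sent"])


def candidate_c2_domains(sent_values: Iterable[str]) -> List[str]:
    """Enumerate the domains the malware would resolve for a series of wallet
    values (for example the running total after each transaction), so they
    can be added to a blocklist ahead of time."""
    return [doki_c2_domain(v) for v in sent_values]


def matches_doki_pattern(hostname: str, sent_values: Iterable[str]) -> bool:
    """True if a hostname seen in DNS logs equals one of the candidate C2
    domains; case-insensitive because DNS names are."""
    return hostname.lower() in set(candidate_c2_domains(sent_values))


# Constructed sample API response (not real wallet data).
SAMPLE_RESPONSE = '{"sent": "12.5", "success": 1}'

if __name__ == "__main__":
    value = sent_value_from_response(SAMPLE_RESPONSE)
    print("sent value:", value)
    print("C2 domain :", doki_c2_domain(value))
    # Every new transaction changes the running total, so each yields a new domain.
    for v in ["12.5", "13.0", "14.25"]:
        print(v, "->", doki_c2_domain(v))
```

Because the operator only ever needs one more transaction to move the C2, a blocklist built from a single value is stale almost immediately; the useful detection signal is the pattern itself (twelve lowercase hex characters as a label directly under ddns.net, resolved from a Docker host), which candidate_c2_domains lets you test against.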
All of this allows the hackers to change their C&C server address simply by executing a Dogecoin wallet transaction. If DynDNS receives an abuse complaint about the current URL, the Ngrok members can easily carry out a new transaction, obtain the new subdomain value, register a new account, and then use the corresponding subdomain.
The main reason this scheme is so effective and difficult to disrupt is that, in order to seize Doki's backend infrastructure, law enforcement would have to gain control over the hackers' Dogecoin wallet, which is next to impossible without the corresponding private key.
According to Intezer, it usually takes no more than a couple of hours from the appearance of a new poorly configured Docker server to its infection by the Doki malware. Once the attack is complete, the container escape techniques used by the malware allow the hackers behind it to acquire unlimited control over the infrastructure of the victim.
Inside VirusTotal’s report on the Doki malware, users can find a list of Indicators of Compromise and another one with defensive practices, both of which can help secure potentially vulnerable Docker servers and prevent attacks from the Doki malware.
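The entry point the article describes is a Docker daemon whose API is reachable from the internet. The following added example, which is not code from the article, Intezer or the Docker project, audits a daemon.json for that condition: a tcp:// listener without tlsverify, a listener bound to all interfaces, or TLS enabled without the certificate files. The option names hosts, tlsverify, tlscacert, tlscert and tlskey are real dockerd settings; the review rules, the two sample configurations and the interface list are this example's own.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Bind addresses that expose the listener on every interface (example's own list).
ALL_INTERFACES = {"0.0.0.0", "::", "", None}
TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_daemon_config(config_text: str) -> List[str]:
    """Return a list of findings for the given daemon.json text.

    An empty list means no tcp:// listener is reachable without mutual TLS.
    """
    cfg: Dict = json.loads(config_text)
    findings: List[str] = []
    tls_verify = bool(cfg.get("tlsverify", False))

    for host in cfg.get("hosts", []):
        parsed = urlparse(host)
        if parsed.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if not tls_verify:
            findings.append(
                f"{host}: tcp listener without tlsverify, API is reachable unauthenticated"
            )
        if parsed.hostname in ALL_INTERFACES:
            findings.append(f"{host}: tcp listener bound to all interfaces")

    if tls_verify:
        for key in TLS_FILE_KEYS:
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


# Constructed sample: the exposed configuration the article warns about.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: same daemon restricted to one interface with mutual TLS.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_docker_daemon_config(cfg)
        print(f"{label}: {'no findings' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it against /etc/docker/daemon.json on each host; anything other than an empty list for a host reachable from outside the management network is the precondition the article describes.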