New Linux malware uses Dogecoin API to find C&C server addresses

Security researchers discover Doki, a new backdoor malware strain targeting Docker instances.
Written by Catalin Cimpanu, Contributor
Dogecoin logo

While Linux malware was once sitting on the fringes of the malware ecosystem, today, new Linux threats are being discovered on a weekly basis.

The latest finding comes from Intezer Labs. In a report shared with ZDNet this week, the company analyzed Doki, a new backdoor trojan they spotted part of the arsenal of an old threat actor known for targeting web servers for crypto-mining purposes.

The threat actor, known as Ngrok because of its initial penchant for using the Ngrok service for hosting control and command (C&C) servers, has been active since at least late 2018.

Intezer Labs researchers say that in recent attacks carried out by the Ngrok group this year, the hackers have targeted Docker installations where the management API has been left exposed online.

The hackers abused the Docker API to deploy new servers inside a company's cloud infrastructure. The servers, running a version of Alpine Linux, were then infected with crypto-mining malware, but also Doki.

Image: Intezer

How Doki uses Dogecoin API

Researchers said Doki's purpose was to allow hackers control over their newly-deployed Alpine Linux servers to make sure the crypto-mining operations were running as intended.

However, while its purpose and use might look banale, under the hood, Intezer says Doki is different from other similar backdoor trojans.

The most obvious detail was how Doki determined the URL of the C&C server it needed to connect for new instructions.

While some malware strains connect to raw IP addresses or hardcoded URLs included in their source code, Doki used a dynamic algorithm -- known as a DGA (domain generation algorithm) -- to determine the C&C address using the Dogecoin API.

The process, as reverse-engineered by Intezer researchers, is detailed below:

  1. Query dogechain.info API, a Dogecoin cryptocurrency block explorer, for the valuet hat was sent out (spent) from a hardcoded wallet address that is controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address}
  2. Perform SHA256 on the value returned under "sent"
  3. Save the first 12 characters from the hex-string representation of the SHA256 value,to be used as the subdomain.
  4. Construct the full address by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net

What all the steps above mean is that the Doki creators, the Ngrok gang, can change the server where Doki gets its commands by making one single transaction from within a Dogecoin wallet they control.

If DynDNS (ddns.net) receives an abuse report about the current Doki C&C URL and takes it down, the Ngrok gang only has to make a new transaction, determine the subdomain value, and set up a new DynDNS account and grab the subdomain.

This mechanism, clever as it is, is also an effective way of preventing law enforcement from taking down the Doki backend infrastructure, as they'd need to take control over the Ngrok gang's Dogecoin wallet, something that would be impossible without the wallet's cryptographic key.

Intezer says that based on samples submitted to the VirusTotal web scanner, Doki appears to have been around since January this year. However, Intezer also points out that despite being around for more than six months, the malware has remained undetected on most of today's VirusTotal Linux scanning engines.

Increase in attacks targeting Docker instances

Furthermore, while the Doki malware C&C mechanism is something clever and novel, the real threat here is the constant attacks on Docker servers.

Over the last several months, Docker servers have been increasingly targeted by malware operators, and especially by crypto-mining gangs.

Just over the last month, cyber-security firms have detailed several different crypto-mining campaigns that targeted misconfigured Docker APIs to deploy new Linux servers where they run crypto-mining malware to make a profit using the victim's infrastructure.

This includes reports from Palo Alto Networks, and two reports from Aqua [1, 2]. Furthermore, cyber-security firm Trend Micro also reported on a series of attacks where hackers targeted Docker servers to install DDoS malware, a rare case where hackers haven't opted for a crypto-mining payload.

All in all, the conclusion here is that companies running Docker as their virtualization software in the cloud need to make sure the management interface's API is not exposed to the internet -- a small misconfiguration that allows third-parties to control their Docker install.

In its report, Intezer specifically mentions this issue, warning that the Ngrok gang was so aggressive and persistent in their scanning and attacks that it usually deployed its malware within hours after a Docker server became exposed online.

Cryptocurrency cyberattacks and breaches of 2019 (in pictures)

Editorial standards