Intezer announced that the company has detected a recent attack involving a Linux malware sample that was completely undetected. According to the announcement, users with a publicly exposed Docker API are at high risk of compromise. The new malware, dubbed “Doki”, has not been detected by any of the 60 malware detection engines in VirusTotal. It contacts its operator by abusing the Dogecoin cryptocurrency blockchain to dynamically generate its C2 domain address. The attackers exploit publicly accessible Docker API ports to set up their own containers and execute the malware on the victims’ infrastructure.
Undetected for over six months
Doki utilizes the DynDNS service and a unique Domain Generation Algorithm based on the Dogecoin cryptocurrency blockchain in order to find the domain of its C2. Doki is multi-threaded and uses the embedTLS library for cryptographic functions and network communication. Doki creates a separate thread in order to handle all C2 communications. It generates a C2 domain using its unique DGA. The malware performs the following steps:
- Query the dogechain.info API, a Dogecoin cryptocurrency block explorer, for the value that was sent out (spent) from a hardcoded wallet address controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address}
- Perform SHA256 on the value returned under “sent”
- Save the first 12 characters from the hex-string representation of the SHA256 value, to be used as the subdomain.
- Construct the full address by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net
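The DGA steps above are deterministic, so a defender who knows the "sent" value can derive the domain Doki will resolve and hunt for it in DNS logs. The following is an added example written for this page, not code from Intezer or from the malware: the wallet address is a placeholder (the page does not give it), the "sent" value and the DNS log lines are constructed, and it assumes the decimal string of the amount is what gets hashed.

```python
import hashlib
import re

# Placeholder: the attacker-controlled wallet address is not given on this page.
ATTACKER_WALLET = "<attacker-dogecoin-address-placeholder>"
# Constructed sample of what the block explorer's "sent" field might return.
SAMPLE_SENT_VALUE = "123456789"

# Constructed DNS resolver log lines (dnsmasq-style) for the demonstration.
SAMPLE_DNS_LOG = [
    "Jul 28 10:00:01 host dnsmasq[123]: query[A] 15e2b0d3c338.ddns.net from 10.0.0.5",
    "Jul 28 10:00:02 host dnsmasq[123]: query[A] 6d77335c4f23.ddns.net from 10.0.0.5",
    "Jul 28 10:00:03 host dnsmasq[123]: query[A] updates.example.com from 10.0.0.7",
]


def doki_domain(sent_value: str) -> str:
    """Reproduce the DGA: SHA256 of the 'sent' value, first 12 hex chars, + ddns.net.

    Assumption: the value is hashed as its decimal string representation.
    The dogechain.info lookup itself is not performed here (offline example).
    """
    digest = hashlib.sha256(sent_value.encode("ascii")).hexdigest()
    return digest[:12] + ".ddns.net"


# Shape of every domain this DGA can produce: 12 lowercase hex chars under ddns.net.
DOKI_SHAPE = re.compile(r"\b[0-9a-f]{12}\.ddns\.net\b")


def flag_doki_queries(dns_log_lines, expected_domain):
    """Return (line, reason) pairs for queries worth investigating.

    An exact match against the derived domain is high confidence; a query that
    merely has the DGA shape is a weaker signal, since legitimate ddns.net
    subdomains can also happen to be 12 hex characters.
    """
    hits = []
    for line in dns_log_lines:
        for match in DOKI_SHAPE.finditer(line):
            if match.group(0) == expected_domain:
                hits.append((line, "exact DGA match"))
            else:
                hits.append((line, "DGA-shaped ddns.net query"))
    return hits


if __name__ == "__main__":
    expected = doki_domain(SAMPLE_SENT_VALUE)
    for line, reason in flag_doki_queries(SAMPLE_DNS_LOG, expected):
        print(reason, "->", line)
```

Re-deriving the domain on a schedule and pushing it to a DNS blocklist or SIEM watchlist turns the published DGA into a detection, while the shape-based match catches hosts that resolve sibling domains from other "sent" values.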
Intezer also urges companies and individuals who own container servers in the cloud to fix their configuration immediately to prevent exposure. This includes checking for any exposed ports, verifying that there are no foreign or unknown containers among the existing containers, and monitoring for excessive use of resources.