New Linux malware Doki targeting Docker machines using exposed API


Researchers from Intezer Labs have found a previously undetected Linux malware residing on Docker-based machines. It is deployed through publicly exposed Docker APIs, abuses Ngrok to deliver its payloads, and uses a previously undocumented technique to reach its operator.

Dubbed ‘Doki’, the multi-threaded malware leverages “an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address”, and has gone undetected even though its samples are publicly available on VirusTotal.

According to Intezer, the key findings are:

  • Ngrok Mining Botnet is an active campaign targeting exposed Docker servers in AWS, Azure, and other cloud platforms. It has been active for at least two years.

  • They have detected a recent attack which includes a completely undetected Linux malware and a previously undocumented technique, using a blockchain wallet for generating C&C domain names.

  • Anyone with publicly open Docker API access is at high risk of being hacked within the span of just a few hours.

  • This is probably due to the hackers’ automated and continuous internet-wide scanning for vulnerable victims.

  • The new malware, dubbed “Doki”, hasn’t been detected by any of the 60 malware detection engines in VirusTotal since it was first analyzed on January 14, 2020.

  • The attacker is using the infected victims to search for additional vulnerable cloud servers.

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and deploy it as one package. ngrok is a cross-platform application that enables developers to expose a local development server to the Internet with minimal effort.

According to the researchers, the attackers scan for publicly exposed APIs of misconfigured Docker hosts and exploit those machines to install their own container, using a stock Alpine image from Docker Hub to carry out their malicious activities.

“The advantage of using a publicly available image is the attacker doesn’t need to hide it on Docker hub or other hosting solutions. Instead, the attackers can use an existing image and run their own logic and malware on top of it.”

After creating the container on the victim’s machine, the attacker binds the host’s root directory to the /tmpXXXXXX directory inside the container. As a result every file on the server’s filesystem can be accessed, and even modified subject to the usual user permissions, from within the container. The attacker abuses Ngrok to craft unique, short-lived URLs and passes them to the curl-based image to download payloads during the attack. The downloaded payload is saved in the /tmpXXXXXX directory in the container.
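The two conditions described above (a Docker API reachable over plain TCP, and a container that bind-mounts the host’s root directory) are both visible in ordinary Docker metadata. The following audit script is an added example, not code from the article or from Intezer: it parses `docker inspect` output for bind mounts whose source is `/`, and checks a `daemon.json` for `tcp://` listeners configured without TLS. The container names, image tags and identifiers in the sample data are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect` output (not real data from the article).
# The second container mirrors the technique described: an Alpine image with host "/" bound
# to a /tmpXXXXXX directory inside the container.
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Id": "constructed-id-1",
        "Name": "/web-frontend",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/www",
             "Destination": "/usr/share/nginx/html", "RW": False}
        ],
    },
    {
        "Id": "constructed-id-2",
        "Name": "/sad_goldberg",  # hypothetical auto-generated container name
        "Config": {"Image": "alpine:latest"},
        "HostConfig": {"Binds": ["/:/tmpXXXXXX"]},
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/tmpXXXXXX", "RW": True}
        ],
    },
])

# Constructed daemon.json fragments: the first exposes the API on all interfaces without TLS.
SAMPLE_DAEMON_JSON_WEAK = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
SAMPLE_DAEMON_JSON_TLS = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def host_root_mounts(inspect_output: str):
    """Return (container, image, destination, rw) for every bind mount of the host's '/'.

    A container that can read and write the whole host filesystem is effectively a
    root shell on the host, so any such mount deserves immediate investigation.
    """
    findings = []
    for container in json.loads(inspect_output):
        name = container.get("Name", "").lstrip("/")
        image = container.get("Config", {}).get("Image", "")
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") == "/":
                findings.append((name, image, mount.get("Destination"), mount.get("RW", True)))
    return findings


def api_exposed_without_tls(daemon_json: str):
    """Return the tcp:// listeners from daemon.json that are not protected by TLS.

    `tlsverify` (client certificate verification) is the setting that actually
    authenticates callers; a bare `tls: true` only encrypts the channel.
    """
    config = json.loads(daemon_json)
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if config.get("tlsverify"):
        return []
    return tcp_hosts


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit.py
    # Without piped input the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT_JSON
    for name, image, dest, rw in host_root_mounts(data):
        print(f"[!] container {name} ({image}) binds host / to {dest} rw={rw}")
    for host in api_exposed_without_tls(SAMPLE_DAEMON_JSON_WEAK):
        print(f"[!] Docker API listening on {host} without tlsverify")
```

The `docker inspect` keys used here (`Name`, `Config.Image`, `Mounts[].Type/Source/Destination/RW`) and the `daemon.json` keys (`hosts`, `tlsverify`) are the standard ones; the thresholds are simply “source is `/`” and “tcp listener without client-certificate verification”, which are the exact conditions the article describes the attackers relying on.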

Image: Intezer

The malware starts by generating a C2 domain using its unique DGA. In order to construct the C2 address the malware performs the following steps:

  • Query dogechain.info API, a Dogecoin cryptocurrency block explorer, for the value that was sent out (spent) from a hardcoded wallet address that is controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address

  • Perform SHA256 on the value returned under “sent”

  • Save the first 12 characters from the hex-string representation of the SHA256 value, to be used as the subdomain.

  • Construct the full address by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net
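Because the algorithm above is deterministic, a defender who knows the “sent” values the wallet has carried can compute every domain the malware would have generated and match them against DNS logs. The script below is an added example written for that purpose; it is not Intezer’s code or the malware’s. It assumes the “sent” value is hashed as its decimal string representation (the article does not specify the encoding), omits the attacker’s wallet address since it is not given here, and uses constructed DNS log lines.

```python
import hashlib
import re

# Suffix the article reports the malware appends to the 12-character subdomain.
C2_SUFFIX = "ddns.net"

# Shape of the generated names: exactly 12 lowercase hex characters + .ddns.net
DOKI_DOMAIN_RE = re.compile(r"\b([0-9a-f]{12})\.ddns\.net\b")

# Constructed DNS query log lines in dnsmasq style (not real logs from the article).
SAMPLE_DNS_LOG = [
    "Jul 28 10:02:11 docker-host dnsmasq[812]: query[A] ba7816bf8f01.ddns.net from 172.17.0.3",
    "Jul 28 10:02:12 docker-host dnsmasq[812]: query[A] registry-1.docker.io from 172.17.0.2",
    "Jul 28 10:03:40 docker-host dnsmasq[812]: query[A] 0123456789ab.ddns.net from 172.17.0.3",
]


def subdomain_from_sent(sent_value: str) -> str:
    """Steps 2 and 3 of the DGA: SHA256 the 'sent' value, keep the first 12 hex chars.

    Assumption: the value is hashed as its decimal string (e.g. "123456789"),
    the article does not say which encoding the malware feeds to SHA256.
    """
    digest = hashlib.sha256(sent_value.encode("ascii")).hexdigest()
    return digest[:12]


def c2_domain(sent_value: str) -> str:
    """Step 4: append the subdomain to ddns.net."""
    return f"{subdomain_from_sent(sent_value)}.{C2_SUFFIX}"


def expected_domains(sent_history) -> set:
    """All C2 domains produced by the 'sent' values the wallet has carried over time.

    The operator rotates the domain by spending from the wallet, so each historical
    'sent' total (the wallet address would be fed to the dogechain.info API) yields
    one domain that may appear in traffic from infected hosts.
    """
    return {c2_domain(str(v)) for v in sent_history}


def find_dga_lookups(log_lines, known_domains=frozenset()):
    """Scan DNS log lines for 12-hex-char.ddns.net queries.

    Returns (line, domain, confirmed) tuples. confirmed is True when the domain equals
    one computed from wallet data, False when it merely fits the pattern and needs triage
    (the pattern alone will also match unrelated dynamic-DNS names).
    """
    hits = []
    for line in log_lines:
        for match in DOKI_DOMAIN_RE.finditer(line):
            domain = match.group(0)
            hits.append((line, domain, domain in known_domains))
    return hits


if __name__ == "__main__":
    # "abc" stands in for a real 'sent' value; the wallet address is not in the article.
    known = expected_domains(["abc"])
    for line, domain, confirmed in find_dga_lookups(SAMPLE_DNS_LOG, known):
        tag = "CONFIRMED" if confirmed else "pattern-only"
        print(f"[{tag}] {domain}  <-  {line}")
```

In a real deployment the `sent_history` list would be filled from the block explorer query the article names, and the confirmed matches are the ones worth alerting on; pattern-only hits are a starting point for triage, not evidence on their own.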

Intezer recommends checking the configuration of your Docker machines. Intezer also provides a YARA rule that can be run on the syslog file of your Docker server to check whether you have been infected by this campaign.
