Due to frequent cyber-attacks, organizations move their IT infrastructure to the cloud.

In response, hackers are now targeting Linux cloud environments like Docker through misconfigured ports. 

Security researchers have discovered a Docker container distributing malicious backdoors. It can potentially abuse the cryptocurrency Dogecoin, as crypto-frauds involve some typical varieties of Linux-based attacks.

This backdoor malware is dubbed Doki, existing secretly for 6 months, say Intezer’s researchers. Doki makes C2 communications after it queries the dodgechain.info API, which is the block explorer used for Dogecoin. 

After querying for the spent value from the hardcoded and controlled wallet address of the attacker. Now, to create the arbitrary C2 address, the value is hashed and then converted into a subdomain. 

The relation with Ngrok botnet

Crypto and Docker Receive Botnet Abuses for Doki Backdoor Docker news Security

Intezer explains that attackers use this technique to transfer some Dodgecoins from their wallets and controls the destination of the malware to execute further damage. The report also cites that the attackers behind this campaign are the same ones behind the botnet, Ngrok that infects crypto miners. 

Furthermore, they also explained that the time taken to infect misconfigured Docker servers is only a matter of a few hours. Cybercriminals exploit openly accessible and misconfigured Docker ports to establish their malicious containers with available images via Docker hub

The idea behind using such images available publicly is that the attackers would not need to conceal it on hosting solutions or Docker hub. They can use existing images to execute their codes and malicious intent.     

Read the original post here.