A fresh Linux backdoor called Doki is infesting Docker servers in the cloud, researchers warn, employing a brand-new technique: using a blockchain wallet to generate command-and-control (C2) domain names. Doki is meant to provide a persistent code-execution capability on an infected host, setting the scene for any number of malware-based attacks, from denial-of-service and sabotage to information exfiltration to ransomware, according to Intezer.

The campaign starts with an increasingly common attack vector: the compromise of misconfigured Docker API ports. Attackers scan for publicly accessible, open Docker servers in an automated fashion, then exploit them to set up their own containers and execute malware on the victim's infrastructure. Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware, but Doki represents an evolution in payload.

The Doki attackers are using an existing Ngrok-based botnet to spread the backdoor, via a network scanner that targets hardcoded ranges of IP addresses belonging to cloud providers, such as Amazon Web Services and local cloud providers in Austria, China and the United Kingdom. Ngrok is a legitimate reverse-proxy service that cybercriminals have been using for C2 communications with infected bot endpoints. The scanner looks for potentially vulnerable targets, gathers relevant information and uploads it to an Ngrok URL controlled by the attackers. The…
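
The misconfiguration that opens this attack vector is a Docker daemon whose API is reachable over plain TCP with no client authentication: whoever can reach the port can create a container and run code as root on the host. As an added example, not code from Intezer, Threatpost or the Docker project, the following Python script audits a `dockerd` configuration for exactly that setting. It assumes Docker's documented conventions rather than anything stated above: listeners come from `-H`/`--host` flags or the `hosts` key of `daemon.json`, plain-TCP listeners conventionally use port 2375 and TLS ones 2376, and `--tlsverify` (or `"tlsverify": true`) is what makes a TCP listener demand a client certificate. The weak and hardened sample configurations are constructed for illustration.

```python
"""Audit a dockerd configuration for an API socket exposed over plain TCP.

Added example; not Intezer's, Threatpost's or Docker's own code. Assumes the
standard dockerd conventions (-H/--host flags, daemon.json "hosts" and
"tlsverify", 2375 plain / 2376 TLS). Sample configs below are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples: the weak setting beside the hardened one.
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED_CMDLINE = (
    "dockerd -H unix:///var/run/docker.sock -H tcp://10.0.0.5:2376 "
    "--tlsverify --tlscacert=/etc/docker/ca.pem "
    "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"
)
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def parse_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line (e.g. from ps)."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and a != "-H":       # -Htcp://... form
            hosts.append(a[2:])
        elif a == "--tlsverify":
            tlsverify = True
        elif a.startswith("--tlsverify="):
            tlsverify = a.split("=", 1)[1].lower() == "true"
        i += 1
    return hosts, tlsverify


def parse_daemon_json(text):
    """Return (hosts, tlsverify) from the contents of daemon.json."""
    cfg = json.loads(text)
    return cfg.get("hosts", []), bool(cfg.get("tlsverify", False))


def audit(hosts, tlsverify):
    """Classify each listener as ok / warning / critical with a reason."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme in ("unix", "fd", "npipe", ""):
            findings.append((h, "ok", "local socket; access governed by file permissions"))
            continue
        if u.scheme != "tcp":
            findings.append((h, "warning", "unrecognised listener scheme"))
            continue
        bind_all = u.hostname in (None, "", "0.0.0.0", "::")
        if not tlsverify:
            findings.append((h, "critical",
                             "plain-TCP API without client-certificate verification: "
                             "anyone who can reach the port can start containers as root"))
        elif bind_all:
            findings.append((h, "warning",
                             "client certs enforced but bound to all interfaces; "
                             "restrict reachability at the network layer too"))
        else:
            findings.append((h, "ok", "client certs enforced on a specific address"))
    return findings


def worst_severity(findings):
    """Highest severity present, for a one-line verdict."""
    order = {"ok": 0, "warning": 1, "critical": 2}
    return max((f[1] for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for label, (hosts, tls) in (("weak cmdline", parse_cmdline(WEAK_CMDLINE)),
                                ("hardened cmdline", parse_cmdline(HARDENED_CMDLINE)),
                                ("weak daemon.json", parse_daemon_json(WEAK_DAEMON_JSON)),
                                ("hardened daemon.json", parse_daemon_json(HARDENED_DAEMON_JSON))):
        findings = audit(hosts, tls)
        print(f"{label}: {worst_severity(findings)}")
        for listener, sev, why in findings:
            print(f"  [{sev}] {listener}: {why}")
```

On a live host, feed `parse_cmdline` the `dockerd` line from `ps` and `parse_daemon_json` the contents of `/etc/docker/daemon.json`; note that dockerd itself refuses to start when `hosts` is set in both places, so in practice only one of them will carry listeners. A "critical" finding is the condition the scanners described above are hunting for; the fix is to drop the TCP listener entirely, or bind it to a private address with `--tlsverify` and a CA-issued client certificate, and to block the port at the cloud security group regardless.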