Doki Backdoor Infiltrates Docker Servers in the Cloud

docker doki backdoor malware

The malware is a new payload that uses Dogecoin wallets for its C2, and spreads via the Ngrok botnet.

A fresh Linux backdoor called Doki is infesting Docker servers in the cloud, researchers warn, employing a brand-new technique: Using a blockchain wallet for generating command-and-control (C2) domain names.

Doki however is meant to provide a persistent capability for code-execution on an infected host, setting the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware, according to Intezer.

The campaign starts with an increasingly common attack vector: The compromise of misconfigured Docker API ports. Attackers scan for publicly accessible, open Docker servers in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim’s infrastructure. Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware — but Doki represents an evolution in payload.

The Doki attackers are using an existing Ngrok-based botnet to spread the backdoor, via a network scanner that targets hardcoded ranges of IP addresses for cloud providers, such as Amazon Web Services and local cloud providers in Austria, China and the United Kingdom. Ngrok is a legitimate reverse proxy service that cybercriminals have been using for C2 communications with infected bot endpoints. The scanner looks for potentially vulnerable targets, gathers relevant information and uploads it to a Ngrok URL controlled by the attackers. The attackers then compromise the new targets.

“Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign,” according to researchers at Intezer, writing in an analysis this week. “The attackers are spawning and deleting a number of containers during this attack.”

The Infection Routine

After identifying a vulnerable server and gaining entry to a server via the open API, the attackers are setting up publicly available, curl-based images within the Docker Hub. These images aren’t malicious themselves, but they can be leveraged for malicious purposes, such as setting up a container and then escaping from it to gain broader access to the host. Intezer researchers noted that attackers could also compromise an existing image and “run their own logic and malware on top of it.”

Following from this, the next step in the attack is to create a container using a “create” API request.

“The body of the request contains configuration parameters for the container,” according to researchers. “One of the parameters is ‘bind,’ which lets the user configure which file or directory on the host machine to mount into a container.”

In this case, the container is configured to bind the /tmpXXXXXX directory to the root directory of the hosting server. This allows a container escape – i.e., the ability to break free of the boundaries of the attacker-created container in order to interact with other containers, and view and modify configurations.  Essentially this means that every file on the server’s filesystem can be accessed and modified, with the correct user permissions, from within the attacker-created container.

“This attack is very dangerous due to the fact the attacker uses container escape techniques to gain full control of the victim’s infrastructure,” according to Intezer.

After that, “the attacker abuses Ngrok to craft unique URLs with a short lifetime and uses them to download payloads during the attack by passing them to the curl-based image,” the analysis explained. “The downloaded payload is saved in /tmpXXXXXX directory in the container.”

One of the first of these payloads is a downloader script, responsible for downloading and installing various second-stage malware binaries. Intezer recently noticed the new Doki payload being fetched as one of the second-stage samples.

The Doki Payload

Doki is a backdoor for Linux which executes any code received from its operators. It sports a unique feature: A previously undocumented method to find and contact its C2 domain dynamically in real time, by abusing the Dogecoin cryptocurrency blockchain.

It spins off a separate process to establish its own C2 communications, apart from that of the botnet. As Intezer explained, in order to generate a C2 domain using its unique domain-generation algorithm (DGA), it queries API, a Dogecoin cryptocurrency block explorer, to retrieve an amount that was spent from a hardcoded wallet address controlled by the attacker. That value is sent back and then hashed with SHA256; the malware then saves the first 12 characters from the hex-string representation of the SHA256 value, to be used as the subdomain.

It can then construct a full address by appending the subdomain to, which is a domain offered by the legitimate DynDNS service.

“Using this technique the attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet,” explained the Intezer researchers. “Since only the attacker has control over the wallet, only he can control when and how much Dogecoin to transfer, and thus switch the domain accordingly. Additionally, since the blockchain is both immutable and decentralized, this novel method can prove to be quite resilient to both infrastructure takedowns from law enforcement and domain filtering attempts from security products.”

The researchers said that Doki has until now been “a fully undetected malware component.” To wit, they noted that as recently as this week, Doki had failed to be detected by any of the 60 malware detection engines in VirusTotal, despite having been uploaded to the repository on January 14. At this time of writing, 24 of the 60 engines are detecting the malware.

The Ngrok botnet is an urgent threat that is actively improving itself over time, Intezer warned, and adding new payloads beyond its typical cryptomining fare.

“The Ngrok botnet campaign has been ongoing for over two years and is rather effective, infecting any misconfigured Docker API server in a matter of hours,” researchers said. “The incorporation of the unique and undetected Doki malware indicates the operation is continuing to evolve.”

Threatpost has reached out to Intezer for any information regarding how widespread the Doki backdoor has become.

To avoid infection, Docker admins should check for any exposed ports, verify there are no foreign or unknown containers among the existing containers,and monitor excessive use of resources.

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us  Wednesday Aug. 12 at 2pm ET for this FREE live webinar.


Suggested articles