Linux threats are popping up in the headlines on a weekly basis.
Intezer researchers have spotted Doki, an entirely undetectable Linux malware, exploiting undocumented tactics to stay unnoticed and target publicly accessible Docker servers.
What should you know about the attacks?
- The threat actors are seeking out publicly accessible Docker API ports and exploiting them to set up their own containers and execute malicious activities.
- The containers created during the attack are based on an alpine image with curl installed.
- Containers created during the attack are configured to bind /tmpXXXXXX directory to the root directory of the hosting server. This signifies that every file on the server’s filesystem can be accessed and even modified, with the correct user permissions, from within the container.
- The operators abuse Ngrok to build unique URLs with a short lifespan and use them to download payloads.
More about Doki
- Doki is a Linux backdoor and executes codes received from its operators.
- It exercises the DynDNS service and a unique Domain Generation Algorithm (DGA) based on the Dogecoin cryptocurrency blockchain to find the domain of its C&C in real-time.
- This malware is an entirely undetected backdoor and has managed to stay under the radar for more than six months.
Recent attacks on Docker servers
Over the last few months, Docker servers are being increasingly targeted by hackers, especially by crypto-mining groups.
- Over the last month, several cryptomining campaigns targeted misconfigured Docker APIs to disseminate new Linux servers running crypto-mining malware.
- In another series of attacks, threat actors targeted Docker servers to install DDoS malware.
The Ngrok Botnet campaign has been in force for more than a couple of years and can infect any misconfigured Docker API in a matter of hours. The campaign has evolved with the incorporation of the Doki malware and is turning out to be a dangerous one.
The bottom line is that organizations running Docker in the cloud need to ensure that the management interface’s API is not exposed to the Internet.