Doki Malware Set Against Docker Servers: Botnets Used For Distribution


Security researchers have discovered that the Doki malware is actively being used by criminal groups to infect Docker servers. Docker hosts at web hosting companies and in enterprise networks are among the targets of the ongoing attacks. One of the reasons this campaign is seen as particularly dangerous is that it is distributed through an established botnet rather than by one-off scanning.

Docker Servers Are Under Attack By The Doki Malware!

Docker servers are being attacked by a new malware known as Doki. It is delivered by the Ngrok botnet, a network of infected hosts that has been active for at least two years and takes its name from the Ngrok tunnelling service it abuses. Doki itself is a previously undetected Linux backdoor that rides on the botnet's large base of compromised hosts. The botnet scans for Docker servers whose management API has been exposed to the Internet, including servers hosted on popular cloud platforms such as Microsoft Azure and Amazon AWS.

The command-and-control technique is new: instead of a hard-coded server address, Doki derives its command and control domain from the Dogecoin blockchain. The attackers control a Dogecoin wallet; the malware looks up that wallet's transactions and computes the domain from the transaction data. A single new transaction from the wallet therefore moves the C2 to a fresh address without the malware ever being updated. Because the domain can be rotated at will and no static indicator exists to block, the malware remained undetected for about six months.
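To make the scheme concrete, here is an added example (not code from the original article and not Doki's own code) of a blockchain-driven domain generation algorithm, seen from both sides. The concrete recipe is an assumption for illustration: the amount of the wallet's most recent outgoing transaction is hashed with SHA-256 and the first 12 hex characters become a subdomain under a dynamic-DNS parent (`.ddns.net` is assumed); the real sample's exact parameters are not given on this page. The transaction amounts, the explorer hostname and the DNS log lines are all constructed, so the script runs offline.

```python
import hashlib

# Assumed dynamic-DNS parent domain under which the generated subdomains live.
DDNS_SUFFIX = ".ddns.net"

# Constructed sample: amounts (as a block explorer API would return them) sent out of the
# attacker-controlled wallet in successive transactions. Not real blockchain data.
WALLET_OUTGOING = ["8.0", "12.5", "3.33"]


def c2_domain_for(value: str) -> str:
    """Map one transaction value to a C2 hostname: sha256 hex digest, first 12 chars."""
    digest = hashlib.sha256(value.encode("ascii")).hexdigest()
    return digest[:12] + DDNS_SUFFIX


def current_c2(outgoing_values):
    """Implant side: resolve the domain derived from the latest outgoing transaction."""
    return c2_domain_for(outgoing_values[-1])


def rotate_c2(outgoing_values, new_value: str) -> str:
    """Attacker side: one new transaction from the wallet moves the C2 address.

    Nothing on the infected host changes; the implant just recomputes the domain.
    """
    outgoing_values.append(new_value)
    return current_c2(outgoing_values)


def expected_c2_domains(outgoing_values):
    """Defender side: the scheme is deterministic over public data, so anyone who knows
    the wallet address can precompute every domain its history implies."""
    return {c2_domain_for(v) for v in outgoing_values}


def flag_dns_queries(log_text: str, outgoing_values):
    """Return (client, name) for every DNS query that hits a wallet-derived domain.

    Expected log line format (constructed for this example): "<timestamp> <client> <name>".
    """
    suspects = expected_c2_domains(outgoing_values)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, name = parts
        if name.lower().rstrip(".") in suspects:
            hits.append((client, name))
    return hits


# Constructed sample DNS log from a Docker host. The explorer hostname is a placeholder:
# a real implant must query some public block explorer API to learn the transaction value,
# which is itself a network indicator worth watching for.
SAMPLE_DNS_LOG = """
2020-07-01T10:00:01Z 10.0.0.5 registry-1.docker.io
2020-07-01T10:00:07Z 10.0.0.5 blockchain-explorer.example
2020-07-01T10:00:09Z 10.0.0.5 {}
2020-07-01T10:05:12Z 10.0.0.7 example.org
""".strip().format(c2_domain_for(WALLET_OUTGOING[-1]))


if __name__ == "__main__":
    print("current C2:", current_c2(WALLET_OUTGOING))
    print("flagged queries:", flag_dns_queries(SAMPLE_DNS_LOG, WALLET_OUTGOING))
```

The point of `expected_c2_domains` is that the attacker's flexibility cuts both ways: the blockchain is public, so once the wallet address is known from a sample, defenders can derive the same domains and feed them to DNS blocklists or detection rules before the implant ever resolves them.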


The attack does not rely on a software vulnerability; it exploits misconfigured Docker hosts whose daemon API is reachable from the Internet without authentication. Through that API the attackers create containers from an image that contains curl, a command-line tool for retrieving files from remote locations, and use it to download and run their payload. Attackers can also publish malware-laden images and use phishing to lure users into pulling and deploying them onto their own servers.


While the botnet scans for vulnerable Docker instances, the criminal groups may also use phishing to spread infected images. Once a host is compromised, Doki reconfigures the cloud instance so that the remote attackers retain access to it. The Ngrok botnet also includes a script that establishes a tunnel between the infected host and the attackers through the Ngrok service. The tunnel URLs are unique and live only for a short time; once activated they download the remote scripts automatically. Doki infections can be configured to perform any of the following actions:

  • Additional payloads — Doki can be used to deploy other malware onto the infected machines. The most common are cryptocurrency miners, which burn the host's CPU on proof-of-work computations for a mining pool; for every accepted share the attackers are paid in cryptocurrency.
  • System manipulation — Doki can reconfigure the compromised host to suit the attackers.
  • Host takeover — Using Doki, the attackers can take full control of the infected server and access or steal the files stored on it.

If you are running Docker we recommend a thorough security check: make sure the Docker daemon API is not reachable from the Internet, and review the permissions of the folders and file systems to confirm that nobody besides you has access to the stored data.
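As an added example of how to carry out that check (this is not code from the original article or from any Docker project), the script below audits two things the attack described above depends on: a daemon API listening on TCP for non-loopback clients without TLS client authentication, and containers that run privileged or bind-mount sensitive host paths, which is the shape a container created through an open API from a curl image would have. The daemon configurations and the `docker inspect` output are constructed samples so the checks run offline; `audit_live_host` applies the same checks to the machine it runs on and assumes the `docker` CLI is installed.

```python
import json
import os
import subprocess

# Constructed daemon configurations in the shape of /etc/docker/daemon.json (not from a real host).
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
TLS_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed, trimmed `docker inspect` output for two containers. The second has the shape
# of a container an attacker creates through an open API: a curl image with the host root
# filesystem bind-mounted into it.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "Binds": ["webdata:/usr/share/nginx/html"]}},
    {"Name": "/zealous_curl", "Config": {"Image": "curlimages/curl:latest"},
     "HostConfig": {"Privileged": False, "Binds": ["/:/host"]}},
])

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
# Host paths that should never be handed to a container without a very good reason.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def audit_daemon_config(text):
    """Flag API listeners reachable over TCP from other hosts without TLS client auth."""
    cfg = json.loads(text)
    tls_client_auth = bool(cfg.get("tlsverify"))
    findings = []
    for spec in cfg.get("hosts", []):
        if not spec.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local only
        host = spec[len("tcp://"):].rsplit(":", 1)[0]
        if host in LOOPBACK or tls_client_auth:
            continue
        findings.append(f"daemon API {spec} is reachable without TLS client auth")
    return findings


def _sensitive(src):
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_containers(text):
    """Flag privileged containers and bind mounts of sensitive host paths."""
    findings = []
    for c in json.loads(text):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append(f"{name}: runs privileged")
        for bind in hc.get("Binds") or []:
            parts = bind.split(":")  # "src:dst[:options]"
            src = parts[0]
            dst = parts[1] if len(parts) > 1 else "?"
            if src.startswith("/") and _sensitive(src):
                findings.append(f"{name}: host path {src} mounted at {dst}")
    return findings


def audit_live_host():
    """Run both checks against this machine (requires the docker CLI)."""
    findings = []
    if os.path.exists("/etc/docker/daemon.json"):
        with open("/etc/docker/daemon.json") as f:
            findings += audit_daemon_config(f.read())
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True,
                         check=True).stdout.split()
    if ids:
        out = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True,
                             check=True).stdout
        findings += audit_containers(out)
    return findings


if __name__ == "__main__":
    for finding in audit_live_host():
        print(finding)
```

One caveat: the listen address can also be set with `-H` on the `dockerd` command line (typically in the systemd unit) instead of `daemon.json`, and the two cannot both be used, so complement the config check with `ss -ltnp` and look for `dockerd` bound to a non-loopback address on 2375 or 2376.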

Researched and created by:
Krum Popov
Passionate web entrepreneur, has been crafting web projects since 2007. In 2020, he founded HTH.Guide — a visionary platform dedicated to streamlining the search for the perfect web hosting solution.
Technically reviewed by:
Metodi Ivanov
Seasoned web development expert with 8+ years of experience, including specialized knowledge in hosting environments. His expertise guarantees that the content meets the highest standards in accuracy and aligns seamlessly with hosting technologies.