Doki Malware Set Against Docker Servers: Botnets Used For Distribution

Doki malware logo image

Security researchers have discovered that the Doki malware is actively being used by hacking groups to infect Docker servers. All popular web hosting companies and enterprise networks are the subject of the ongoing attacks. One of the reasons why this attack is seen as particularly dangerous is the fact that multiple botnets have been used to distribute it.

Docker Servers Are Under Attack By The Doki Malware!

Docker servers are being attacked by a new malware known as Doki. All of this is done by the Ngrok Botnet, a dangerous network of infected hosts which has been active for at least two years. The malware itself is a previously undetected Linux virus which takes advantage of the large number of compromised hosts. This botnet is configured to expose Docker servers which are hosted on popular cloud platforms such as Azure and Amazon AWS.

The used technique is completely new — a blockchain wallet is generating the command and control servers used for hacker communications. The cryptocurrency in use for this was Dogecoin — its algorithm was abused into dynamically generating the address which was used create the required address over which the criminal communications is made. As this constantly produces new addresses the malware has remained undetected for about 6 months.


Also Read Stealthworker Malware Used To Hijack WordPress Sites


The flaw exploits misconfigured Docker containers – the most commonly used method is by exploiting images containing the curl software – a program which is used to retrieve files from remote locations. The remote attackers can deploy malware-containing images onto the Internet – common phishing strategies can be employed in order to make users download and deploy it onto their servers.


Also Read How To Test Your WordPress Site Security


While the botnet network can search for vulnerable Docker instances, at the same time the criminal groups may also use various phishing strategies in order to spread the infected copies. The Doki malware works by setting up parameters and permissions on the cloud hosting service by allowing the remote attackers to access them. The Ngrok botnet also includes a script which establishes a secure tunnel between the infected hosts and the hackers. The URLs are unique and maintained only fort a short lifetime. Once activated they will download the remote scripts automatically. Doki malware cases can be configured to run any of the following actions:

  • Additional Virus Infections — The Doki malware can be used to deploy other viruses onto the infected machines. The most common ones are cryptocurrency miners — scripts that will retrieve performance-intensive tasks from a remote host. For every completed and reported task the hackers will receive cryptocurency assets as payment.
  • System Manipulation — The Doki Malware can be used to manipulate the system in order to reconfigure the contaminated hosts.
  • Host Takeover — Using the Doki malware the hackers can completely take over the infected servers by taking control or stealing the stored files.

If you are running a Docker container we recommend that a thorough security check is made. Review the permissions of the folders and file systems in order to see if anyone else besides you has access to the stored data.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.