Doki: the New Malware that Affects Linux Servers

Any device connected to a network can be attacked: computers, mobile devices, servers... Today we look at Doki, a malware that targets poorly configured Linux servers. It is part of the Ngrok Cryptominer Botnet campaign, which has been active since 2018, and it adds to the growing list of threats that affect this type of system.

Doki, one more threat to Linux servers

As noted, Doki is a malware that puts Linux servers at risk. Specifically, it targets cloud-hosted Docker installations whose API has been left exposed and misconfigured, and that exposed API is how the attackers get their code to run on the host.


One of the aspects that makes Doki particularly interesting is the dynamic way it locates its command-and-control infrastructure. It does not rely on a fixed domain or a pool of malicious IP addresses; instead it uses dynamic DNS services such as DynDNS, combined with a blockchain-based domain generation algorithm (DGA), so the sample derives the current address of its C2 server at run time from public data rather than carrying it in the binary.
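The general pattern behind such a DGA, as an added example that is not code from the article or from the malware itself: take a value anyone can read from a public ledger, hash it, and use a prefix of the hash as a subdomain under a dynamic DNS provider. The `.ddns.net` suffix, the 12-character subdomain length and the ledger values are assumptions chosen for illustration; the defender-side helpers show why the same public data lets a SOC precompute the hostnames to watch for.

```python
from __future__ import annotations

import hashlib

# Added illustration of a blockchain-based DGA; not the article's code nor Doki's source.
# Assumptions: a DynDNS-style suffix and a 12-character subdomain, both placeholders.
DYNDNS_SUFFIX = ".ddns.net"
SUBDOMAIN_LEN = 12


def c2_domain_for(ledger_value: str) -> str:
    """Turn a value anyone can read from a public ledger into a C2 hostname.

    The sample hashes the value and uses a prefix of the hex digest as the
    subdomain.  Because the input comes from a public blockchain rather than
    from the binary, the operator changes the domain simply by making a new
    transaction, and the sample never has to embed a domain list.
    """
    digest = hashlib.sha256(ledger_value.encode("ascii")).hexdigest()
    return digest[:SUBDOMAIN_LEN] + DYNDNS_SUFFIX


def watchlist(ledger_history: list[str]) -> set[str]:
    """Defender side: the same public data yields the same domains, so anyone
    who knows the ledger entry can precompute every hostname the bot may resolve."""
    return {c2_domain_for(v) for v in ledger_history}


def is_dga_lookup(queried_name: str, known: set[str]) -> bool:
    """Match a DNS query taken from resolver logs against the precomputed watchlist."""
    return queried_name.rstrip(".").lower() in known


# Constructed sample data: successive running totals as they might appear on a ledger.
LEDGER_HISTORY = ["12.5", "13.0", "47.75"]

if __name__ == "__main__":
    names = watchlist(LEDGER_HISTORY)
    for n in sorted(names):
        print("watch:", n)
    # A query for the current domain (with the trailing dot a resolver log carries) matches.
    print(is_dga_lookup(c2_domain_for("47.75") + ".", names))
```

The practical consequence for detection is that a fixed blocklist is useless against this scheme, but the ledger is public: once the analysis identifies which on-chain value the sample reads, the defender can regenerate the watchlist on the same schedule as the bot and alert on any host that resolves one of those names.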

It is also a very stealthy piece of malware: the sample was first uploaded to the VirusTotal analysis service in January and went undetected for more than six months.


Few antivirus engines detect the threat

As of today, according to VirusTotal, only six antivirus engines flag this threat. To find victims, the attackers continuously scan for cloud-hosted Docker instances whose API is reachable from the Internet. Shodan alone lists more than 2,400 such Linux hosts on Amazon AWS infrastructure.

Not all of these cloud hosts are necessarily vulnerable, but they show the kind of target an attacker could exploit if they were misconfigured.

Once they identify publicly accessible Docker API ports, the attackers use them to start their own containers on those hosts, sometimes deleting the existing ones.
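The misconfiguration that makes this possible is a Docker daemon listening on a TCP port without TLS client authentication, so anyone who can reach the port can create containers with root on the host. The following added example (not code from the article) audits a `daemon.json` for that mistake and shows the weak configuration beside a hardened one; the file paths, IP address and both sample configurations are constructed for illustration. The optional probe uses the documented Engine API endpoint `/_ping`, which answers `OK`.

```python
from __future__ import annotations

import http.client
import json
from urllib.parse import urlparse

# Added example, not the article's code.  It audits a Docker daemon.json for the
# misconfiguration Doki's operators scan for: a TCP API listener without TLS auth.
PLAINTEXT_API_PORT = 2375   # Docker's conventional unauthenticated API port
TLS_API_PORT = 2376         # conventional port for the TLS-protected API
ANY_INTERFACE = {"", "0.0.0.0", "::"}


def audit_daemon_config(config_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a daemon.json document."""
    cfg = json.loads(config_text)
    findings: list[tuple[str, str]] = []
    tls_required = bool(cfg.get("tlsverify"))
    cert_keys = ("tlscacert", "tlscert", "tlskey")

    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only; nothing to reach over the network
        parsed = urlparse(host)
        bind_addr = parsed.hostname or ""
        if not tls_required:
            findings.append(("critical",
                             f"{host}: remote API without tlsverify; anyone who can reach it "
                             "can run containers as root on this host"))
        elif any(k not in cfg for k in cert_keys):
            findings.append(("high", f"{host}: tlsverify set but not all of {cert_keys} configured"))
        if bind_addr in ANY_INTERFACE:
            findings.append(("medium", f"{host}: bound to all interfaces; restrict at the firewall"))
        if tls_required and parsed.port == PLAINTEXT_API_PORT:
            findings.append(("low", f"{host}: TLS on port {PLAINTEXT_API_PORT}; "
                                    f"convention is {TLS_API_PORT}"))
    return findings


def probe_docker_api(host: str, port: int = PLAINTEXT_API_PORT, timeout: float = 3.0) -> bool:
    """Return True if an unauthenticated Docker Engine API answers at host:port.

    GET /_ping is a documented Engine API endpoint that returns the body "OK".
    Use it only against hosts you are authorised to test.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/_ping")
        resp = conn.getresponse()
        return resp.status == 200 and resp.read().strip() == b"OK"
    except OSError:
        return False


# Constructed sample: the weak setting the attackers look for ...
EXPOSED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# ... and the corrected one: TLS client certificates required, bound to one internal address.
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(text) or "no findings")
```

The same mistake is just as common on the command line, where `dockerd -H tcp://0.0.0.0:2375` in a systemd unit or startup script produces an identical exposure without touching `daemon.json`, so an audit should cover the unit file as well. Even with TLS enabled, the API port should never be reachable from the Internet; the Shodan count quoted above is made up of hosts that failed that second control.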

According to the security researchers, the advantage of using a publicly available image is that the attacker does not need to hide a custom one on Docker Hub or another hosting service. Instead, they start a container from an existing, legitimate image and run the malware inside it.

As mentioned, the campaign runs its payload through third-party services (dynamic DNS for the C2 and the ngrok tunnelling service that gives the Ngrok Cryptominer Botnet campaign its name) rather than dedicated attacker infrastructure.

In short, Doki can put badly configured Linux servers at risk. It is always important to configure our systems properly, in this case by never exposing the Docker API to the Internet without authentication, and to keep them updated: vulnerabilities appear constantly, and patches close the ones that cyber criminals would otherwise exploit.