Armed with an undetectable strand of malware, attackers are targeting misconfigured cloud-based docker instances running on Linux distributions. The malware strand that is dubbed as Doki is a part of Ngrok Cryptominer Botnet campaign that has been active since 2018.
The malware dynamic behavior regarding how it connects to its command and control (C2) infrastructure makes it very interesting. Since, Doki uses dynamic DNS services like DynDNS, as opposed to relying on a particular domain or set of malicious Ips. It can also generate and locate the address of its C2 server in real-time and “phone home” after combining it with a unique blockchain-based Domain Generation Algorithm (DGA).
Due to its highly stealthy behavior, the malware went undetected for over six months.
Mechanics of its Attack
To execute their malicious campaign, threat actors actively search for exposed Internet-accessible Docker cloud instances. A search engine for the internet-connected devices reveals over 2,400 such instances running Linux on Amazon AWS infrastructure. However, that does not necessarily suggest all these containerized cloud environments are vulnerable.
The attackers are using a legitimate “alpine-curl” image to set up their instances and then run the malicious code through it, all while flying under the radar.
the attacker doesn’t need to hide it on Docker hub or other hosting solutions since they are using a publicly available image. They can also use an existing image and run their logic and malware on top of it.
The attackers must create a container and escape outside of the container to exploit the server and execute code on the hosting machine. As also leveraged by other attacks, the trick of mounting a network drive also does the job.
This technique is based on the creation of a new container by posting a request to create a new API. The body of the request contains configuration parameters for the container. A parameter called Blind lets the user configure which file or directory on the host machine to mount into a container.
When the process is done correctly it will enable the attacker to access and modify every file on the hosting machine’s filesystem from within their newly created container.
The attacker downloads the malicious payload and configures the host’s cronjob utility, run the payload every minute, by using third party services such as Ngrok.
Equipped with state-of-the-art network scanning and reconnaissance tools such as map, zgrap, and jq, the payload starts identifying other targets running services like Redis, Docker, SSH, and HTTP.
This information is then passed to another Ngrok URL so that various malware binaries and crypto-miners be dropped on the target machines.
The standout part during the entire attack process is the attacker being able to obtain total control of not only their newly-created container image but the server instance as well, due to the legitimate API commands they can run.
Reaching Home
The malware generates its C2 domain by querying a legitimate Dogecoin cryptocurrency explorer. It looks for a value of Dogecoins sent out from an attacker, controlled “hardcoded wallet address.”
The first 12 hex characters from a SHA256 digest of this value will serve as the C2 domain address hosted on DynDNS. However, there is also a silent kill command, if the attacker has sent no Dogecoins out of this wallet, the sent value returned by dogechain.info would be “0.00000000”.
The malware is aware of the value the SHA256 digest would start with and is programmed to halt execution should it generate this particular C2 domain during its workflow.
Since the attacker uses container escape techniques to gain full control of the victim’s infrastructure, the malware attack is deemed as highly dangerous. The procured evidence also indicates that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign.
The Indicators of Compromise (IOCs) associated with the sample have been provided by researchers in their report, details of which have been shared below.
IOCS
Checksum (SHA-256): 4aadb47706f0fe1734ee514e79c93eed65e1a0a9f61b63f3e7b6367bd9a3e63b
Possible filename(s): 8656be257806daee79e96a4102798abbg
Domain: 6d77335c4f23[.]ddns[.]net
To read more, please check eScan Blog