Dogecoin used to deploy malware for 6 months

Hackers have been exploiting the Dogecoin network to deploy a malware payload known as Doki, a new report has revealed. The report claims that the hackers have now been targeting their victims for six months but have managed to stay under the radar.

Doki is a new malware payload that the hackers have been deploying to attack Docker servers, the report by cybersecurity firm Intezer revealed. Unlike previous payloads targeting Docker servers, Doki uses the Dogecoin network to generate its C2 domain address.

Doki is an undetected backdoor for Linux systems, used to execute code by the hackers. It utilizes a unique domain generation algorithm based on Dogecoin, the report revealed. Being multi-threaded, it creates a separate thread upon execution, allowing it to handle all C2 communications.

The hackers are able to control which address the malware contacts by transferring a specific amount of Dogecoin from their digital currency wallet. By controlling the wallet, the hacker is able to switch the domain at will.

The use of the Dogecoin database has given Doki an edge over other malware payloads, the report claimed, stating, “Since the blockchain is both immutable and decentralized, this novel method can prove to be quite resilient to both infrastructure takedowns from law enforcement and domain filtering attempts from security products.”

Doki is deployed through the Ngrok botnet. This highly-effective botnet has been in operation for over two years now. It targets misconfigured Docker API ports and infects them in just a few hours.

Doki has been quite elusive, going for over six months undetected, the report states. This is despite having been uploaded to VirusTotal, a cyber-threat aggregation and analysis platform, on January 14 this year and being scanned multiple times since.

Intezer urged all companies owning container servers in the cloud to fix their configuration to prevent exposure.

Doki isn’t the first malware to exploit a blockchain. In September 2019, Trend Micro discovered that the Glupteba malware was using the BTC blockchain to keep itself alive. If a command and control (C&C) server was shut down, the hackers simply sent a BTC transaction with a new C&C server coded into the OP_RETURN field.