Security researchers have uncovered a Linux malware that has evaded detection by using undocumented techniques, and that targets publicly accessible Docker servers hosted on popular cloud platforms, including AWS, Azure, and Alibaba Cloud.
Docker is a platform-as-a-service (PaaS) solution for Linux and Windows which makes it easier for developers to create, test and run their applications in a loosely isolated environment called a container.
An ongoing Ngrok mining botnet campaign is scanning the Internet for misconfigured Docker API endpoints and has already infected many vulnerable servers with the new malware.
The Ngrok mining botnet has been active for the last two years, but the new campaign mainly aims at taking control of misconfigured Docker servers and exploiting them to set up malicious containers that run cryptominers on the victims’ infrastructure.
The multi-threaded malware, dubbed ‘Doki,’ uses an undocumented method to contact its operator: it abuses the Dogecoin cryptocurrency blockchain in a unique way to generate its C2 domain dynamically. It has stayed undetected despite samples being publicly available on VirusTotal.
According to researchers, the malware:
- was designed to execute commands received from its operators,
- uses a Dogecoin cryptocurrency block explorer to generate its C2 domain dynamically, in real time,
- uses the embedTLS library for cryptographic functions and network communication,
- crafts unique URLs with a short lifetime and uses them to download payloads during the attack.
The malware uses the DynDNS service together with a unique Domain Generation Algorithm (DGA) based on the Dogecoin cryptocurrency blockchain to find its C2 domain in real time.
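A C2 domain derived from a blockchain value and registered under a dynamic DNS zone leaves a recognisable trace in DNS logs: a lookup, from a Docker host, of a dynamic-DNS hostname whose label looks hash-generated rather than human-chosen. The following detection heuristic is an added example, not code from the report or from the malware; the dynamic-DNS zone list, the log line format, the assumption that the generated label is hexadecimal, and the entropy threshold are all assumptions to adapt to your own environment.

```python
"""Flag DNS queries for dynamic-DNS hostnames whose leftmost label looks
machine-generated (hex-only and high-entropy), the shape a hash-derived
DGA subdomain would have. Added illustration; thresholds are assumptions."""
import math
import re
from collections import Counter

# Assumed: zones handed out by dynamic DNS providers; extend for your environment.
DYNDNS_ZONES = ("ddns.net", "dyndns.org", "hopto.org", "no-ip.org")

# Constructed sample log: "<timestamp> <client> query <type> <name>"
SAMPLE_DNS_LOG = """\
2020-07-28T10:00:01Z 10.0.0.5 query A 3f9a1c7e02b4.ddns.net
2020-07-28T10:00:05Z 10.0.0.5 query A registry-1.docker.io
2020-07-28T10:00:09Z 10.0.0.6 query A myhomecam.ddns.net
2020-07-28T10:01:02Z 10.0.0.5 query A e71b0cc94d2a.ddns.net
"""

# Assumption: a hash-derived label is lowercase hex of at least 8 characters.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label, entropy_threshold=3.0):
    """True when the label is hex-only and its characters are spread out
    (a human-chosen name like 'myhomecam' fails the hex test)."""
    return bool(HEX_LABEL.match(label)) and shannon_entropy(label) >= entropy_threshold


def suspicious_queries(text=SAMPLE_DNS_LOG):
    """Return [(client, name)] for queries that hit a dynamic-DNS zone with a
    single generated-looking label in front of it."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _kw, _qtype, name = line.split()
        name = name.rstrip(".").lower()
        for zone in DYNDNS_ZONES:
            if name.endswith("." + zone):
                label = name[: -len(zone) - 1]
                # Only a single label directly under the zone is considered.
                if "." not in label and looks_generated(label):
                    hits.append((client, name))
                break
    return hits


if __name__ == "__main__":
    for client, name in suspicious_queries():
        print(f"{client} queried generated-looking dynamic-DNS name {name}")
```

This is a triage heuristic, not a signature: legitimate dynamic-DNS users exist, so the hits are meant to be correlated with the other indicators in the report (exposed Docker API, unexpected containers, outbound scanning) rather than blocked outright.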
The actors behind this campaign also compromised the host machines by binding newly created containers to the server’s root directory, which let them read or modify any file on the host.
Using this bind configuration, the attacker can control the host’s cron utility and alter the host’s crontab so that the downloaded payload is executed every minute.
This kind of attack is dangerous because the attacker uses container escape techniques to attain total control of the victim’s infrastructure.
Once done, the malware also uses the compromised systems to scan the network further for ports associated with Redis, Docker, SSH, and HTTP, using scanning tools such as zmap, zgrab, and jq.
Doki remained under the radar for more than six months even though it was uploaded to VirusTotal on January 14, 2020, and has been scanned multiple times since. Surprisingly, the malware is still not detected by any of the 61 top malware detection engines.
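The post-compromise scanning described above is noisy from the network's point of view: one host touching the Redis, Docker, SSH and HTTP ports of many neighbours within seconds. The sliding-window detector below, run over connection records, is an added example rather than code from the report; the record format (epoch, source, destination, destination port), the watched port list, and the window and target thresholds are assumptions to tune for your own telemetry.

```python
"""Flag sources that sweep many distinct host/port pairs on the service ports
Doki's scanning targets (Redis 6379, Docker 2375/2376, SSH 22, HTTP 80)
inside a short time window. Added illustration; thresholds are assumptions."""
from collections import defaultdict

WATCHED_PORTS = {6379: "redis", 2375: "docker", 2376: "docker-tls", 22: "ssh", 80: "http"}

# Constructed sample of connection records: "<epoch> <src> <dst> <dport>"
SAMPLE_LOG = """\
1595900000 10.0.0.5 10.0.0.1 6379
1595900001 10.0.0.5 10.0.0.2 6379
1595900001 10.0.0.5 10.0.0.3 2375
1595900002 10.0.0.5 10.0.0.4 22
1595900002 10.0.0.5 10.0.0.6 80
1595900003 10.0.0.5 10.0.0.7 2376
1595900004 10.0.0.5 10.0.0.8 6379
1595900010 10.0.0.9 10.0.0.1 80
1595900011 10.0.0.9 10.0.0.1 80
"""


def parse_records(text):
    """Parse the constructed log format into (epoch, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((int(ts), src, dst, int(dport)))
    return records


def find_scanners(records, window=60, min_targets=5):
    """Return {src: sorted distinct (dst, dport)} for every source that reaches at
    least `min_targets` distinct host/port pairs on watched ports within any
    `window`-second span. Uses a two-pointer sliding window per source."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(records):
        if dport in WATCHED_PORTS:
            by_src[src].append((ts, dst, dport))
    scanners = {}
    for src, events in by_src.items():
        left = 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            in_window = {(d, p) for _, d, p in events[left:right + 1]}
            if len(in_window) >= min_targets:
                # Report every watched-port target this source touched.
                scanners[src] = sorted({(d, p) for _, d, p in events})
                break
    return scanners


def scan_report(text=SAMPLE_LOG):
    return find_scanners(parse_records(text))


if __name__ == "__main__":
    for src, targets in scan_report().items():
        services = sorted({WATCHED_PORTS[p] for _, p in targets})
        print(f"{src} swept {len(targets)} targets across {services}")
```

Repeated connections to a single server (10.0.0.9 in the sample) are deliberately not flagged, since the signal here is breadth across hosts, not volume.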
All users and firms who run Docker instances are advised not to expose the Docker API to the Internet. Those who must expose it should make sure it is reachable only from a trusted network or VPN, and only by trusted users who need to control the Docker daemon.
Those who manage Docker from a web server that provisions containers through an API must be even more careful with parameter checking, to make sure that a threat actor cannot pass crafted parameters that cause Docker to create arbitrary containers.
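Two of the points above, the host-root bind mount the attackers used to reach the host's cron, and the parameter checking a container-provisioning API needs, come down to the same check: is a request or a running container binding a sensitive host path into the container? The block below is an added example, not code from the report or from Docker; it (1) audits `docker inspect` output for containers that bind the host root, cron directories or the Docker socket, and (2) validates a `POST /containers/create`-style request body before it reaches the daemon. The field names follow the Docker Engine API (`Mounts`, `HostConfig.Binds`, `HostConfig.Privileged`); the sensitive-path list, the image allowlist and the sample data are constructed.

```python
"""Defensive checks around Docker bind mounts, as an added illustration.
(1) audit_inspect: flag containers from `docker inspect` output that mount
    sensitive host paths or run privileged.
(2) validate_create_request: reject container-creation parameters that would
    hand over the host. Sensitive paths and the allowlist are assumptions."""
import json
import os

# Assumed list of host paths that, bound into a container, give control of the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/spool/cron", "/var/run/docker.sock", "/root")

# Constructed allowlist of images the provisioning API may start.
ALLOWED_IMAGES = {"registry.example.internal/app:1.4"}


def _is_sensitive(source):
    """True if `source` is, or lies under, one of the sensitive host paths."""
    src = os.path.normpath(source)
    if src == "/":
        return True
    return any(p != "/" and (src == p or src.startswith(p + "/")) for p in SENSITIVE_HOST_PATHS)


def audit_inspect(inspect_json):
    """Return [(container, source, destination)] findings from `docker inspect` JSON
    (a list of container objects); Privileged is reported with a None destination."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
                findings.append((name, m["Source"], m.get("Destination")))
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "Privileged=true", None))
    return findings


def validate_create_request(body):
    """Return a list of reasons to reject a container-create request body; an empty
    list means the request is acceptable. Checks image allowlist, privileged mode,
    host namespaces, and bind mounts given either as Binds or as Mounts."""
    errors = []
    if body.get("Image") not in ALLOWED_IMAGES:
        errors.append("image not in allowlist")
    hc = body.get("HostConfig", {})
    if hc.get("Privileged"):
        errors.append("Privileged not allowed")
    if hc.get("PidMode") == "host" or hc.get("NetworkMode") == "host":
        errors.append("host namespaces not allowed")
    for bind in hc.get("Binds", []):          # "host_path:container_path[:opts]"
        source = bind.split(":", 1)[0]
        if _is_sensitive(source):
            errors.append(f"bind of sensitive host path {source}")
    for m in hc.get("Mounts", []):
        if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
            errors.append(f"bind of sensitive host path {m.get('Source')}")
    return errors


# Constructed sample resembling `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/web/static",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Name": "/suspicious", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])

# Constructed request bodies: one crafted to mount the host root, one benign.
CRAFTED_REQUEST = {"Image": "alpine", "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True}}
BENIGN_REQUEST = {"Image": "registry.example.internal/app:1.4",
                  "HostConfig": {"Binds": ["/srv/app/data:/data:ro"]}}

if __name__ == "__main__":
    for finding in audit_inspect(SAMPLE_INSPECT):
        print("audit:", finding)
    for reason in validate_create_request(CRAFTED_REQUEST):
        print("reject:", reason)
```

In practice the audit function runs over `docker inspect $(docker ps -q)` on each host, while the validator sits in front of whatever service translates web requests into daemon calls, so that the API never forwards user-controlled `HostConfig` fields unchecked.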