Doki Backdoor Infiltrates Docker Servers in the Cloud
2020-07-30 17:00

A fresh Linux backdoor called Doki is infesting Docker servers in the cloud, researchers warn, employing a brand-new technique: Using a blockchain wallet for generating command-and-control domain names.

The campaign starts with an increasingly common attack vector: The compromise of misconfigured Docker API ports.

Attackers scan for publicly accessible, open Docker servers in an automated fashion, and then exploit them in order to set up their own containers and execute malware on the victim's infrastructure.
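A defender-side check for the misconfiguration described above, as an added example that is not part of the original article: it audits a host's Docker daemon settings for TCP API listeners that do not require client certificates. The `hosts` and `tlsverify` keys and the `-H`/`--host` and `--tlsverify` flags are standard dockerd options; the sample configuration and the function names are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def tcp_listeners(cfg, cmdline):
    """Collect tcp:// listeners from daemon.json 'hosts' and dockerd -H/--host flags."""
    hosts = list(cfg.get("hosts", []))
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
    return [h for h in hosts if h.startswith("tcp://")]

def client_certs_required(cfg, cmdline):
    """True only when the daemon verifies client certificates (tlsverify)."""
    if cfg.get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in shlex.split(cmdline))

def audit(daemon_json_text, cmdline):
    """Return (severity, listener) pairs for API listeners open without client auth."""
    cfg = json.loads(daemon_json_text or "{}")
    if client_certs_required(cfg, cmdline):
        return []
    findings = []
    for host in tcp_listeners(cfg, cmdline):
        # An empty address such as tcp://:2375 binds every interface.
        addr = urlsplit(host).hostname or "0.0.0.0"
        # Loopback-only is still reachable by any local process, so it is flagged too.
        severity = "WARN" if addr in LOOPBACK else "CRITICAL"
        findings.append((severity, host))
    return findings

# Constructed sample input: contents of /etc/docker/daemon.json and the dockerd command line.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for severity, listener in audit(SAMPLE_DAEMON_JSON, SAMPLE_CMDLINE):
        print(f"{severity}: Docker API listening on {listener} without client certificate checks")
```

A clean result covers only the daemon's own settings; firewall rules and cloud security groups that expose the port need a separate review.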

Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware, but Doki represents an evolution in payload. The Doki attackers are using an existing Ngrok-based botnet to spread the backdoor, via a network scanner that targets hardcoded ranges of IP addresses for cloud providers, such as Amazon Web Services and local cloud providers in Austria, China and the United Kingdom.

After identifying a vulnerable server and gaining entry to it via the open API, the attackers are setting up publicly available, curl-based images within the Docker Hub.


News URL

https://threatpost.com/doki-backdoor-docker-servers-cloud/157871/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Docker 24 3 26 28 16 73