Doki Backdoor

Doki is a backdoor trojan that enrols exposed Docker containers into a cryptocurrency mining botnet.

Report a cyber attack: call 0300 303 5222 or email [email protected]


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Doki is a backdoor trojan attributed to the Ngrok advanced persistent threat (APT) group. It targets Docker hosts in the cloud whose daemon API has been left exposed to the internet.

Delivery

Security researchers have observed Doki being deployed remotely to Docker installations whose daemon management API (TCP 2375 by default, or 2376 when TLS is configured) has been left publicly exposed. An unauthenticated daemon API lets a remote attacker create and start containers of their choosing, which is all the foothold Doki needs.


Activities

Doki uses a domain generation algorithm (DGA) that queries a public Dogecoin block-explorer API to determine the command and control (C2) server domain to use: a value read from the operators' Dogecoin wallet is hashed, and the result is used as a subdomain of a dynamic DNS provider (ddns.net). Because the DGA input lives on the public blockchain, the operators can change the C2 domain at any time simply by making a transaction from the wallet they control, without pushing an update to infected hosts.

Compromised systems are enrolled into Ngrok's cryptocurrency mining botnet.
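How the DGA ties the C2 domain to the blockchain, and how a defender can hunt for the resulting names in DNS logs, as an added example (this is not the advisory's code and not the malware's own code). The derivation shown, SHA-256 of the wallet's total "sent" value with the first 12 hex characters used as a ddns.net subdomain, comes from public analysis of the sample and is an assumption here; the wallet value and the DNS log lines are constructed, and the C2 domain in the log is the indicator listed on this page.

```python
import hashlib
import re

DDNS_SUFFIX = ".ddns.net"
# Doki-style C2 names: 12 lowercase hex characters under ddns.net.
C2_PATTERN = re.compile(r"^[0-9a-f]{12}\.ddns\.net$")


def doki_c2_domain(sent_value: str) -> str:
    """Derive the C2 domain from the 'sent' value of the operators' Dogecoin wallet.

    The live malware fetches this value from a public Dogecoin block-explorer API;
    it is passed in here so the example runs offline. The hashing scheme (SHA-256,
    first 12 hex characters) is taken from public analysis, not from the advisory.
    """
    digest = hashlib.sha256(sent_value.encode("ascii")).hexdigest()
    return digest[:12] + DDNS_SUFFIX


def matching_dns_queries(log_lines: list[str]) -> list[str]:
    """Return queried names in the given log lines that fit the Doki C2 pattern.

    Any token on the line is checked, so the function is independent of the
    resolver's log layout. A hit is a lead, not a verdict: every 12-hex-character
    ddns.net host matches, so correlate with the host indicators before acting.
    """
    hits = []
    for line in log_lines:
        for token in line.split():
            name = token.rstrip(".").lower()
            if C2_PATTERN.match(name):
                hits.append(name)
    return hits


# Constructed resolver log lines (not real traffic).
DNS_LOG = [
    "2020-07-29T10:15:02Z 10.0.4.12 query A 6d77335c4f23.ddns.net",
    "2020-07-29T10:15:03Z 10.0.4.12 query A registry-1.docker.io",
    "2020-07-29T10:15:09Z 10.0.4.17 query A myhome.ddns.net",
]

if __name__ == "__main__":
    # Constructed wallet value; a real sample reads it from the blockchain.
    print("derived C2 domain:", doki_c2_domain("4700.11"))
    print("suspicious queries:", matching_dns_queries(DNS_LOG))
```

Because the DGA input is public, a defender who knows the wallet can precompute the current domain the same way the malware does and block it at the resolver; the pattern match is the fallback when the wallet is not known.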


Remediation advice

Container server administrators should ensure that the Docker daemon API is not reachable from the internet: keep the daemon on its local Unix socket or bound to localhost, require mutual TLS (client certificates) if remote access is genuinely needed, and block the API ports at the firewall. A compromise can be detected by monitoring for exposed API ports, containers or images that the team did not create, and sustained high CPU usage typical of cryptocurrency mining.
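Two of the checks above, the exposed-API configuration and the unknown-container review, as an added example (not the advisory's code). It audits a Docker `daemon.json` document, showing the weak setting beside the hardened one, and flags running containers whose image is not on an allowlist; both the configuration documents and the `docker ps --format '{{json .}}'` output are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json contents. The weak form exposes the API on every
# interface without client authentication, which is the exposure Doki abuses.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened form: loopback only, and clients must present a certificate signed
# by the CA in tlscacert.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return findings for the TCP listeners declared in a daemon.json document."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local to the host
        addr = urlsplit(host).hostname or ""
        if addr in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: API bound to all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: client certificates not required (tlsverify unset)")
    return findings


# Constructed `docker ps --format '{{json .}}'` output, one JSON object per line.
DOCKER_PS_LINES = """
{"ID":"3f1c2a9b7e4d","Image":"nginx:1.25","Names":"web","Status":"Up 3 days"}
{"ID":"9b8e7d6c5a43","Image":"alpine:latest","Names":"nostalgic_wright","Status":"Up 2 hours"}
"""

# Images the team deliberately deploys on this host (constructed allowlist).
APPROVED_IMAGES = {"nginx:1.25"}


def unknown_containers(ps_lines: str, approved: set[str]) -> list[str]:
    """Return 'name (image)' for each running container whose image is not approved."""
    unknown = []
    for line in ps_lines.strip().splitlines():
        container = json.loads(line)
        if container["Image"] not in approved:
            unknown.append(f'{container["Names"]} ({container["Image"]})')
    return unknown


if __name__ == "__main__":
    print("weak config:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened config:", audit_daemon_config(HARDENED_DAEMON_JSON))
    print("containers to review:", unknown_containers(DOCKER_PS_LINES, APPROVED_IMAGES))
```

Run the audit against the real `/etc/docker/daemon.json` and the real `docker ps` output on each host; a listener on `0.0.0.0` without `tlsverify` should be treated as an internet-facing unauthenticated API until the firewall rules prove otherwise.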


Indicators of compromise

Host indicators

File Hash (SHA-256)

  • 4aadb47706f0fe1734ee514e79c93eed65e1a0a9f61b63f3e7b6367bd9a3e63b
Network indicators

Command and control (C2) server domain

  • 6d77335c4f23[.]ddns[.]net

Last edited: 30 July 2020 4:50 pm