Doki stays under the radar and abuses the Dogecoin blockchain in an unusual way to generate its C2 domain address and gain access to cloud servers. It is deployed by a botnet known as Ngrok.
The malware uses these domain addresses to find further vulnerable cloud servers within the victim's network. Intezer's research report offers additional details about the attack:
“The attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet. Since only the attacker has control over the wallet, only he can control when and how much dogecoin to transfer, and thus switch the domain accordingly.”
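To make the mechanism concrete from a defender's side, here is an added illustration (not code from the article or from Intezer's report): if an attacker selects the C2 domain through the amount of each outbound wallet transfer, then anyone who can watch that wallet can derive the same candidate domains and hunt for them in DNS logs. The hashing scheme, the `.ddns.net` suffix, the wallet transactions and the log lines are all constructed assumptions for the example; the article does not state the real derivation.

```python
import hashlib
from decimal import Decimal

# Constructed sample: outgoing transfers observed from the attacker-controlled
# wallet. Amounts and ids are made up; the article names no wallet or values.
SAMPLE_WALLET_TXS = [
    {"txid": "tx-0001", "amount": "13.37", "direction": "out"},
    {"txid": "tx-0002", "amount": "42.00", "direction": "in"},   # inbound: ignored
    {"txid": "tx-0003", "amount": "0.5",   "direction": "out"},
]

DDNS_SUFFIX = ".ddns.net"  # assumed dynamic-DNS suffix, used only for illustration


def normalize_amount(amount) -> str:
    """Canonical string for a coin amount so '13.37' and '13.370' hash identically.
    Sloppy normalization is a classic way a defender's reproduction diverges
    from the malware's own computation."""
    return format(Decimal(str(amount)).normalize(), "f")


def domain_from_amount(amount, suffix: str = DDNS_SUFFIX) -> str:
    """Assumed derivation: SHA-256 of the normalized amount, first 12 hex chars.
    This is a stand-in for whatever scheme the real malware uses."""
    digest = hashlib.sha256(normalize_amount(amount).encode()).hexdigest()
    return digest[:12] + suffix


def candidate_c2_domains(txs):
    """Defender view: every outbound transfer 'selects' one domain, so the set of
    domains the malware may ever resolve is enumerable from the public ledger."""
    return sorted({domain_from_amount(tx["amount"]) for tx in txs if tx["direction"] == "out"})


def match_dns_log(log_lines, candidates):
    """Return the log lines whose queried name (third whitespace field in this
    constructed format: '<ts> <client> <qname> <qtype>') is a predicted domain."""
    cand = set(candidates)
    return [ln for ln in log_lines if len(ln.split()) >= 3 and ln.split()[2] in cand]


def run_demo():
    """Build constructed DNS lines, one of which hits a predicted domain."""
    candidates = candidate_c2_domains(SAMPLE_WALLET_TXS)
    log = [
        "2020-07-28T10:00:01Z 10.0.0.5 updates.example.org A",
        f"2020-07-28T10:00:02Z 10.0.0.5 {candidates[0]} A",
        "2020-07-28T10:00:03Z 10.0.0.7 mail.example.org MX",
    ]
    return candidates, match_dns_log(log, candidates)
```

Feeding the candidate list into a DNS blocklist or a retrospective query over resolver logs is the practical use; the wallet watch itself would read from a public block explorer instead of the constructed list.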
Intezer has pointed out that deploying malware that abuses a cryptocurrency blockchain in this way can be quite effective at evading law enforcement agencies and cyber security products.
According to Intezer, this is one of the main reasons Doki stayed undetected for more than six months, despite being listed in the VirusTotal database in January.
The research report also stressed that the attack "is very dangerous":
“Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign.”
Recently, the threat research team at Cisco Systems identified a cryptojacking botnet, referred to as "Prometei." This botnet mines Monero (XMR) and steals information from the infected system.