
Cybersecurity researchers today uncovered a completely undetectable Linux malware strain that uses undocumented techniques to stay under the radar and targets publicly accessible Docker servers hosted on popular cloud platforms, including AWS, Azure, and Alibaba Cloud.

Docker is a popular platform-as-a-service (PaaS) solution for Linux and Windows designed to make it easier for developers to create, test, and run their applications in a loosely isolated environment called a container.

According to the latest research Intezer shared with The Hacker News, an ongoing Ngrok mining botnet campaign is scanning the Internet for misconfigured Docker API endpoints and has already infected many vulnerable servers with new malware.

While the Ngrok mining botnet has been active for the past two years, the new campaign is primarily focused on taking control of misconfigured Docker servers and exploiting them to set up malicious containers running cryptominers on the victims’ infrastructure.
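The "misconfigured Docker API endpoint" the campaign looks for is a daemon that accepts API calls over TCP without client certificate verification, so anyone who can reach the port can create containers. The audit below is an added example, not code from Intezer or the article; it assumes the daemon is configured through daemon.json, uses Docker's real `hosts`, `tls` and `tlsverify` keys, and runs on constructed sample configs.

```python
"""Audit a Docker daemon.json for an API listener exposed without mutual TLS.

Added example (not from the Intezer research or the article). Docker's
daemon.json keys "hosts", "tls" and "tlsverify" are real; the sample
configurations below are constructed for demonstration.
"""
import json
from urllib.parse import urlsplit

# Constructed sample configs (not real victim data).
# Weak: plain TCP API on the conventional unencrypted port, no TLS at all.
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Hardened: TLS port with tlsverify, so clients must present a cert signed by the CA.
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return one finding per TCP listener that lacks client-cert verification.

    "tls": true alone only encrypts the channel; without "tlsverify": true the
    daemon still answers any unauthenticated remote client, which is exactly
    what lets a scanner start its own containers on the host.
    """
    cfg = json.loads(daemon_json)
    mutual_tls = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        if mutual_tls:
            continue
        addr = parts.hostname or "0.0.0.0"  # empty host means all interfaces
        on_all_interfaces = addr in ("0.0.0.0", "::")
        note = " and bound to all interfaces" if on_all_interfaces else ""
        findings.append(f"{host}: TCP API listener without tlsverify{note}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```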

Dubbed ‘Doki,’ the new multi-threaded malware leverages “an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address despite samples being publicly available in VirusTotal.”
