New Linux Malware Uses Dogecoin To Target Docker Servers

by | Dec 11, 2022

Security researchers have discovered undetectable Linux Malware that utilizes unknown techniques to remain under the radar and targets publicly accessible Docker servers hosting common cloud platforms, including AWS, Azure, and Alibaba Cloud.

When user organizations migrate off-premises more of their business infrastructure, cybercriminals are becoming increasingly inspired to target cloud environments built on Linux, including Docker servers with misconfigured API ports.

And while crypto-jacking schemes comprise some of the more traditional varieties of such Linux-based malware attacks, researchers have just revealed the discovery of a Docker container attack that distributes a malicious “completely undetectable” backdoor that exploits the Dogecoin cryptocurrency blockchain for dynamic generation of C2 domains.

What is Docker Server?

Docker is a platform designed to facilitate the development, deployment, and running of applications using containers. Containers allow a developer to assemble and deploy an application as one assemble, with all the parts it needs, such as libraries and other dependencies. Through this, the developer may rest assured, thanks to the container, that the program can run on every other Linux machine irrespective of any modified settings that the computer might have that may vary from the computer used to write and check the code.

Docker is sort of like a virtual machine, in a way. But unlike a virtual machine, instead of building a full virtual operating system, Docker allows applications to use the same Linux kernel as the system they are running on and needs only applications to be shipped with items that are not already running on the host. This provides a significant boost in efficiency and reduces application size.

The Docker Servers attack

The vulnerability is aimed at misconfigured containerized cloud environments. The attackers search for and manipulate publicly available Docker API ports to mount their own containers and execute the malware on the infrastructure of the victims. During this attack, the attackers spawn and remove a number of containers.

Any container created during the attack is based on an alpine image mounted with curl. The picture can be seen on the Docker website. The picture is not malicious, but to conduct malicious acts is being exploited. Curl commands are executed by using an image that includes the curl program as soon as the container is up and running.

The benefit of using an image that is open to the public is that the attacker does not need to hide it on Docker hub or other hosting solutions. The attackers may then use an existing image and execute their own logic and malware on top of it.

As mentioned above, however, attackers may build any container that they will use as a container escape method to execute code from the hosting machine. The technique is based on constructing a new container that is achieved by posting a request for a ‘build’ API. The application body includes container configuration parameters. One of the parameters is bind which allows the user to configure which file or directory to mount into a container on the host machine.

Containers that are created during the attack are configured to bind /tmpXXXXXX to the hosting server’s root directory. It ensures that any file on the server filesystem can be accessed and even changed from inside the container, with the appropriate user permissions.

Ngrok is a service that provides secure tunnels to communicate with the public internet from local servers. The attacker exploits Ngrok to create short-lived unique URLs and uses them to access payloads during the attack by transferring them to the image based on curl. The downloaded payload is stored in the file directory /tmpXXXXXX.

Using the attached configuration, the host cron function can be managed by the attacker. The attacker modifies the cron of the host to execute every minute of the downloaded payload. We have observed two types of payloads: one is a script for network scanners and the other is a script for downloaders.

The network scanner checks the ports associated with Redis, Docker, SSH, and HTTP using map, zgrap, and jq.

Using a list of hardcoded IP address ranges, which often belong to cloud servers such as AWS and local cloud providers in international regions (we’ve seen providers from China, Austria, and the UK), the script collects the information and uploads it to another Ngrok URL.

The downloader script is responsible for downloading and installing various malware binaries, which are also one of many well-known crypto miners. We found that a fully undetected portion of malware can be installed too. We have called this malware Doki and in the next section, we will include a technical review.

The attacker has full control over the design of the container that he generates and the files that fall into the container. The attacker can escape from the container he created by using valid API commands and executing any code from inside the server itself.

Increase in Targeting Instances Docker servers Attacks

Moreover, while the C&C framework for Doki malware is something clever and innovative, the real challenge here is the relentless attacks on Docker servers. Docker servers have been steadily attacked by malware operators over the last few months, and in particular by crypto-mining gangs.

Cyber Security firms have documented several different crypto-mining campaigns just over the past month that targeted misconfigured Docker APIs to install new Linux servers where they run crypto-mining malware to make a profit using resources for the victim.

It includes Palo Alto Networks results, and two Aqua studies[1, 2]. In addition, the cyber-security company Trend Micro also posted on a series of attacks in which hackers attacked Docker servers to mount DDoS malware, an unusual case where hackers did not opt for a crypto-mining payload.

All in all, the conclusion here is that businesses using Docker as their cloud platform for virtualization need to ensure that the API of the management interface is not exposed to the internet —a slight misconfiguration that enables third parties to access their Docker installation.

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

Undetectable Linux Malware Targeting Docker Servers With Exposed APIs … stay under the radar and targets publicly accessible Docker servers hostings.

How to get Microsoft Defender Health on Mac Fleet

Managing Macs for multiple companies gives us the opportunity to work in various environment and detect issues where it occurs first & then implement a solution for all others at the same time. Recently there was a requirement to find if there are MDD instances...

Implementing Machine Learning in IT Support Setup

Machine learning has the potential to revolutionize the way IT support businesses operate. This cutting-edge technology can be applied in a number of ways to improve the efficiency, accuracy, and speed of IT support services. Here are some ways that machine learning...

Benefits of Apple Business Managers

Apple Business Manager is a web-based platform designed to streamline the process of purchasing, deploying, and managing Apple devices within a business organization. It allows IT administrators to manage and distribute Apple devices and apps to their employees,...

Adoption of Macs in Enterprise: A Growing Trend

This image belongs to In recent years, there has been a growing trend of enterprises adopting Macs as their primary desktop and laptop computers. This shift in technology can be attributed to several factors, including...

ESG as future of IT

ESG, or environmental, social, and governance, is becoming increasingly important in the field of IT. As technology continues to advance and play a larger role in our daily lives, companies are being held to higher standards in terms of their impact on the environment...

Secure Your Mac with FileVault

FileVault is a built-in encryption tool for Macs that helps protect your data from unauthorized access by encrypting your hard drive. Enabling FileVault is a simple process that only takes a few minutes, and it can give you peace of mind knowing that your data is safe...

Is outsourcing IT to India is better or keeping it inhouse?

There are pros and cons to both outsourcing IT services to India and keeping IT within the company. Ultimately, the decision to outsource or keep IT in-house will depend on the specific needs and goals of the company, as well as the resources and capabilities...

How to be a good SCRUM Master

In an Agile development team, the Scrum Master is a crucial role that helps the team to work effectively and efficiently. A Scrum Master is responsible for facilitating the team's use of the Scrum framework and ensuring that the team is able to deliver high-quality...

Basics of Enterprise Patch Management

Enterprise patch management is the process of ensuring that all the software and applications within an organization are kept up-to-date with the latest patches and updates. This is important because software and applications are constantly being improved and updated...

Cost saving for enterprises by choosing M1 Macs

The M1 Mac has had a significant impact on the enterprise market since its release. As a highly-efficient and powerful machine, the M1 Mac has proven to be a valuable asset to businesses in a variety of industries. One of the key benefits of the M1 Mac is its improved...

CRM Is A Process, Not A Product! How Can We Make CRM A Successful Tool?

CRM (Customer Relationship Management) is software that allows businesses to manage business relationships and information associated with them. It provides a platform that manages interactions with customers, stores information about them, and automates processes...


Digital Workplace Services

Automated Tasks

 Office IT Support

Intune for Win & Mac

Citrix Virtual Apps

Mac Win iOS Android

Mac & Win Trained