The first malware with Dogecoin


By Alfredo de Candia - 30 Jul 2020


A recent report by Intezer, a company that analyzes malware and detects cyber attacks, describes a new piece of Linux malware that makes novel use of the Dogecoin cryptocurrency: rather than mining it, the malware reads Dogecoin blockchain transactions to work out where its command-and-control server currently lives.

This is a server-side attack: the targets are Linux hosts, including cloud instances on platforms such as Amazon's AWS and Microsoft's Azure, and the malware uses the transactions of an attacker-controlled cryptocurrency wallet to generate its C&C (Command & Control) domain names.

The malware, nicknamed Doki, was not flagged by any of the more than 60 antivirus engines it had been scanned against, even though the sample had first been submitted for analysis in January of this year.

Doki, the malware that abuses Dogecoin

It targets misconfigured Docker installations whose API port is exposed to the internet; through that unauthenticated API the attackers create their own containers and run their software undisturbed.
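The exposure Doki relies on is a Docker daemon listening on a TCP port without TLS client verification. The following is an added example, not code from the Intezer report or from the article, that audits a daemon.json document for that weakness; the two configurations it contains are constructed for illustration, and the port numbers are Docker's conventional ones (2375 plain, 2376 TLS).

```python
"""Audit a Docker daemon.json for an unauthenticated remote API.

Added example (not from the Intezer report). A Docker daemon reachable over
tcp:// without tlsverify lets anyone who can reach the port start containers,
which is exactly the foothold the article describes.
"""
import json
from typing import List
from urllib.parse import urlsplit

# Addresses that mean "listen on every interface".
ALL_INTERFACES = (None, "", "0.0.0.0", "::")


def audit_daemon_config(config_text: str) -> List[str]:
    """Return a list of findings for the given daemon.json text (empty = OK)."""
    cfg = json.loads(config_text)
    findings = []
    hosts = cfg.get("hosts", [])          # default (no key) is the unix socket only
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue                      # unix:// and fd:// are local-only sockets
        if not tls_verify:
            findings.append(
                f"{host}: TCP listener without tlsverify; any client that can "
                f"reach this port controls the daemon")
        elif parts.hostname in ALL_INTERFACES:
            findings.append(
                f"{host}: TLS-verified but bound to all interfaces; restrict "
                f"the bind address or firewall the port")
    return findings


# Constructed sample: the weak configuration Doki's operators look for.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: remote API only on an internal address, with mutual TLS.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(text) or ["no findings"])
```

The check is deliberately narrow: it reads only the `hosts` and `tlsverify` keys, so a daemon started with `-H tcp://...` on the command line rather than through daemon.json would have to be checked from the process arguments or a listening-port listing instead.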

In addition, the malware combines the DynDNS dynamic DNS service with a DGA (Domain Generation Algorithm) driven by the Dogecoin blockchain, so that it can find its current C2 domain in real time without any domain being hardcoded in the binary.

In detail, this is the process:

  1. Query dogechain.info API, a Dogecoin cryptocurrency block explorer, for the value that was sent out (spent) from a hardcoded wallet address that is controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address}
  2. Perform SHA256 on the value returned under “sent”
  3. Save the first 12 characters from the hex-string representation of the SHA256 value, to be used as the subdomain.
  4. Construct the full address by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net.
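The four steps above, implemented as an added example that is not code from the Intezer report or from Doki itself, together with a simple hunt over DNS query logs for names of the shape the algorithm produces. To run offline it uses a constructed stand-in for the dogechain.info API response; the assumption, which the report does not spell out, is that the "sent" value is hashed as the text string the API returns. The DNS log format and its entries are also constructed.

```python
"""Doki-style Dogecoin DGA plus a DNS-log hunt for the domains it yields.

Added example, not from the Intezer report. Assumption: the "sent" value is
hashed as the ASCII text the explorer API returns.
"""
import hashlib
import json
import re
from typing import List

DDNS_SUFFIX = "ddns.net"

# Constructed stand-in for the reply to
# https://dogechain.info/api/v1/address/sent/{address}; illustrative numbers only.
SAMPLE_API_RESPONSE = '{"sent": "1234.56780000", "success": 1}'


def subdomain_from_sent(sent_value: str) -> str:
    """Steps 2 and 3: SHA256 the 'sent' value, keep the first 12 hex chars."""
    digest = hashlib.sha256(sent_value.encode("ascii")).hexdigest()
    return digest[:12]


def c2_domain(api_response_text: str) -> str:
    """Steps 1 to 4: parse the explorer response and build the full domain."""
    payload = json.loads(api_response_text)
    if payload.get("success") != 1 or "sent" not in payload:
        raise ValueError("unexpected explorer response")
    # The value changes each time the attacker spends from the wallet, which
    # is how the operator rotates the C2 domain without touching the malware.
    return f"{subdomain_from_sent(str(payload['sent']))}.{DDNS_SUFFIX}"


# Hunt pattern: exactly 12 hex characters directly under ddns.net.
DOKI_PATTERN = re.compile(r"^[0-9a-f]{12}\.ddns\.net$", re.IGNORECASE)


def find_dga_lookups(dns_log_lines: List[str]) -> List[str]:
    """Return queried names matching the Doki DGA shape, in log order.

    Constructed log format: '<timestamp> <client> <qtype> <qname>'.
    """
    hits = []
    for line in dns_log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                      # malformed or truncated line
        qname = fields[3].rstrip(".")
        if DOKI_PATTERN.match(qname):
            hits.append(qname.lower())
    return hits


# Constructed DNS log: the defanged example from the report (re-fanged), a
# benign dynamic-DNS host, a 12-character name that is not hex, and the
# domain produced from SAMPLE_API_RESPONSE.
SAMPLE_DNS_LOG = [
    "2020-07-30T10:00:01Z 10.0.0.5 A 6d77335c4f23.ddns.net",
    "2020-07-30T10:00:02Z 10.0.0.7 A myhome.ddns.net",
    "2020-07-30T10:00:03Z 10.0.0.7 A deadbeefxyz1.ddns.net",
    f"2020-07-30T10:00:04Z 10.0.0.5 A {c2_domain(SAMPLE_API_RESPONSE)}",
]


if __name__ == "__main__":
    print("current C2 domain:", c2_domain(SAMPLE_API_RESPONSE))
    print("suspicious lookups:", find_dga_lookups(SAMPLE_DNS_LOG))
```

The hunt pattern is cheap to run but not specific on its own: any 12-hex-character ddns.net host will match, so a hit is a lead to pivot on (which host queried it, whether it runs Docker, whether the Docker API port is exposed) rather than a verdict. Because the attacker's wallet address is public once a sample has been analysed, a defender can also compute the exact current domain from the explorer's "sent" value and block or sinkhole it.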

Behind this campaign is the Ngrok botnet, which has been active for some time and has evolved to evade the detection methods and tools most commonly deployed.

Part of the reason is that few security solutions inspect server memory for abnormal activity at runtime, which is where the malicious payload actually executes. Intezer's own product, Intezer Protect, is one of the tools that does.


