
The first malware with Dogecoin

A recent report by Intezer, a company specialising in malware analysis and attack detection, describes a new piece of malware that relies on the Dogecoin blockchain. It does not mine the coin: it reads the transaction history of an attacker-controlled Dogecoin wallet to work out where its command-and-control server is.

This is a server-side attack against Linux hosts on cloud platforms such as Amazon’s AWS and Microsoft’s Azure. The hosts are reached through exposed Docker services, and the malware uses a blockchain wallet to generate its C&C (Command & Control) domain names.

The malware, nicknamed Doki, was not flagged by any of the more than 60 anti-malware engines it was checked against, even though a sample had been submitted for analysis in January this year.

Doki, the malware that uses Dogecoin for command and control

It targets Docker installations whose API port has been left exposed to the internet. Through that misconfigured port the attackers can create containers on the host and run their own software undisturbed.

In addition, the malware uses the DynDNS dynamic-DNS service and a DGA (Domain Generation Algorithm) driven by the Dogecoin blockchain to work out its C2 domain in real time. Because the domain is derived from the wallet’s transaction history, the operator can move the C2 to a new hostname simply by sending a transaction from that wallet, without touching the infected hosts.

In detail, this is the process:

  1. Query the dogechain.info API (a Dogecoin block explorer) for the total value sent (spent) from a hardcoded wallet address controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address}
  2. Compute SHA-256 over the value returned in the “sent” field.
  3. Keep the first 12 characters of the hex-string representation of that SHA-256 digest; this becomes the subdomain.
  4. Build the full hostname by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net.
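The four steps above re-implemented in Python, together with the defensive counterpart: anyone who knows the wallet address can run the same computation and alert on DNS lookups for the resulting hostname. This is an added example written for this page, not Intezer’s code or the malware’s own. The wallet address is a placeholder rather than the real hardcoded one, the explorer’s JSON response and the DNS log lines are constructed for the demo, and the assumption that the malware hashes the “sent” value exactly as the API returns it (as text) is not stated in the report.

```python
"""Doki-style Dogecoin DGA and a matching detector (added example, not the original
malware or Intezer's code).

Assumptions not stated on the page:
  * the malware hashes the "sent" value as the exact text the API returns, so the
    byte representation matters ("2200.5" and "2200.50" give different domains);
  * WALLET_ADDRESS is a placeholder, not the attacker's real hardcoded address.
"""
import hashlib
import json
import re

DDNS_SUFFIX = "ddns.net"
# Placeholder for the attacker-controlled address (hypothetical value).
WALLET_ADDRESS = "DPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxx"

# Constructed stand-in for the body that
# https://dogechain.info/api/v1/address/sent/{address} would return at run time.
SAMPLE_API_RESPONSE = '{"sent": "2200.5", "success": 1}'


def doki_subdomain(sent_value: str) -> str:
    """Steps 2 and 3: SHA-256 over the 'sent' text, first 12 hex characters."""
    digest = hashlib.sha256(sent_value.encode("utf-8")).hexdigest()
    return digest[:12]


def doki_domain(sent_value: str) -> str:
    """Step 4: append the dynamic-DNS zone to the subdomain."""
    return f"{doki_subdomain(sent_value)}.{DDNS_SUFFIX}"


def domain_from_api_response(body: str) -> str:
    """Step 1 (parsing side): pull the 'sent' field out of the explorer's JSON."""
    sent = json.loads(body)["sent"]
    # Hash the textual form. If the API returned a JSON number instead of a string,
    # str() is only a guess at what the malware would do (assumption).
    return doki_domain(sent if isinstance(sent, str) else str(sent))


# Detection side. A defender who knows the wallet can precompute the exact domain.
# The looser regex matches the *shape* of the DGA output (12 hex chars under
# ddns.net) but will also hit benign dynamic-DNS hosts that happen to look like that,
# so shape-only hits need triage rather than an automatic block.
DGA_SHAPE = re.compile(r"\b[0-9a-f]{12}\." + re.escape(DDNS_SUFFIX) + r"\b")


def find_dga_lookups(log_lines, expected_domain):
    """Return (exact_hits, shape_only_hits) over DNS query log lines."""
    exact, shape = [], []
    for line in log_lines:
        if expected_domain in line:
            exact.append(line)
        elif DGA_SHAPE.search(line):
            shape.append(line)
    return exact, shape


# Constructed dnsmasq-style query log lines for the demo.
SAMPLE_DNS_LOG = [
    "Jul 28 10:01:02 dnsmasq[812]: query[A] api.github.com from 10.0.3.7",
    "Jul 28 10:01:05 dnsmasq[812]: query[A] " + doki_domain("2200.5") + " from 10.0.3.7",
    "Jul 28 10:01:09 dnsmasq[812]: query[A] deadbeefcafe.ddns.net from 10.0.3.9",
    "Jul 28 10:01:11 dnsmasq[812]: query[A] myhome.ddns.net from 10.0.3.9",
]

if __name__ == "__main__":
    expected = domain_from_api_response(SAMPLE_API_RESPONSE)
    print("expected C2 domain:", expected)
    # The operator rotates the domain by spending from the wallet, which changes
    # "sent"; no new binary has to be pushed to the infected hosts.
    print("after another spend:", doki_domain("2300.5"))
    exact, shape = find_dga_lookups(SAMPLE_DNS_LOG, expected)
    print("exact hits:", exact)
    print("shape-only hits (needs triage):", shape)
```

Two practical notes. First, the precomputed domain is only as current as the wallet’s “sent” total, so a detector has to re-query the explorer (or watch the address on-chain) and refresh the expected hostname whenever the attacker spends. Second, the regex alone is a weak signal because ddns.net is a legitimate dynamic-DNS provider; it is useful for hunting, but the exact-match path is what should drive an alert.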

Behind this campaign is the Ngrok botnet, which has been running for a long time and has gradually evolved to evade the most common malware-detection methods and products.

In fact, few security products inspect server memory at run time for anomalous code, even though that is where these malicious payloads actually execute.

Intezer Protect is one of the products that does perform this kind of memory-level check.


Alfredo de Candia
An Android developer for more than eight years on Google’s Play Store with around ten apps, Alfredo climbed Mount Fuji at 21, following the saying “He who climbs Mount Fuji once in his life is a wise man; he who climbs it twice is a fool”. His apps include a Japanese dictionary, a spam and virus database, the most complete database of Anime and Manga series birthdays, and a database of shitcoins. A Sunday miner, Alfredo has a strong passion for crypto and is a fan of EOS.