New form of Linux malware has a clever use for the Dogecoin API


As more businesses shift their workloads to cloud environments, Linux threats are becoming increasingly common and cybercriminals have devised new tools and techniques to launch attacks against Linux infrastructure.

One technique they often employ is scanning for publicly reachable Docker hosts and then abusing an unauthenticated Docker API port to start their own containers and execute malware on the victim's infrastructure. The Ngrok botnet is one of the longest-running attack campaigns that leverages this technique, and a new report from Intezer Labs shows that it takes only a few hours for a newly exposed, misconfigured Docker host to be infected by this campaign.
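The misconfiguration the campaign hunts for is a Docker daemon whose API listens on TCP without client authentication. The following audit function is an added example written for this page; it is not code from the article, from Intezer or from the Docker project. It checks the `hosts`, `tls` and `tlsverify` keys of a `daemon.json` and reports a weak configuration beside a hardened one. The sample configurations are constructed, the finding codes are invented for the example, and treating a bare `tcp://` entry as a listener on all interfaces and port 2375 is an assumption about the daemon's defaults.

```python
import json
from typing import List
from urllib.parse import urlparse

# Constructed daemon.json contents for the example (not taken from any real host).
# The weak one is the shape the Ngrok campaign looks for: a plaintext TCP listener
# on every interface with no client certificate check.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: bound to one internal address, TLS with mandatory client certificates.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker_daemon(config_json: str) -> List[str]:
    """Return a list of 'CODE: detail' findings for the TCP listeners in a daemon.json.

    Finding codes (invented for this example):
      UNAUTHENTICATED_TCP     plaintext API, no client authentication at all
      TLS_WITHOUT_CLIENT_AUTH tls enabled but tlsverify off: encrypted, still open to anyone
      ALL_INTERFACES          listener bound to 0.0.0.0 or ::
    """
    cfg = json.loads(config_json)
    tlsverify = bool(cfg.get("tlsverify", False))
    tls = tlsverify or bool(cfg.get("tls", False))
    findings: List[str] = []

    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        u = urlparse(h)
        # Assumption: a bare "tcp://" means all interfaces on the default port.
        host = u.hostname or "0.0.0.0"
        port = u.port or (2376 if tls else 2375)
        where = f"{host}:{port}"

        if not tls:
            findings.append(
                f"UNAUTHENTICATED_TCP: {h} ({where}) lets any reachable client "
                "create containers and run code as root on the host")
        elif not tlsverify:
            findings.append(
                f"TLS_WITHOUT_CLIENT_AUTH: {h} ({where}) encrypts traffic but "
                "accepts any client; set tlsverify and a CA")
        if host in ("0.0.0.0", "::"):
            findings.append(f"ALL_INTERFACES: {h} listens on every interface ({where})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_docker_daemon(cfg) or ['no findings']}")
```

Run it against `/etc/docker/daemon.json` on a host, or feed it the systemd unit's `-H` flags converted to the same JSON shape, which is where the listener is often set instead of the config file.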

Recently, though, the company detected a new malware payload, which it dubbed Doki, that differs from the cryptominers typically deployed in this kind of attack. What sets Doki apart from other malware is that it leverages the Dogecoin API to determine the URL of its operator's command and control (C&C) server.

The malware has managed to remain in the shadows and undetected for over six months despite the fact that samples of Doki are publicly available in VirusTotal.

Doki malware

Once the attackers abuse the Docker API to start new containers inside a company's cloud infrastructure, those containers, which run a version of Alpine Linux, are infected with crypto-mining malware as well as Doki.

According to Intezer's researchers, Doki's purpose is to let the attackers maintain control over the hosts they have hijacked so that their cryptomining operations continue. The new malware differs from other backdoor trojans, however, in using the Dogecoin API to determine the URL of the C&C server it needs to contact to receive new instructions.

Doki uses a domain generation algorithm (DGA) whose input comes from the Dogecoin API: the C&C address is derived from data about a wallet that the operators control. Because that data lives on a public blockchain, the operators of the Ngrok botnet can change the server the malware receives its commands from by making a single transaction from that wallet, with no update to the implant itself.

If DynDNS receives an abuse report about the current Doki C&C hostname and takes it down, the criminals only need to make a new transaction, compute the resulting subdomain value, set up a new DynDNS account and claim that subdomain. This tactic makes it very difficult for businesses and even law enforcement to dismantle Doki's backend infrastructure, since they would first have to take control of the Dogecoin wallet away from the Ngrok botnet's operators.
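The two preceding paragraphs describe a blockchain-driven DGA and why a single transaction is enough to rotate the C&C host. The code below is an added illustration of that mechanism, written for this page; it is not Doki's code and the construction is not taken from the Intezer report. The wallet history is a constructed sample with made-up field names, and the specific derivation (SHA-256 of the newest outgoing amount, first 12 hex characters, under an assumed dynamic-DNS zone `ddns.net`) is an assumption chosen to match the article's description, not a documented detail of the malware. The defender-side point it shows is that, because the ledger is public, every hostname the wallet history has ever implied can be recomputed and hunted for in DNS logs.

```python
import hashlib
import json
from typing import List

# Constructed sample of a wallet's transaction history, shaped like what a public
# blockchain-explorer API might return. Field names and values are invented for
# this example and are not the real dogechain.info schema.
SAMPLE_WALLET_HISTORY = json.dumps({
    "address": "DExampleOperatorWalletAddress0000000",
    "txs": [
        {"txid": "tx-0001", "time": 1593000000, "sent": "0",     "received": "100"},
        {"txid": "tx-0002", "time": 1594000000, "sent": "13.37", "received": "0"},
        {"txid": "tx-0003", "time": 1595000000, "sent": "42.0",  "received": "0"},
    ],
})

DDNS_ZONE = "ddns.net"   # assumed dynamic-DNS parent zone
LABEL_LEN = 12           # assumed length of the derived subdomain label


def outgoing_transactions(history_json: str) -> List[dict]:
    """Outgoing transactions of the wallet, oldest first."""
    data = json.loads(history_json)
    outgoing = [tx for tx in data["txs"] if float(tx["sent"]) > 0]
    return sorted(outgoing, key=lambda tx: tx["time"])


def derive_subdomain(amount: str) -> str:
    """Map a transaction amount to a DNS label: SHA-256 of the amount string,
    truncated to LABEL_LEN hex characters (assumed construction)."""
    digest = hashlib.sha256(amount.encode("ascii")).hexdigest()
    return digest[:LABEL_LEN]


def current_c2_domain(history_json: str) -> str:
    """The C&C hostname an implant would compute right now: the label derived
    from the newest outgoing transaction, under the dynamic-DNS zone."""
    outgoing = outgoing_transactions(history_json)
    if not outgoing:
        raise ValueError("wallet has no outgoing transactions yet")
    return f"{derive_subdomain(outgoing[-1]['sent'])}.{DDNS_ZONE}"


def historical_c2_domains(history_json: str) -> List[str]:
    """Every C&C hostname the wallet history has ever implied, oldest first.
    A defender can compute this from the public ledger alone and search past
    DNS logs for the labels."""
    return [f"{derive_subdomain(tx['sent'])}.{DDNS_ZONE}"
            for tx in outgoing_transactions(history_json)]


def operator_rotates_c2(history_json: str, amount: str, time: int) -> str:
    """Simulate the operator's only required action after a takedown: one new
    outgoing transaction. Returns the updated history; the new hostname follows
    from it with no change to the implant."""
    data = json.loads(history_json)
    data["txs"].append({"txid": f"tx-{len(data['txs']) + 1:04d}", "time": time,
                        "sent": amount, "received": "0"})
    return json.dumps(data)


if __name__ == "__main__":
    before = current_c2_domain(SAMPLE_WALLET_HISTORY)
    rotated = operator_rotates_c2(SAMPLE_WALLET_HISTORY, "7.7", 1596000000)
    after = current_c2_domain(rotated)
    print("implant C&C before takedown:      ", before)
    print("implant C&C after one transaction:", after)
    print("labels to hunt for in DNS logs:   ", historical_c2_domains(rotated))
```

The asymmetry the article describes falls out of the code: the operator changes one value on a ledger nobody can censor, while a takedown only removes the DynDNS record for the label currently in use. The same property cuts the other way for defenders, who can precompute the next label the moment the transaction appears and register or block it before the operator claims it.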

Via ZDNet



from TechRadar - All the latest technology news https://ift.tt/3083J4W
