Researchers uncover a new Linux malware Doki that uses Dogecoin API to find C&C server addresses


Security researchers have discovered a new Linux malware Doki that uses Dogecoin API to find C&C server addresses

Security researchers from Intezer Labs found out a new untraceable Linux malware strain in Docker-based machines that has the ability to exploit undocumented techniques without being detected using public exposed APIs by abusing Ngrok. The new malware is found in the docker systems so the researchers have dubbed it as Doki.

According to, Docker is an open-source project that automates the deployment of applications inside Linux Containers and provides the capability to package an application with its runtime dependencies into a container. It provides a Docker CLI command-line tool for the lifecycle management of image-based containers. Linux containers enable rapid application deployment, simpler testing, maintenance, and troubleshooting while improving security.

The Malware dubbed as Doki is a multi-threaded malware that supports an undocumented method to contact its operator by abusing the Dogecoin API in order to dynamically generate its C2 domain address. According to Intezer Labs researchers, the strain is being exploited by Ngork as in the recent attacks carried out by the Ngrok group this year, the hackers have targeted Docker installations where the management API has been left exposed online.

Each container that is created during the attack is based on an alpine image with curl installed. The image is available on the Docker hub. The image is not malicious but rather it’s being abused to carry out malicious activities. By using an image that contains the curl software, curl commands are executed as soon as the container is up and running.

Intezer Labs

The attacker after creating the Container on the target machine binds /tmpXXXXXX directory to the root directory leading to an ability every file on the server’s filesystem can be accessed and even modified, with the correct user permissions, from within the container.

The attacker abuses Ngrok to craft unique URLs with a short lifetime and uses them to download payloads during the attack by passing them to the curl based image. The downloaded payload is saved in /tmpXXXXXX directories in the container.

The researchers have also recommended you run their YARA rule on the Syslog file of your Docker server to check if you have been infected by this campaign. For more news on tech and cybersecurity stay tuned on Android Rookies by subscribing to our newsletter from here.


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments