
Doki Trojan

Posted: July 29, 2020

Linux malware was once considered a rare occurrence, and most cybercriminals did not experiment with threats compatible with what is considered one of the most secure operating systems. Unfortunately, the amount of Linux malware has increased drastically over the past decade, and nowadays it is not uncommon to see pieces of malware that run on both Linux and Windows. The newly spotted Doki Trojan, for example, targets Linux servers exclusively. It is usually deployed alongside cryptocurrency mining malware, and the purpose of Doki is to ensure that the miner can keep operating undisturbed. To guarantee this, Doki may look for competing cryptocurrency miners and terminate them, and it also redeploys its own miner if the miner gets removed or terminated.

The Doki Trojan and the miner that accompanies it were installed exclusively on exposed Docker installations – recently, the popular container management framework has become an attractive target for cybercriminals, and we have seen high-profile threats like the Kinsing malware exploiting its weaknesses. The gang behind the Doki Trojan is no different: they scan the Internet for unsecured Docker installations that can be exploited.

The Doki Trojan Fetches Control Server Addresses via Doge Cryptocurrency Transactions

The Doki Trojan is not that different from other backdoor Trojans dedicated to making sure that a cryptocurrency miner continues to run on a compromised server. However, it has one very special trait concerning the method it uses to communicate with its Command and Control server. It relies on a Domain Generation Algorithm (DGA) to determine the control server address – however, it does not use the typical algorithm seen in other malware families. Instead, the Doki Trojan relies on the Dogecoin API and a Doge cryptocurrency wallet managed by the attackers. The Trojan polls the Dogecoin API periodically to check whether the hardcoded wallet has any new outgoing transactions – if there are, the Doki Trojan hashes the transaction ID with SHA256 and uses the first 12 characters of the result as a sub-domain registered with Ddns.net. This means that whenever the Doki Trojan operators want to switch to a new control server address, they simply need to send some Doge from their wallet.
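Because the hostnames are derived from public wallet activity, a defender can recompute them ahead of time and watch for them in DNS logs. The following added example (not code from the original article or from the Doki authors) applies the SHA256 / first-12-characters rule and the ddns.net suffix described above to a list of transaction IDs and matches the resulting watchlist against resolver log lines; the transaction IDs and the log lines are constructed placeholders.

```python
import hashlib

# Dynamic-DNS suffix named in the article; the subdomain is derived from the
# wallet's transactions, so defenders can pre-compute the hostnames to watch.
DYNDNS_SUFFIX = "ddns.net"

# Constructed placeholder transaction IDs (not real Dogecoin transactions);
# in a real hunt they would be read from the attacker wallet's outgoing
# transaction history.
SAMPLE_TX_IDS = ["tx-placeholder-0001", "tx-placeholder-0002"]


def doki_subdomain(tx_id: str) -> str:
    """Hash the transaction ID with SHA256 and keep the first 12 hex
    characters of the digest, as the article describes."""
    return hashlib.sha256(tx_id.encode("ascii")).hexdigest()[:12]


def doki_domain(tx_id: str) -> str:
    """Full control-server hostname derived from one transaction."""
    return f"{doki_subdomain(tx_id)}.{DYNDNS_SUFFIX}"


def candidate_domains(tx_ids) -> set:
    """Watchlist of every hostname the wallet history could have produced."""
    return {doki_domain(t) for t in tx_ids}


# Constructed resolver log lines in the shape "<time> <client-ip> <name>".
# One line queries a hostname the watchlist predicts; the others are noise.
SAMPLE_DNS_LOG = [
    "2020-07-29T10:00:01Z 10.0.0.5 registry.example.internal.",
    f"2020-07-29T10:00:02Z 10.0.0.5 {doki_domain(SAMPLE_TX_IDS[0])}.",
    "2020-07-29T10:00:03Z 10.0.0.7 updates.example.internal.",
]


def find_dga_lookups(log_lines, watchlist):
    """Return (client, hostname) pairs whose queried name is on the watchlist."""
    hits = []
    for line in log_lines:
        _timestamp, client, name = line.split()
        name = name.rstrip(".").lower()  # drop the trailing root dot
        if name in watchlist:
            hits.append((client, name))
    return hits
```

Feeding the watchlist to a resolver blocklist or a SIEM lookup gives the same check at scale, and a hit pinpoints which host is polling the attacker's dynamic-DNS names.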

If you are the administrator of a Docker server, you need to take the necessary precautions to secure the management console by using secure login credentials – cybercriminals prey on poorly secured Docker servers, and usually use their unauthorized access to plant cryptocurrency mining malware.
