How Doki Malware Exploits Misconfigured Docker APIs to Mine Cryptocurrency

The Ngrok mining botnet scans for Docker API endpoints with weak configurations and deploys the Doki malware, which hijacks containers to run crypto miners, uses the Dogecoin blockchain to generate dynamic C2 domains, and evades detection, highlighting the critical need to secure Docker APIs.

Liangxu Linux

Overview

The Ngrok mining botnet actively scans the public Internet for Docker Engine API endpoints that are exposed without authentication. When a vulnerable endpoint is found, the botnet deploys a new Linux‑based backdoor malware family named Doki.

Malware Characteristics

Command‑and‑Control (C2): Doki uses the Dogecoin blockchain as a covert channel. By querying a blockchain explorer, the malware dynamically generates short‑lived domain names that point to its C2 servers.

Encryption: Network traffic and payload delivery are protected with the embedTLS library, providing TLS‑like confidentiality without requiring certificate management.

Payload Delivery: The malware creates unique, time‑limited URLs (often valid for only a few minutes) to download additional stages or mining binaries.

Host File System Access: The container Doki runs in is created with the host’s root directory bind‑mounted inside it (e.g., using -v /:/hostfs). This gives the attacker unrestricted read/write access to any file on the host.

Cron Manipulation: The attacker modifies the host’s cron tables to schedule the downloaded payload for execution every minute, ensuring persistence.

Container Escape: By leveraging privileged mounts and misconfigurations, Doki can break out of the container isolation and gain full control over the underlying host.

Network Reconnaissance: Inside the compromised host, Doki runs the scanners zmap and zgrab, with jq to parse their output, to discover additional services (Redis, Docker, SSH, HTTP) and expand the infection surface.

Attack Flow

Scanning: The botnet uses high‑speed scanners (zmap) to locate Docker API endpoints exposed on TCP port 2375/2376.

Exploitation: It sends unauthenticated Docker API calls to create a new container that runs the Doki binary.

Container Setup: The container is started with a bind‑mount of the host’s root filesystem (e.g., -v /:/hostfs) and with privileged flags.

C2 Initialization: Doki contacts the Dogecoin blockchain to retrieve the current C2 address.

Payload Retrieval: Using a short‑lived URL, the malware downloads a mining payload (often a cryptominer) into the host.

Persistence: The attacker edits /etc/crontab or user crontabs to execute the payload every minute.

Lateral Movement: Inside the compromised host, Doki runs zgrab (with jq to parse its output) to probe for other services (Redis, SSH, additional Docker daemons) and repeats the infection cycle.

Detection and Evasion

The initial Doki sample was first submitted to VirusTotal on 14 January 2020. Despite multiple re‑scans, it evaded detection by all 61 major antivirus engines for more than six months, demonstrating a high level of obfuscation and the effectiveness of its blockchain‑based C2.

Mitigation Recommendations

Never expose the Docker Engine API (port 2375/2376) to the public Internet. Restrict access to trusted internal networks or VPNs.

Enable TLS authentication for the Docker API and enforce strong client certificates.

Run Docker daemons with --icc=false to limit inter‑container communication on the default bridge; --userland-proxy=false is a related hardening flag for published ports.

Monitor container creation events and audit bind‑mount usage that maps the host root filesystem.

Implement host‑level intrusion detection (e.g., file integrity monitoring, cron change alerts) to spot unauthorized modifications.
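To make the bind‑mount audit recommended above concrete, and to match the Container Setup and Persistence steps in the attack flow (host root mounted at /hostfs, crontab edits), here is an added example that is not from the original article or any Doki report: a Python audit over docker inspect output that flags privileged containers and bind mounts exposing the host root or cron paths. The SAMPLE_INSPECT records and the SENSITIVE_HOST_PATHS list are constructed assumptions; the check generalizes the article's root‑bind case to any bind whose host source reaches a cron path.

```python
import json
import os

# Constructed sample in the shape `docker inspect` prints, trimmed to the
# fields this audit reads. Container names are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Name": "/doki-like", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs", "RW": True}]},
    {"Name": "/cron-abuse", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/hostetc", "RW": True}]},
])

# Host paths whose exposure gives the persistence the article describes:
# the whole root filesystem, or just the crontab / cron spool. Assumed list.
SENSITIVE_HOST_PATHS = ("/", "/etc/crontab", "/etc/cron.d", "/var/spool/cron")


def _exposes(source, sensitive):
    """True when a bind source is the sensitive path or one of its parents."""
    src = os.path.normpath(source)
    return src == sensitive or sensitive.startswith(src.rstrip("/") + "/")


def audit_container(container):
    """Return findings for one inspect record (privileged flag, risky binds)."""
    findings = []
    if container.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged")
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":  # named volumes live under /var/lib/docker
            continue
        hit = [p for p in SENSITIVE_HOST_PATHS if _exposes(m["Source"], p)]
        if not hit:
            continue
        label = "host-root" if "/" in hit else "cron:" + ",".join(hit)
        mode = "rw" if m.get("RW", True) else "ro"
        findings.append(f"{label} via {m['Source']}->{m['Destination']} ({mode})")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings, keeping only containers with findings."""
    report = {}
    for c in json.loads(text):
        hits = audit_container(c)
        if hits:
            report[c["Name"].lstrip("/")] = hits
    return report
```

On a live host, feed audit_inspect_output the text of docker inspect $(docker ps -q); the same check can be run on each container‑create event from the daemon's event stream to catch a host‑root bind at creation time.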

Reference

https://thehackernews.com/2020/07/docker-linux-malware.html

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Docker, Container Security, malware, ngrok, Cryptocurrency Mining
Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)