Doki

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [1]

ID: S0600
Type: MALWARE
Platforms: Linux, Containers
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 06 April 2021
Last Modified: 19 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Doki has communicated with C2 over HTTPS.[1]

Enterprise T1020 Automated Exfiltration

Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Doki has executed shell scripts with /bin/sh.[1]

Enterprise T1610 Deploy Container

Doki was run through a deployed container.[1]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Doki has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Doki has used the embedTLS library for network communications.[1]

Enterprise T1611 Escape to Host

Doki’s container was configured to bind the host root directory.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Doki has used Ngrok to establish C2 and exfiltrate data.[1]

Enterprise T1133 External Remote Services

Doki was executed through an open Docker daemon API port.[1]

Enterprise T1083 File and Directory Discovery

Doki has resolved the path of a process PID to use as a script argument.[1]

Enterprise T1105 Ingress Tool Transfer

Doki has downloaded scripts from C2.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Doki has disguised a file as a Linux kernel module.[1]

Enterprise T1057 Process Discovery

Doki has searched for the current process’s PID.[1]

Enterprise T1102 Web Service

Doki has used the dogechain.info API to generate a C2 address.[1]

References