The Linux operating system is widely regarded as the most secure one available. Because comparatively few regular users run Linux, cybercriminals have not been overly eager to create malware that targets this particular OS. Over the past couple of years, however, the number of malware samples targeting Linux has increased significantly. Furthermore, some advanced projects target both Linux and Windows, which extends the threats' reach considerably.
Malware analysts have recently identified a brand-new threat designed to go after systems running the Linux OS only. The name of the threat is Doki Trojan. The Doki Trojan appears to be distributed in combination with a cryptocurrency miner, and its job is to ensure that this miner works as intended. Once the Doki Trojan is deployed on the host, it locates any other cryptocurrency miners that may be present on the system and terminates them, so that all of the host's computing power goes towards the miner planted alongside the threat. The Doki Trojan is also able to detect whether the cryptocurrency miner it is responsible for has been terminated and relaunch it immediately.
The gang behind the Doki Trojan has so far executed attacks against a very specific set of targets: what all servers affected by Doki's attacks have in common is that they were running Docker, a popular software-building platform. There have been previous occasions on which cybercriminals targeted the Docker service; earlier this year, we reported on the Kinsing malware, which also targeted Docker servers exclusively. It is important to add that Docker itself is not vulnerable, and the attackers are not relying on exploits to gain unauthorized access. Instead, the criminals behind the Doki Trojan scan the Web for poorly secured Docker installations that are reachable from the Internet.
There are other threats similar to the Doki Trojan whose purpose is to ensure that cryptocurrency miners keep running as intended. However, the Doki Trojan has an interesting trait: it communicates with the attackers' C&C (Command & Control) server via the Dogecoin API, using a DGA (Domain Generation Algorithm) to generate the C&C server address. The cryptocurrency miner planted alongside the Doki Trojan mines the Doge cryptocurrency, and all generated funds are transferred to the attackers' cryptocurrency wallet. The Doki Trojan checks for new transactions periodically, and if any are detected, it hashes the transaction ID with the SHA256 algorithm. The first twelve characters of the result are then used to register a sub-domain with Dnds.net.
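The derivation described above (SHA256 of a transaction ID, first twelve characters used as the sub-domain label) can be reproduced by defenders to turn observed wallet transactions into expected C&C labels and match them against DNS query logs. The following is an added example and not code from the original article or from the malware itself; it assumes the twelve characters are taken from the lowercase hex digest, matches only the leftmost DNS label (the dynamic-DNS suffix is not checked), and uses constructed transaction IDs and BIND-style query log lines.

```python
import hashlib
import re

# Assumption: the label is the first twelve characters of the lowercase hex SHA256 digest.
LABEL_LEN = 12


def derive_label(tx_id: str) -> str:
    """Return the sub-domain label the DGA would derive from a transaction ID."""
    return hashlib.sha256(tx_id.encode("ascii")).hexdigest()[:LABEL_LEN]


def expected_labels(tx_ids):
    """Map each expected DGA label back to the transaction ID that produced it."""
    return {derive_label(tx_id): tx_id for tx_id in tx_ids}


# Matches the queried name in BIND-style query log lines, e.g.
# "client 10.0.0.5#51234: query: example.org IN A +"
QUERY_RE = re.compile(r"query:\s+(?P<qname>[A-Za-z0-9.-]+)\s+IN\s+A")


def find_dga_queries(log_lines, tx_ids):
    """Return (queried_name, transaction_id) pairs whose leftmost label is a DGA label."""
    labels = expected_labels(tx_ids)
    hits = []
    for line in log_lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        qname = match.group("qname").rstrip(".").lower()
        first_label = qname.split(".")[0]
        if first_label in labels:
            hits.append((qname, labels[first_label]))
    return hits


# Constructed sample data: two made-up transaction IDs (not real Dogecoin transactions)
# and three made-up query log lines; only the second line carries a derived label.
SAMPLE_TX_IDS = ["c0ffee0000000000000000000000000000000000000000000000000000000001",
                 "c0ffee0000000000000000000000000000000000000000000000000000000002"]
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: updates.example.org IN A +",
    f"client 10.0.0.7#40211: query: {derive_label(SAMPLE_TX_IDS[0])}.dyndns.example IN A +",
    "client 10.0.0.9#33120: query: 0123456789ab.dyndns.example IN A +",  # hex-looking, not derived
]

if __name__ == "__main__":
    for qname, tx_id in find_dga_queries(SAMPLE_LOG, SAMPLE_TX_IDS):
        print(f"DGA candidate {qname} derived from transaction {tx_id}")
```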
All administrators of Docker servers should be wary of the Doki Trojan. Make sure your server is protected and secure: use strong login credentials and anti-malware utilities.