A new study indicates that hackers are actively relying on the Dogecoin (DOGE) blockchain to expand a malware payload named “Doki.”
According to cybersecurity researchers at Intezer, Doki is a fully undetected backdoor that abuses the Dogecoin blockchain “in a unique way” in order to generate its C2 domain address and breach cloud servers. It is deployed through a botnet called Ngrok.
These domain addresses are used by the malware to search for additional vulnerable cloud servers within the network of the victim.
Intezer’s study explains further about the deployment of the attack:
“The attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet. Since only the attacker has control over the wallet, only he can control when and how much dogecoin to transfer, and thus switch the domain accordingly.”
Undetected for over six months
Intezer says that using Dogecoin to deploy a crypto-unrelated malware may be “quite resilient” to both law enforcement and security products. That’s why Doki has managed to stay undetected for over six months, despite having been uploaded to the VirusTotal database in January.
The study highlights that such an attack “is very dangerous”:
“Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign.”
Recently, the threat intelligence team at Cisco Systems discovered a new cryptojacking botnet named “Prometei.” This botnet both mines Monero (XMR) and steals data from the targeted system.