Doki Malware Report: What is Doki and How Does it Work?

The Doki backdoor uses a unique domain generation algorithm based on the Dogecoin blockchain to generate its C2 domains. It has been used in conjunction with the Ngrok mining botnet in a campaign that has targeted Docker servers in cloud platforms. Doki has been observed to communicate with C2 over HTTPS, download scripts from C2, and execute shell scripts with /bin/sh. It has also been used to bind the host root directory and search for the current process' PID.

Doki Malware Capabilities

Doki may use a variety of methods to exfiltrate data from a compromised system, including using application layer protocols associated with web traffic, copying files from an external system, or breaking out of a container to gain access to the underlying host. Doki may also enumerate files and directories, or search in specific locations for certain information. Additionally, Doki may attempt to get information about running processes on a system.

  • Doki is malware that can exfiltrate data and evade detection by using automated processing, by matching or approximating the names or locations of legitimate files or resources, and by communicating over application layer protocols associated with web traffic.
  • Doki may transfer tools or other files from an external system into a compromised environment. This can allow the adversary access to other resources from the host level or to the host itself. Doki may also break out of a container to gain access to the underlying host. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.
  • Doki may use a variety of methods to obtain information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network. This information may be used to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Additionally, Doki may abuse Unix shell commands and scripts for execution in order to control every aspect of a system. Finally, Doki may leverage external-facing remote services to initially access and/or persist within a network.
  • Doki may deploy a container to execute processes or download malware. It may also use Domain Generation Algorithms to dynamically identify a destination domain for command and control traffic, making it harder for defenders to block or track. Finally, Doki may steal data by exfiltrating it over an existing command and control channel.

Ways to Mitigate Doki Malware Attacks

  • The Doki malware can be mitigated by monitoring process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Additionally, collecting file hashes and monitoring file names and locations can help to identify files that have been modified by the malware. Finally, analyzing network data for uncommon data flows can help to identify processes that are using the network in suspicious ways.
  • The Doki malware can be used to attack containers in a Kubernetes environment. To mitigate these attacks, it is important to monitor for suspicious file activity and network usage. Additionally, cluster-level events associated with changing container volume configurations should be monitored.
  • The Doki malware attack can be mitigated in several ways, including monitoring for system and network discovery activity, restricting script usage, and capturing scripts from the file system. Authentication logs should be collected and analyzed for unusual patterns of activity.
  • The Doki malware attack can be mitigated by monitoring for suspicious or unknown container images and pods, deploying logging agents on Kubernetes nodes, and retrieving logs from sidecar proxies for application pods. Another approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains. Analyzing network data for uncommon data flows can also help to detect malicious activity.
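The host-root bind mount and container-volume monitoring described above can be checked directly against container inspection data. The following is an added example, not code from the original report or from any vendor: it audits `docker inspect`-style records (constructed inline) for a host root directory bound into a container, privileged mode, and images outside a hypothetical allowlist.

```python
"""Audit docker-inspect style container records for host-root bind mounts,
privileged mode and unapproved images. Sample records are constructed."""
import json
from typing import Dict, List

# Hypothetical allowlist of approved image repositories (assumption).
APPROVED_IMAGES = {"registry.example.internal/app", "nginx"}

def image_repo(image: str) -> str:
    """Strip tag/digest: 'nginx:1.25' -> 'nginx', 'registry:5000/app:v1' -> 'registry:5000/app'."""
    name = image.split("@", 1)[0]
    head, _, last = name.rpartition("/")      # keep a registry port intact
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last

def audit_container(rec: Dict) -> List[str]:
    """Return findings for one container record (empty list = nothing suspicious)."""
    findings = []
    hc = rec.get("HostConfig", {})
    # 1. Host root bound into the container: Binds entries are "src:dst[:opts]".
    for bind in hc.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":
            findings.append(f"host root bind-mounted via Binds: {bind}")
    # 2. Same check on the resolved Mounts list (also covers --mount syntax).
    for m in rec.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source") == "/":
            findings.append(f"host root bind-mounted at {m.get('Destination')}")
    # 3. A privileged container can reach the host regardless of mounts.
    if hc.get("Privileged"):
        findings.append("container runs privileged")
    # 4. Image not on the allowlist.
    repo = image_repo(rec.get("Config", {}).get("Image", ""))
    if repo not in APPROVED_IMAGES:
        findings.append(f"image not on allowlist: {repo}")
    return findings

# Constructed sample: one benign container and one that binds the host root.
SAMPLE_RECORDS = json.loads("""[
 {"Id": "c1", "Config": {"Image": "nginx:1.25"},
  "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}]},
 {"Id": "c2", "Config": {"Image": "alpine:latest"},
  "HostConfig": {"Binds": ["/:/mnt:rw"], "Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]}
]""")

def audit_all(records: List[Dict]) -> Dict[str, List[str]]:
    """Map container Id -> findings for every record."""
    return {r["Id"]: audit_container(r) for r in records}

if __name__ == "__main__":
    for cid, findings in audit_all(SAMPLE_RECORDS).items():
        print(cid, findings or "ok")
```

In practice the records come from `docker inspect $(docker ps -q)` or the Docker API, and the same checks map onto Kubernetes pod specs by inspecting `hostPath` volumes with `path: /`.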

Reactionary Times News Desk
