Hackers are using Dogecoin, the meme-themed cryptocurrency that recently experienced a bull run thanks to TikTokkers, to help expand a malware botnet.
A new backdoor called Doki is piggybacking on an existing campaign that hunts for Docker hosts left exposed to the internet. Instead of relying on a hardcoded command-and-control (C2) address, the malware watches a specific Dogecoin wallet: each time the attacker sends coins from that wallet, the infected Linux machines derive a new C2 domain, which makes the network much harder to sinkhole or take down.
“Recently, we have detected a new malware payload that is different from the standard cryptominers typically deployed in this attack. The malware is a fully undetected backdoor which we have named Doki,” wrote security researchers at Intezer. “Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address.”
The scheme is convoluted but fairly ingenious. A botnet operator needs some way to move the bots to a new C2 address when the old one is seized, sinkholed or blocklisted. The usual options are to hardcode the address into the malware, or to push a new one to each bot over a live connection. Neither is ideal from the operator’s point of view: a hardcoded address can be blocked once and for all, and pushing updates means running infrastructure that can be traced back to the operator and handed to authorities.
Doki instead polls a public block explorer for a particular Dogecoin wallet and watches for outgoing transactions. It hashes the amount sent from the wallet, keeps a short prefix of the hash, and uses that as a subdomain under a dynamic-DNS service, producing a domain like “6d77335c4f23[.]ddns[.]net” that the botnet controller can register and use to manage the infected servers. Nobody can predict the next domain before the attacker makes the transaction, but because the ledger is public, anyone watching the wallet can compute it the moment the transaction appears. What they cannot do is forge one: only the holder of the wallet’s private key can send from it, and a confirmed transaction cannot be removed from the chain.
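To make the derivation concrete, here is an added example (written for this article, not Doki’s or Intezer’s code) that reproduces the scheme Intezer documented: the bot reads the cumulative amount sent from the attacker’s wallet as returned by a block explorer, hashes it with SHA-256, keeps the first 12 hex characters and appends them to ddns.net. The explorer responses are constructed samples, the amounts are made up, and the exact string form of the amount is assumed to be whatever the explorer returns, untouched. The same code doubles as the defender’s side of the story: it precomputes the domains a wallet’s history implies and flags matching names in DNS logs.

```python
"""Doki-style C2 domain derivation from a Dogecoin wallet's spend history.

Added example, not the malware's or Intezer's code. It assumes the scheme
Intezer described: SHA-256 over the explorer's "sent" value, first 12 hex
characters, appended to ddns.net. All inputs below are constructed samples.
"""
import hashlib
import json
import re

DDNS_SUFFIX = "ddns.net"   # dynamic-DNS parent domain reported by Intezer
SUBDOMAIN_LEN = 12         # hex characters kept from the digest

# Constructed explorer responses, one per poll, in the shape of a
# {"sent": "<amount>", "success": 1} document. The amounts are made up.
# A poll that returns the same value as the last one yields the same domain.
SAMPLE_POLLS = [
    '{"sent": "0", "success": 1}',
    '{"sent": "0.01", "success": 1}',
    '{"sent": "0.01", "success": 1}',   # no new transaction since last poll
    '{"sent": "1.5", "success": 1}',
]

# Constructed DNS query names as a resolver log might show them.
SAMPLE_DNS_QUERIES = [
    "www.example.com",
    "e3b0c44298fc.ddns.net",
    "updates.example.org",
    "ba7816bf8f01.ddns.net",
]

# Exactly 12 lowercase hex characters directly under the dynamic-DNS suffix.
DOKI_PATTERN = re.compile(r"^[0-9a-f]{12}\." + re.escape(DDNS_SUFFIX) + r"$")


def derive_domain(sent_value, suffix=DDNS_SUFFIX):
    """Map the explorer's 'sent' string to the FQDN the bot would contact.

    The amount is hashed as the explorer returned it (assumption: no
    reformatting), so "0.01" and "0.010" would produce different domains.
    """
    digest = hashlib.sha256(sent_value.encode("ascii")).hexdigest()
    return f"{digest[:SUBDOMAIN_LEN]}.{suffix}"


def parse_sent(response_json):
    """Extract the 'sent' field, refusing responses that signal failure."""
    doc = json.loads(response_json)
    if doc.get("success") != 1 or "sent" not in doc:
        raise ValueError("explorer response has no usable 'sent' value")
    return str(doc["sent"])


def c2_domains_from_polls(polls):
    """Bot's view: the domain chosen at each poll, in order."""
    return [derive_domain(parse_sent(p)) for p in polls]


def defender_watchlist(polls):
    """Defender's view: every domain the wallet history implies, deduplicated.

    The ledger is public, so anyone who knows the wallet can compute this
    list as soon as each transaction confirms, and blocklist ahead of use.
    """
    seen = []
    for domain in c2_domains_from_polls(polls):
        if domain not in seen:
            seen.append(domain)
    return seen


def is_candidate_doki_domain(name):
    """Cheap structural check for DNS logs: 12-hex-char label under ddns.net."""
    return DOKI_PATTERN.match(name.strip().lower()) is not None


def flag_dns_queries(queries):
    """Return the queried names that match the Doki domain shape."""
    return [q for q in queries if is_candidate_doki_domain(q)]


def defang(domain):
    """Render a domain so it is not clickable in reports."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    print("domains implied by the wallet history:")
    for d in defender_watchlist(SAMPLE_POLLS):
        print("  " + defang(d))
    print("DNS queries matching the Doki shape:")
    for q in flag_dns_queries(SAMPLE_DNS_QUERIES):
        print("  " + defang(q))
```

The structural check in `is_candidate_doki_domain` is deliberately loose: it will also match any unrelated ddns.net host that happens to use a 12-character hex label, so it belongs in a hunting query rather than a blocking rule. The watchlist, by contrast, is exact, because it is computed from the same public data the bots use.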
“Using this technique the attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet. Since only the attacker has control over the wallet, only he can control when and how much dogecoin to transfer, and thus switch the domain accordingly. Additionally, since the blockchain is both immutable and decentralized, this novel method can prove to be quite resilient to both infrastructure takedowns from law enforcement and domain filtering attempts from security products,” wrote researcher Nicole Fishbein.
It just goes to show you that the blockchain is good for something—crime!