According to a recent report published by cybersecurity firm Intezer Labs, hackers abused the Dogecoin API to plant a previously undetected backdoor called "Doki" on Linux-based Docker servers.
Like other backdoor trojans, Doki exists to give the attacker full control of the compromised host, which in this campaign is used to run cryptojacking operations.
A unique method
Cryptojacking refers to the practice of gaining unauthorized access to someone's computer in order to stealthily mine cryptocurrency with the help of a malware component designed to evade detection.
This time around, the attackers relied on the API of dogechain.info, the most popular DOGE block explorer, to generate the malware's command-and-control (C2) domains.
Doki finds these domains automatically by relying on a "unique" domain generation algorithm (DGA) that is based on Dogecoin transactions:
Using this technique the attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet. Since only the attacker has control over the wallet, only he can control when and how much dogecoin to transfer, and thus switch the domain accordingly.
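The mechanism described above, as an added illustration that is not code from the original article or from Intezer's report: the malware reads the attacker's wallet history from a block explorer, takes the value of the most recent outgoing transaction, and derives the C2 hostname from that value. The concrete derivation (SHA-256 of the canonical amount, first 12 hex characters, fixed suffix), the explorer JSON field names, the wallet address and the `.example.net` suffix are all this example's own assumptions; the page only states the general idea. The example also goes one step beyond the text: because the blockchain is public, a defender who knows the wallet can replay the same derivation over the full transaction history to enumerate every domain the malware has ever used.

```python
import hashlib
import json
from decimal import Decimal

# Constructed sample: a stripped-down imitation of a block explorer's "address
# transactions" response. Field names and values are invented for this example and
# do not reflect the real dogechain.info schema.
SAMPLE_EXPLORER_RESPONSE = json.dumps({
    "address": "DExampleAttackerWallet000000000000",   # placeholder, not a real wallet
    "transactions": [
        {"hash": "tx1", "time": 1579000000, "direction": "sent",     "value": "1.4000000"},
        {"hash": "tx2", "time": 1580000000, "direction": "received", "value": "250.0"},
        {"hash": "tx3", "time": 1581000000, "direction": "sent",     "value": "0.0123456"},
    ],
})

# Assumed suffix: the real malware would append a dynamic-DNS domain it controls.
C2_SUFFIX = ".example.net"


def normalize_amount(value):
    """Canonical string form of a DOGE amount, so that "1.4" and "1.4000000"
    derive the same domain regardless of how the explorer formats the value."""
    return format(Decimal(value).normalize(), "f")


def derive_domain(amount):
    """DGA step (assumed scheme): SHA-256 the canonical amount, keep the first
    12 hex characters of the digest, and append the fixed suffix."""
    digest = hashlib.sha256(normalize_amount(amount).encode("ascii")).hexdigest()
    return digest[:12] + C2_SUFFIX


def latest_outgoing_amount(explorer_json):
    """Value of the newest transaction *sent from* the attacker's wallet.
    Incoming payments are ignored: only the attacker can sign outgoing ones,
    which is what makes the channel attacker-controlled."""
    data = json.loads(explorer_json)
    sent = [t for t in data["transactions"] if t["direction"] == "sent"]
    if not sent:
        return None
    return max(sent, key=lambda t: t["time"])["value"]


def current_c2_domain(explorer_json):
    """What the implant would resolve right now."""
    amount = latest_outgoing_amount(explorer_json)
    return None if amount is None else derive_domain(amount)


def historical_c2_domains(explorer_json):
    """Defender's view: every outgoing amount the wallet ever spent yields a
    domain worth blocklisting, sinkholing, or hunting for in DNS logs."""
    data = json.loads(explorer_json)
    return sorted({derive_domain(t["value"])
                   for t in data["transactions"] if t["direction"] == "sent"})


if __name__ == "__main__":
    print("current C2:", current_c2_domain(SAMPLE_EXPLORER_RESPONSE))
    print("all C2 domains seen in wallet history:")
    for d in historical_c2_domains(SAMPLE_EXPLORER_RESPONSE):
        print("  ", d)
```

Switching the C2 is as cheap for the attacker as sending any amount of DOGE to any address: the next time the implant polls the explorer, the new outgoing value produces a new hostname. The same property cuts the other way for defenders: once the wallet is known, the domain list is not secret, it is just a function of public ledger data.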
Doki had been up and running for over half a year, and antivirus engines were still not flagging it:
The malware is a fully undetected backdoor. It has managed to stay undetected for over six months despite having been uploaded to VirusTotal on January 14, 2020 and scanned multiple times since.
Cryptojackers continue to thrive
Docker servers have recently become a popular target for cybercriminals, but this is the first known instance in which Dogecoin is involved.
As reported by U.Today, privacy coin Monero (XMR) is regarded as the darling of cryptojackers, with close to four percent of the coin's supply estimated to have been mined by such malware.
Back in May, it was revealed that Microsoft SQL database servers had been infected to illegally mine XMR.