A new study says that hackers are actively relying on the Dogecoin (DOGE) blockchain to expand a malware payload named “Doki.”
It has been reported according to cybersecurity researchers at Intezer that Doki is a fully undetected backdoor that abuses the Dogecoin blockchain “in a unique way” in order to generate its C2 domain address and breach cloud servers. It is deployed through a botnet called Ngrok.
However, these domain addresses are used by the malware to search for additional vulnerable cloud servers within the network of the victim.
Intezer’s study explains:
“The attacker controls which address the malware will contact by transferring a specific amount of Dogecoin from his or her wallet. Since only the attacker has control over the wallet, only he can control when and how much dogecoin to transfer, and thus switch the domain accordingly.”
As per the report, Intezer says that using Dogecoin to deploy a crypto-unrelated malware may be “quite resilient” to both law enforcement and security products. That’s why Doki has managed to stay undetected for over six months, despite having been uploaded to the VirusTotal database in January.
The study highlights that such an attack “is very dangerous.”
Thus, the study concludes:
“Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign.”