2025-01-31 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 05/31 Report
The editor shares here what the "undetectable Linux backdoor" is. Most people do not know much about it, so this article is offered for reference; I hope you learn a lot from it.
The Ngrok mining botnet campaign is scanning the Internet for misconfigured Docker API endpoints and has infected a large number of servers with new malware.
The Ngrok mining botnet has been active for the past two years; what is different now is that the new campaign targets misconfigured Docker servers and uses them to run malicious containers carrying cryptocurrency miners on the victim's infrastructure.
This new multithreaded malware is called "Doki".
Doki, described as a completely undetectable Linux backdoor, uses a previously undocumented method to reach its operator: it generates its C2 domain address dynamically from the Dogecoin cryptocurrency blockchain.
According to the researchers, Doki:
- executes commands issued by the operator;
- generates its C2 domain in real time using a Dogecoin blockchain explorer;
- uses the embedTLS library for encryption and network communication;
- creates unique, short-lived URLs and uses them to download payloads during the attack.
In addition, the attacker binds the newly created container to the root of the host's filesystem, which lets the container read or modify any file on the host and cause damage.
Through this bind mount, the attacker also gains control of the host's cron configuration and modifies it so that the download payload is executed every minute.
This container escape technique gives the attacker complete control over the victim's infrastructure, so the threat Doki poses is evident. Doki also uses scanning tools such as zmap, zgrab and jq on the infected system to scan the network for ports associated with Redis, Docker, SSH and HTTP, widening the threat further.
Although Doki was uploaded to VirusTotal on January 14, 2020 and has been scanned several times since, it managed to stay hidden for more than six months. Surprisingly, it is still not detected by any of the 61 top malware detection engines.
It is therefore recommended that users and organizations running Docker instances do not expose the Docker API publicly, and ensure that Docker is reachable only from trusted networks or over a VPN.
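The two misconfigurations the article describes (a Docker API listening on TCP without TLS client authentication, and a container with the host root bind-mounted read-write so it can reach the host's cron files) can be audited on a host. The following is an added defensive check, not code from the article or from the Doki research; the dockerd command line and the `docker inspect` output it reads are constructed samples.

```python
import json
import shlex

# Constructed sample input (not from the article): a dockerd command line as found in a
# systemd unit, and `docker inspect` output for one container trimmed to the relevant fields.
SAMPLE_DOCKERD_CMD = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
SAMPLE_INSPECT = json.dumps([{
    "Id": "constructed-container-id",
    "Name": "/suspicious",
    "HostConfig": {"Privileged": False},
    "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
        {"Type": "volume", "Source": "data", "Destination": "/data", "RW": True},
    ],
}])

# Host paths that, bind-mounted read-write, hand a container the host's cron
# configuration or the entire host filesystem (the technique the article describes).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/etc/cron.d", "/etc/crontab", "/var/spool/cron")
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")

def listen_hosts(dockerd_cmd: str) -> list[str]:
    """Extract every -H/--host value from a dockerd command line."""
    argv = shlex.split(dockerd_cmd)
    hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts

def exposed_api(dockerd_cmd: str) -> list[str]:
    """Report TCP listeners beyond loopback when TLS client auth is not enforced."""
    argv = shlex.split(dockerd_cmd)
    tls = "--tlsverify" in argv or "--tlsverify=true" in argv
    findings = []
    for h in listen_hosts(dockerd_cmd):
        if h.startswith("tcp://") and not tls:
            addr = h[len("tcp://"):].rsplit(":", 1)[0]
            if addr not in LOOPBACK:
                findings.append(f"Docker API listens on {h} without --tlsverify")
    return findings

def host_root_mounts(inspect_json: str) -> list[str]:
    """Flag bind mounts that expose the host root or cron directories read-write."""
    findings = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            src = m.get("Source", "")
            if m.get("Type") == "bind" and m.get("RW", True) and src in SENSITIVE_HOST_PATHS:
                findings.append(f"{c['Name']}: host path {src!r} mounted at {m['Destination']} read-write")
    return findings
```

On a real host, feed `exposed_api` the ExecStart line of the dockerd unit (or the `hosts` entries of daemon.json) and `host_root_mounts` the output of `docker inspect $(docker ps -q)`.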