S0600 Doki
Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the Ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [1]
| Item | Value |
|---|---|
| ID | S0600 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 April 2021 |
| Last Modified | 19 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Doki has communicated with C2 over HTTPS. [1] |
| enterprise | T1020 | Automated Exfiltration | Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads it to an Ngrok URL. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Doki has executed shell scripts with /bin/sh. [1] |
| enterprise | T1610 | Deploy Container | Doki was run through a deployed container. [1] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Doki has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Doki has used the embedTLS library for network communications. [1] |
| enterprise | T1611 | Escape to Host | Doki's container was configured to bind the host root directory. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Doki has used Ngrok to establish C2 and exfiltrate data. [1] |
| enterprise | T1133 | External Remote Services | Doki was executed through an open Docker daemon API port. [1] |
| enterprise | T1083 | File and Directory Discovery | Doki has resolved the path of a process PID to use as a script argument. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Doki has downloaded scripts from C2. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Doki has disguised a file as a Linux kernel module. [1] |
| enterprise | T1057 | Process Discovery | Doki has searched for the current process's PID. [1] |
| enterprise | T1102 | Web Service | Doki has used the dogechain.info API to generate a C2 address. [1] |