A new study shows that hackers are actively using the Dogecoin blockchain to support the deployment of a malware named "Doki".
According to cybersecurity researchers at Intezer, Doki is a previously undetected backdoor that abuses the Dogecoin blockchain to generate its C2 domain addresses and attacks cloud servers. It is deployed through a botnet called Ngrok.
The malware uses these domain addresses to search for additional vulnerable cloud servers in the victim's network. An Intezer researcher explained how the attack is deployed:
An attacker controlling the malware's contact address does so by transferring a specific amount of Dogecoin from his wallet. Because only the attacker has control over the wallet, only he can control when and how much Dogecoin needs to be transferred, and thus switch the domain name accordingly.
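The mechanism described above, a domain name keyed to the amount of a public blockchain transfer, cuts both ways: because the ledger is public, a defender who knows the attacker's wallet can derive the same candidate domains and match them against DNS logs. The following Python is an added example written for this article; it is not Intezer's code and not Doki's real derivation. The hash-based mapping from transfer amount to hostname, the placeholder `.example-ddns.invalid` suffix, the wallet amounts and the DNS log lines are all constructed assumptions used to illustrate the concept.

```python
import hashlib
import re

# ASSUMPTION: a hypothetical blockchain-keyed domain generator modelled on the
# mechanism the article describes (domain derived from a Dogecoin transfer
# amount). SHA-256 of the amount, truncated to 12 hex chars, plus a placeholder
# dynamic-DNS suffix. This is NOT Doki's actual algorithm.
DNS_SUFFIX = ".example-ddns.invalid"  # placeholder, deliberately non-resolvable


def derive_domain(amount_doge: str) -> str:
    """Map one transfer amount (as the string seen on the ledger) to a hostname."""
    digest = hashlib.sha256(amount_doge.encode("utf-8")).hexdigest()
    return digest[:12] + DNS_SUFFIX


def candidate_domains(amounts):
    """Pre-compute every hostname the attacker could have signalled so far."""
    return {derive_domain(a) for a in amounts}


# Constructed sample: transfer amounts "observed" leaving the attacker's wallet.
OBSERVED_AMOUNTS = ["12.34", "987.65"]

# Constructed DNS resolver log lines (not real data); one line contains a
# hostname derived from an observed amount, the others are benign noise.
SAMPLE_DNS_LOGS = [
    "2020-07-28T10:01:02Z 10.0.0.5 query A www.example.com",
    f"2020-07-28T10:01:09Z 10.0.0.7 query A {derive_domain('12.34')}",
    "2020-07-28T10:02:15Z 10.0.0.9 query A updates.example.org",
]

# Assumed log format: "<timestamp> <source-ip> query A <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query A (?P<qname>\S+)$")


def scan_dns_logs(lines, amounts):
    """Return (timestamp, source, qname) for every query to a derived C2 hostname."""
    candidates = candidate_domains(amounts)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("qname").lower() in candidates:
            hits.append((m.group("ts"), m.group("src"), m.group("qname")))
    return hits


if __name__ == "__main__":
    for ts, src, qname in scan_dns_logs(SAMPLE_DNS_LOGS, OBSERVED_AMOUNTS):
        print(f"{ts} host {src} resolved blockchain-derived C2 name {qname}")
```

The practical point is the asymmetry: the attacker needs the wallet key to emit a new domain, but a defender needs only the wallet's public transaction history to enumerate every domain that has been signalled, which turns the ledger into a blocklist and a retro-hunt source.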
Intezer said that using Dogecoin to deploy malware unrelated to cryptocurrencies may have served as a "front" that kept it out of public view. That is why Doki went undetected for more than six months, despite having been on VirusTotal since January.
The researchers emphasize that such an attack is very dangerous:
Our evidence shows that it takes only a few hours for the Docker server's configuration to be changed due to this malware.
Separately, the threat research team at Cisco Systems recently discovered a new cryptocurrency botnet called "Prometei". This botnet both mines Monero and steals data from the targeted system.