While Linux malware was once sitting on the fringes of the malware ecosystem, today, new Linux threats are being discovered on a weekly basis.
The latest finding comes from Intezer Labs. In a report shared with ZDNet this week, the company analyzed Doki, a new backdoor trojan they spotted part of the arsenal of an old threat actor known for targeting web servers for crypto-mining purposes.
The threat actor, known as Ngrok because of its initial penchant for using the Ngrok service for hosting control and command (C&C) servers, has been active since at least late 2018.
Intezer Labs researchers say that in recent attacks carried out by the Ngrok group this year, the hackers have targeted Docker installations where the management API has been left exposed online.
The hackers abused the Docker API to deploy new servers inside a company's cloud infrastructure. The servers, running a version of Alpine Linux, were then infected with crypto-mining malware, but also Doki.