The .xlsb attachment downloads a PowerShell script, which retrieves a zip archive. Inside it is the malware (also known as Java RAT or jRAT).
Intezer: Cybercriminals are spreading Doki, a completely undetectable Linux malware that exploits undocumented techniques to stay under the radar and target publicly accessible Docker servers
It has been dubbed Doki: a completely undetectable Linux malware that exploits undocumented techniques to stay under the radar and target publicly accessible Docker servers hosted on popular cloud platforms, including AWS, Azure, and Alibaba Cloud. Docker is a popular platform-as-a-service (PaaS) solution for Linux and Windows, designed to make it easier for developers to create, test, and run their applications in a loosely isolated environment called a container. The malware was discovered by Intezer security researchers, who shared their findings with The Hacker News. The new multi-threaded malicious code leverages “an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address despite samples being publicly available in VirusTotal.”
The security researchers: the malicious code uses the DynDNS service and a unique DGA based on the Dogecoin cryptocurrency blockchain
According to the researchers, the malware is designed to execute commands received from its operators, uses a Dogecoin cryptocurrency block explorer to generate its C2 domain dynamically in real time, and relies on the embedTLS library for cryptographic functions and network communication. Finally, Doki crafts unique, short-lived URLs and uses them to download payloads during the attack. “The malware utilizes the DynDNS service and a unique Domain Generation Algorithm (DGA) based on the Dogecoin cryptocurrency blockchain in order to find the domain of its C2 in real time.” In addition, the attackers compromise the host machines by binding newly created containers to the server’s root directory, which lets them read or modify any file on the system.
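The host compromise described above relies on a container that bind-mounts the host's root directory. A defender can audit a Docker host for exactly that condition by inspecting the running containers. The script below is an added example, not code from the article or from Intezer: it parses the JSON array that `docker inspect` emits, checks each container's `Mounts` entries (falling back to `HostConfig.Binds`) for a bind whose host-side source is `/`, and reports the container name, the mount point inside the container, and whether the mount is writable. The sample inspect output embedded in the script is constructed for illustration; container names and IDs in it are invented.

```python
import json
import sys

# Constructed sample of `docker inspect` output (not from the article): two
# containers, the second of which bind-mounts the host root directory at /mnt.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web-frontend",
        "HostConfig": {"Binds": ["/var/www:/usr/share/nginx/html:ro"]},
        "Mounts": [
            {"Type": "bind", "Source": "/var/www",
             "Destination": "/usr/share/nginx/html", "RW": False}
        ],
    },
    {
        "Id": "bbb222",
        "Name": "/suspicious",
        "HostConfig": {"Binds": ["/:/mnt:rw"]},
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}
        ],
    },
])


def find_host_root_mounts(inspect_json):
    """Return a list of (container_name, host_path, container_path, writable)
    for every container that bind-mounts the host root directory ("/").

    `inspect_json` is the raw text of `docker inspect <ids...>`, a JSON array.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name") or container.get("Id", "?")
        seen = set()

        # Preferred source: the normalised Mounts array.
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") == "/":
                dest = mount.get("Destination")
                seen.add(dest)
                findings.append((name, "/", dest, bool(mount.get("RW", True))))

        # Fallback: raw HostConfig.Binds entries of the form "src:dst[:opts]".
        for bind in container.get("HostConfig", {}).get("Binds") or []:
            parts = bind.split(":")
            if len(parts) >= 2 and parts[0] == "/" and parts[1] not in seen:
                opts = parts[2].split(",") if len(parts) >= 3 else []
                findings.append((name, "/", parts[1], "ro" not in opts))
    return findings


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 check_root_mounts.py
    # With no piped input, the constructed sample is scanned instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    hits = find_host_root_mounts(data)
    for name, src, dst, rw in hits:
        print(f"ALERT {name}: host {src} mounted at {dst} ({'rw' if rw else 'ro'})")
    sys.exit(1 if hits else 0)
```

Any hit from this check warrants treating the host itself, not just the container, as compromised: a writable bind of `/` gives the container full read and write access to the host filesystem, which is the outcome the article describes.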