A recently launched campaign aimed at vulnerable Docker services installs both an XMRig miner and the 9hits viewer app on compromised hosts, enabling a dual monetization approach.
9hits functions as a web traffic exchange platform, facilitating members to boost traffic to one another’s websites.
Members achieve this by using the 9hits viewer app, installed on their devices, which employs a headless Chrome instance to visit websites requested by fellow members. Consequently, users accrue credits, which can then be utilized to increase traffic to their own sites.
In a campaign uncovered by Cado Security, attackers exploit Docker hosts by deploying the 9hits viewer app on compromised systems. This allows them to generate credits illicitly, leveraging the resources of these compromised hosts to manipulate the 9hits traffic exchange system for their benefit.
Latest Docker Malware
The method by which threat actors discover systems to breach is unclear, but Cado suggests that the attackers may employ a network scanning tool, such as Shodan. This allows them to identify vulnerable servers and breach them, deploying malicious containers through the Docker API.
Containers are pulled from Docker Hub images to minimize suspicion. The spreader script, identified in Cado's Docker honeypot, sets the DOCKER_HOST variable so that the standard Docker CLI talks to the exposed remote API, then uses ordinary API calls to fetch and execute the containers.
Within the 9hits container, a script (nh.sh) with a session token is executed. This enables authentication, empowering the container to generate credits for the attacker by visiting a specified list of websites.
The session token system is engineered to function securely, even in untrusted environments. This design enables the attacker to generate profit without the risk of being banned.
The attackers have configured specific parameters for the 9hits app, permitting actions like popups or visits to adult sites but prohibiting access to cryptocurrency-related sites.
Meanwhile, the second container operates an XMRig miner, extracting Monero cryptocurrency on behalf of the attacker and utilizing the resources of the cloud system.
The miner connects to a private mining pool, making it infeasible to gauge the campaign's scale or profits. Cado observes that the domain associated with the mining pool suggests the use of dynamic DNS services for ongoing control.
Cado Security notes in the report, “The primary impact of this campaign on compromised hosts is resource exhaustion. The XMRig miner consumes all available CPU resources, while 9hits utilizes significant bandwidth, memory, and any remaining CPU capacity.”
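The two conditions the article describes, a Docker API reachable over TCP and unlimited containers running the 9hits viewer script and an XMRig miner, can both be checked from the host. The following is an added defender-side example, not code from the article or from Cado Security; it runs over constructed sample data shaped like daemon.json and `docker inspect` output, and every container name, image name, token and pool address in it is a placeholder rather than an indicator from the campaign.

```python
"""Triage helpers for the Docker campaign described in the article.

1. is_docker_api_exposed(): does a daemon.json "hosts" entry bind the Docker API
   to a TCP socket on a non-loopback address? That is the exposure the spreader
   script abuses via DOCKER_HOST.
2. triage_containers(): given records shaped like `docker inspect` output, flag
   containers whose image, command or entrypoint references the tools named in
   the article (the 9hits viewer's nh.sh script, an XMRig miner), and note when
   they run without CPU or memory limits, which is what lets the miner exhaust
   the host.

All sample data below is constructed for this example.
"""
import json
import re
from urllib.parse import urlparse

# Substrings taken from the article's description of the two containers.
SUSPICIOUS_PATTERNS = [
    re.compile(r"nh\.sh", re.IGNORECASE),  # 9hits viewer launch script
    re.compile(r"xmrig", re.IGNORECASE),   # Monero miner
    re.compile(r"9hits", re.IGNORECASE),
]

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def is_docker_api_exposed(daemon_json: str) -> list:
    """Return the tcp:// listen addresses in daemon.json that are not loopback.

    An empty "hosts" list means dockerd uses only its default unix socket.
    """
    cfg = json.loads(daemon_json)
    exposed = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        if urlparse(host).hostname not in LOOPBACK:
            exposed.append(host)
    return exposed


def triage_containers(inspect_records: list) -> list:
    """Flag containers matching the article's tooling; report missing limits."""
    findings = []
    for rec in inspect_records:
        cfg = rec.get("Config", {})
        host_cfg = rec.get("HostConfig", {})
        text = " ".join([
            cfg.get("Image", ""),
            " ".join(cfg.get("Cmd") or []),
            " ".join(cfg.get("Entrypoint") or []),
        ])
        reasons = [f"matches {p.pattern}" for p in SUSPICIOUS_PATTERNS if p.search(text)]
        if not reasons:
            continue
        # Unlimited containers can take the whole host, the impact Cado reports.
        if not host_cfg.get("NanoCpus") and not host_cfg.get("CpuQuota"):
            reasons.append("no CPU limit")
        if not host_cfg.get("Memory"):
            reasons.append("no memory limit")
        findings.append({"name": rec.get("Name"), "reasons": reasons})
    return findings


# Constructed sample: API bound to all interfaces alongside the unix socket.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample records in the shape of `docker inspect` output.
SAMPLE_INSPECT = [
    {   # placeholder resembling the 9hits viewer container
        "Name": "/viewer-placeholder",
        "Config": {"Image": "example/viewer:latest",
                   "Cmd": ["/bin/sh", "-c", "./nh.sh PLACEHOLDER_SESSION_TOKEN"],
                   "Entrypoint": None},
        "HostConfig": {"NanoCpus": 0, "CpuQuota": 0, "Memory": 0},
    },
    {   # placeholder resembling the miner container
        "Name": "/miner-placeholder",
        "Config": {"Image": "example/xmrig:latest", "Cmd": None,
                   "Entrypoint": ["xmrig"]},
        "HostConfig": {"NanoCpus": 0, "CpuQuota": 0, "Memory": 0},
    },
    {   # benign, resource-limited web service
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"],
                   "Entrypoint": None},
        "HostConfig": {"NanoCpus": 1_000_000_000, "CpuQuota": 0, "Memory": 536_870_912},
    },
]

if __name__ == "__main__":
    print("exposed API listeners:", is_docker_api_exposed(SAMPLE_DAEMON_JSON))
    for finding in triage_containers(SAMPLE_INSPECT):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

On a real host, feed `is_docker_api_exposed()` the contents of /etc/docker/daemon.json and `triage_containers()` the parsed output of `docker inspect $(docker ps -q)`; the regex list is deliberately narrow to the tooling the article names and should be extended with whatever your own telemetry shows.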
As a consequence, legitimate workloads on infected servers are starved of the CPU, memory and bandwidth they expect. The campaign unveiled by Cado underscores threat actors' continuous exploration of alternative monetization channels beyond conventional methods like cryptomining, a diversification that reflects a strategic shift towards more covert avenues in their attacks.
Platforms exploited by threat actors, like 9hits, require enhanced security checks and policies to thwart unauthorized usage of their applications. This preventive measure is essential to mitigate the potential financial damage and disruptions inflicted upon organizations.
Table columns: Docker Container Name | Docker Container Image (table rows not present in this extract)