
Vulnerable Docker services are being targeted in a novel campaign in which threat actors are deploying the XMRig cryptocurrency miner and 9Hits Viewer software as part of a multi-pronged monetization strategy.
“This is the first documented case of malware deploying the 9Hits application as a payload,” said cloud security firm Cado, adding that the development shows adversaries are constantly looking for diverse strategies to monetize infected hosts.
9Hits promotes itself as a “unique web traffic solution” and “automated traffic exchange” that lets members of the service drive traffic to their own sites in exchange for purchasing credits.

This is accomplished through software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members; in return, the member earns points that pay for generating traffic to their own websites.
The exact method used to spread the malware to vulnerable Docker hosts is unclear, but it is suspected to involve using search engines such as Shodan to scan for potential targets.
The servers are then compromised to deploy two malicious containers via the Docker API, using ready-made images of the 9Hits and XMRig software pulled from the Docker Hub library.
Security researcher Nate Bill said: “This is a common attack vector for attacks against Docker. Instead of obtaining a custom image for their own purposes, they pull a generic image from Dockerhub (which is almost always accessible) and use it to suit their own needs.”
The 9Hits container is then used to execute code that generates points for the attacker by authenticating to 9Hits with the attacker's session token and retrieving the list of sites to visit.
The threat actors have also configured the scheme to allow visits to adult websites or websites that display pop-ups, but to block visits to cryptocurrency-related websites.

The other container runs an XMRig miner that connects to a private mining pool, which makes it impossible to determine the scale and profitability of this activity.
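As an added example (not code from Cado's report or from this article), the following defender-side check queries the local Docker daemon over its Unix socket for the same container list the Docker API exposes and flags containers whose image name or command line matches the two payloads described above. The socket path, the image-name and command-line patterns, and the sample container records are my own assumptions, not indicators from the campaign.

```python
import http.client, json, re, socket

# Assumed heuristics (mine, not indicators published by Cado): match the public
# image names the campaign reuses, plus a command-line check for retagged images.
SUSPICIOUS_IMAGE_PATTERNS = [
    re.compile(r"xmrig", re.IGNORECASE),   # XMRig cryptocurrency miner
    re.compile(r"9hits", re.IGNORECASE),   # 9Hits Viewer traffic-exchange client
]
SUSPICIOUS_CMD_PATTERN = re.compile(r"xmrig|9hits|stratum\+tcp://", re.IGNORECASE)

class UnixSocketHTTPConnection(http.client.HTTPConnection):
    """Speak HTTP to the local Docker daemon over its Unix socket."""
    socket_path = "/var/run/docker.sock"   # assumed default daemon socket
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)

def list_containers():
    """Return the list from GET /containers/json?all=1 (running and stopped)."""
    conn = UnixSocketHTTPConnection("localhost")
    conn.request("GET", "/containers/json?all=1")
    return json.loads(conn.getresponse().read())

def flag_suspicious(containers):
    """Return (name, image, reason) for every container that matches a pattern."""
    hits = []
    for c in containers:
        name = (c.get("Names") or ["?"])[0].lstrip("/")
        image, command = c.get("Image", ""), c.get("Command", "")
        if any(p.search(image) for p in SUSPICIOUS_IMAGE_PATTERNS):
            hits.append((name, image, "image name matches known payload"))
        elif SUSPICIOUS_CMD_PATTERN.search(command):
            hits.append((name, image, "command line matches miner/9Hits pattern"))
    return hits

# Constructed sample in the shape of the API response; image names are placeholders.
SAMPLE_CONTAINERS = [
    {"Names": ["/web"], "Image": "nginx:1.25", "Command": "nginx -g 'daemon off;'"},
    {"Names": ["/miner"], "Image": "example/xmrig:latest", "Command": "xmrig -o pool.example:3333"},
    {"Names": ["/traffic"], "Image": "example/9hits-viewer:latest", "Command": "./viewer"},
]

if __name__ == "__main__":
    try:
        containers = list_containers()
    except OSError:  # no daemon socket here (or no permission): use the sample
        containers = SAMPLE_CONTAINERS
    for name, image, reason in flag_suspicious(containers):
        print(f"[!] {name}: {image} ({reason})")
```

Run it as root (or as a member of the docker group) on a host to audit the live container list; without a daemon it falls back to the constructed sample.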
“The main impact of this campaign on infected hosts is resource exhaustion, as the XMRig miner will use all available CPU resources, while 9hits will use a lot of bandwidth, memory, and whatever CPU resources are left,” Bill said.
“The result of this is that legitimate workloads on compromised servers will not execute as expected. Additionally, the campaign may be updated to leave a remote shell on the system, which may lead to more severe vulnerabilities.”