Security researchers have uncovered a novel cyber-attack campaign targeting exposed Docker services. The attacks mark the first documented case of malware using the 9hits application as a payload.
Discovered by Cado Security Labs, the campaign deploys two containers to the vulnerable Docker instance – a standard XMRig miner and the 9hits viewer application. The latter is employed to generate credits for the attacker on the 9hits platform.
9hits, a platform described as a “Unique Web Traffic Solution,” allows members to purchase credits for website traffic exchange. Members normally run the 9hits viewer app to visit other members’ sites in exchange for credits. In this campaign, the viewer is run inside containers on the compromised host so that the visits earn credits for the attacker’s 9hits account, while the host owner pays for the bandwidth and CPU.
The attack begins when an attacker-controlled server reaches the Docker host over the internet and deploys containers on it. Cado researchers could not obtain the spreader itself, but speculate that the attackers found the honeypot through internet-wide scanning services such as Shodan. The spreader uses the Docker API to create two containers, pulling off-the-shelf images for the 9hits and XMRig software from Docker Hub. No software vulnerability is required for this step: the Docker Engine API performs no authentication of its own, so anyone who can reach a daemon bound to a TCP port without TLS client verification can create and start containers on it.
Inside the containers, the 9hits one runs a script that supplies an attacker-owned session token, so the viewer app authenticates to the 9hits servers and the credits earned by its visits accrue to the attacker’s account. The XMRig container mines cryptocurrency against a private mining pool reached through a dynamic DNS domain under the attacker’s control.
The impact on compromised hosts is resource exhaustion: the XMRig miner consumes the available CPU, while the 9hits app uses significant bandwidth and memory and whatever CPU remains. This starves legitimate workloads on the infected servers, and because the attacker can already run arbitrary containers on the host, it can be a precursor to more severe breaches.
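As an added example (not code from the Cado report or from this article), the following Python shows the two checks a defender would want after reading the description above: it scans a Docker Engine API container listing (the data `docker ps` reads) for containers whose image or command line looks like the XMRig or 9hits payloads, and it inspects a `daemon.json` for a TCP listener configured without TLS client verification, which is the exposure that lets a remote spreader create containers. The container records, image names, IDs and arguments are constructed for illustration, and the pattern lists are assumptions to be tuned to your own inventory.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of a Docker Engine API GET /containers/json
# response. The IDs, image names and arguments are made up for this example;
# they are not indicators published for the campaign.
SAMPLE_CONTAINERS_JSON = json.dumps([
    {
        "Id": "0a1b2c3d4e5f",
        "Names": ["/web-frontend"],
        "Image": "nginx:1.25",
        "Command": "nginx -g 'daemon off;'",
        "State": "running",
    },
    {
        "Id": "1f2e3d4c5b6a",
        "Names": ["/quirky_kernighan"],
        "Image": "someuser/xmrig:latest",
        "Command": "xmrig -o stratum+tcp://pool.example.ddns.net:3333 -u wallet",
        "State": "running",
    },
    {
        "Id": "7788990011aa",
        "Names": ["/brave_lovelace"],
        "Image": "someuser/9hits-viewer:latest",
        "Command": "/bin/sh -c \"/app/run.sh --session-token abc123\"",
        "State": "running",
    },
])

# Constructed /etc/docker/daemon.json that exposes the API on all interfaces
# over plain TCP, with no "tlsverify" setting.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hypothetical pattern lists: image-name fragments for the two payload
# families, and command-line indicators (a stratum pool URL for a miner,
# an explicit session token handed to a viewer app).
SUSPECT_IMAGE_PATTERNS = [r"xmrig", r"9hits"]
SUSPECT_CMD_PATTERNS = [r"stratum\+(tcp|ssl)://", r"--session-token"]


def find_suspicious_containers(containers_json: str) -> List[Dict[str, object]]:
    """Return one finding per container whose image or command matches a pattern.

    The API's "Command" field is what docker ps displays; for the full argv use
    the container's Config.Cmd from GET /containers/{id}/json.
    """
    findings = []
    for c in json.loads(containers_json):
        image = c.get("Image", "")
        cmd = c.get("Command", "")
        reasons = []
        for pat in SUSPECT_IMAGE_PATTERNS:
            if re.search(pat, image, re.IGNORECASE):
                reasons.append(f"image matches /{pat}/")
        for pat in SUSPECT_CMD_PATTERNS:
            if re.search(pat, cmd, re.IGNORECASE):
                reasons.append(f"command matches /{pat}/")
        if reasons:
            findings.append({"id": c["Id"], "image": image,
                             "names": c.get("Names", []), "reasons": reasons})
    return findings


def unauthenticated_tcp_listeners(daemon_json: str) -> List[str]:
    """Return tcp:// hosts from daemon.json that are not protected by tlsverify.

    Without "tlsverify": true (plus tlscacert/tlscert/tlskey) the daemon accepts
    any client that can reach the socket, which is all a spreader needs.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    return [h for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not tls_verify]


if __name__ == "__main__":
    for f in find_suspicious_containers(SAMPLE_CONTAINERS_JSON):
        print(f"{f['id']} {f['image']} {f['names']}: {'; '.join(f['reasons'])}")
    for h in unauthenticated_tcp_listeners(SAMPLE_DAEMON_JSON):
        print(f"daemon listens on {h} without TLS client verification")
```

Run against live data by replacing the constructed strings with the output of `curl --unix-socket /var/run/docker.sock http://localhost/containers/json` and the contents of `/etc/docker/daemon.json`; the daemon check also needs to cover a `-H tcp://...` flag passed to `dockerd` on the command line or in a systemd unit, which this example does not parse.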
According to Cado security researcher Nate Bill, the discovery underscores the continuous evolution of attacker strategies to profit from compromised hosts. It also emphasizes the persistent vulnerability of exposed Docker hosts as an entry point.
“As Docker allows users to run arbitrary code, it is critical that it is kept secure to avoid your systems being used for malicious purposes,” reads the advisory.