Security researchers have identified a new malicious campaign targeting Docker services, utilizing a two-fold monetization approach. The attackers deploy both the XMRig cryptocurrency miner and the 9Hits Viewer application, marking a strategic evolution in malware deployment.
According to cloud security specialists at Cado, this incident is the first known case in which the 9Hits application has been used as part of a malware payload. The shift shows that cybercriminals keep exploring new ways to monetize compromised systems.
9Hits functions as an “automatic traffic exchange” service. It allows users to generate web traffic for their websites by earning credits. These credits are accumulated through the 9Hits Viewer software, which operates a headless Chrome browser to visit other members’ websites, thereby creating a reciprocal traffic generation system.
How the malware reaches Docker hosts remains unclear, but it likely involves scanning for potential targets with search engines such as Shodan. Once an exposed server is identified, the attackers deploy malicious containers through the Docker API, pulling generic images from the Docker Hub library to run the 9Hits and XMRig programs.
Security expert Nate Bill explains that this approach is typical of Docker-targeted attacks: rather than publishing custom images, attackers prefer readily available Docker Hub images and repurpose them for malicious ends.
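The following triage script is an added defender-side example, not code from Cado or the article. It flags running containers that fit the pattern described above (a generic Docker Hub library image whose command line or environment references the XMRig or 9Hits payloads) and checks whether the daemon configuration exposes the API over plain TCP. The image list, field names and sample data are constructed assumptions for illustration.

```python
"""Triage helper for a Docker host: flag containers built from a generic
library image that launch a known payload, and check whether the Docker
API is bound to a TCP socket without TLS. Sample inputs are constructed."""
import json
import re

# Payload names taken from the article. Assumption: they appear in the
# container's Cmd or Env as seen in `docker inspect` output.
SUSPICIOUS = re.compile(r"xmrig|9hits", re.IGNORECASE)
# Generic Docker Hub library images (illustrative list, not an indicator list).
GENERIC_IMAGES = {"alpine", "ubuntu", "debian", "busybox"}


def flag_containers(inspect_json: str) -> list[str]:
    """Return names of containers whose image is a generic library image and
    whose command or environment mentions a known payload. The input is the
    JSON array printed by `docker inspect $(docker ps -q)`."""
    hits = []
    for c in json.loads(inspect_json):
        image = c["Config"]["Image"].split(":")[0].split("/")[-1]
        cmd = " ".join(c["Config"].get("Cmd") or [])
        env = " ".join(c["Config"].get("Env") or [])
        if image in GENERIC_IMAGES and SUSPICIOUS.search(cmd + " " + env):
            hits.append(c["Name"].lstrip("/"))
    return hits


def daemon_exposed_without_tls(daemon_json: str) -> bool:
    """True if /etc/docker/daemon.json binds the API to a tcp:// host
    without requiring TLS client certificates (tlsverify)."""
    cfg = json.loads(daemon_json)
    tcp = any(h.startswith("tcp://") for h in cfg.get("hosts", []))
    return tcp and not cfg.get("tlsverify", False)


# Constructed sample: one benign container and one matching the pattern.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25",
        "Cmd": ["nginx", "-g", "daemon off;"], "Env": []}},
    {"Name": "/zealous_morse", "Config": {"Image": "alpine:latest",
        "Cmd": ["sh", "-c", "/tmp/xmrig"], "Env": ["HOME=/root"]}},
])
# Constructed sample: daemon listening on all interfaces with no TLS.
SAMPLE_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    print("suspicious containers:", flag_containers(SAMPLE_INSPECT))
    print("API exposed without TLS:", daemon_exposed_without_tls(SAMPLE_DAEMON))
```

On a real host, feed it `docker inspect $(docker ps -q)` and the contents of daemon.json; a hit on either check is a reason to pull the container's filesystem and process list before removing it.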
The 9Hits container operates by visiting websites to accumulate credits for the attackers. This is achieved by the malware authenticating with 9Hits using the attacker’s session token and systematically visiting listed websites. Interestingly, the configuration allows visits to adult and popup-laden sites while avoiding cryptocurrency-related websites.
In contrast, the second container runs the XMRig miner, which connects to a private mining pool. This setup obscures the full extent and profitability of the campaign.
The primary impact on compromised Docker hosts is significant resource depletion. The XMRig miner aggressively utilizes available CPU power, while the 9Hits application consumes substantial bandwidth and memory, leaving minimal resources for legitimate server tasks. This heavy resource usage can severely impair the performance of legitimate workloads on infected servers.
Furthermore, Nate Bill warns that the campaign could evolve, potentially leaving a backdoor for more severe breaches. Such an update could allow attackers to establish a remote shell on the system, escalating the threat level significantly.