Malicious Campaign Targets Vulnerable Docker Services with Unique 9Hits Monetization Approach

A newly discovered campaign is homing in on exposed Docker services, combining the XMRig cryptocurrency miner with the 9Hits Viewer software. Cloud security firm Cado reports that this is the first time it has seen 9Hits deployed as a payload, a sign that attackers are diversifying the ways they monetize compromised hosts.

9Hits, marketed as a “unique web traffic solution,” is an automatic traffic-exchange service: members earn credits by running the 9Hits Viewer, which drives a headless Chrome browser to visit websites requested by other members, and spend those credits to have their own sites visited in turn. How the malware reaches Docker hosts has not been confirmed; Cado suspects the attackers use Shodan, a search engine for internet-exposed services, to find hosts whose Docker API is reachable from the internet.

Once they reach an exposed Docker API, the attackers use it to start two containers, pulling stock images for 9Hits and XMRig from Docker Hub rather than building bespoke ones; pulling off-the-shelf images through an unauthenticated API is a well-worn pattern in attacks on Docker hosts. The 9Hits container authenticates to the 9Hits service with the attacker’s session token, retrieves the list of sites to visit, and earns credits for the attacker’s account. The attacker’s configuration permits visits to certain site categories but excludes cryptocurrency-related sites.
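The two conditions this paragraph describes, a Docker API reachable over plain TCP and containers started from stock miner or 9Hits images, can both be checked from the host side. The script below is an added example written for this page, not Cado’s tooling or anything from the campaign: it reads a daemon.json-style configuration and the JSON that `GET /containers/json` returns from the Docker Engine API, and flags what matches. The image-name and command-line patterns are assumptions (the report names the software, not the exact Docker Hub repositories the attackers pull), and the daemon configurations and container listing are constructed sample data rather than captured from a real host.

```python
"""Audit a Docker host for the pattern described above: an API listening on
plain TCP without TLS client verification, and running containers whose
image or command line point at XMRig or the 9Hits Viewer.

Example code written for this page; not Cado's tooling and not the
attacker's scripts.  Patterns and sample data are assumptions.
"""

import json
import re
from typing import Any

# Image-name fragments worth flagging.  The report names the software but
# not the exact Docker Hub repositories, so these are assumed substrings.
SUSPECT_IMAGE_PATTERNS = [
    re.compile(r"xmrig", re.IGNORECASE),
    re.compile(r"9hits", re.IGNORECASE),
]

# Command-line fragments typical of a miner or the 9Hits client, so a
# renamed image is still caught (assumed, not from the report).
SUSPECT_CMD_PATTERNS = [
    re.compile(r"(^|\s)xmrig(\s|$)"),
    re.compile(r"--donate-level"),      # xmrig-specific flag
    re.compile(r"9hits", re.IGNORECASE),
]

# Constructed daemon.json contents.  The weak one is the configuration an
# exposed-API attack needs: a tcp:// listener with no TLS verification.
WEAK_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
# Hardened alternative: remote access only over mutually authenticated TLS
# (these are real dockerd daemon.json keys; the paths are placeholders).
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed listing in the shape of GET /containers/json: one benign
# container and two that mimic the campaign's 9Hits and XMRig containers.
SAMPLE_CONTAINERS = [
    {"Id": "a1b2c3d4e5f60000", "Names": ["/web"], "Image": "nginx:1.25",
     "Command": "nginx -g 'daemon off;'"},
    {"Id": "deadbeef00001111", "Names": ["/miner"], "Image": "someuser/xmrig:latest",
     "Command": "xmrig -o 203.0.113.10:3333 --donate-level 0"},
    {"Id": "cafebabe22223333", "Names": ["/viewer"], "Image": "someuser/9hits-viewer",
     "Command": "/entrypoint.sh --token ****"},
]


def api_exposed_without_tls(daemon_config: dict[str, Any]) -> list[str]:
    """Return the tcp:// listeners that are not protected by tlsverify.

    dockerd's "hosts" list holds endpoints such as unix:///var/run/docker.sock
    or tcp://0.0.0.0:2375; a tcp:// endpoint is only safe with tlsverify on.
    """
    if daemon_config.get("tlsverify"):
        return []
    return [h for h in daemon_config.get("hosts", []) if h.startswith("tcp://")]


def flag_containers(containers: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Scan /containers/json entries and report image or command matches."""
    findings = []
    for c in containers:
        image = c.get("Image", "")
        cmd = c.get("Command", "")
        names = ",".join(n.lstrip("/") for n in c.get("Names", []))
        reasons = []
        if any(p.search(image) for p in SUSPECT_IMAGE_PATTERNS):
            reasons.append(f"image {image!r} matches a miner/9Hits name")
        if any(p.search(cmd) for p in SUSPECT_CMD_PATTERNS):
            reasons.append(f"command {cmd!r} looks like a miner/9Hits client")
        if reasons:
            findings.append({"id": c.get("Id", "")[:12], "name": names,
                             "image": image, "reason": "; ".join(reasons)})
    return findings


def audit(daemon_config: dict[str, Any], containers: list[dict[str, Any]]) -> dict[str, Any]:
    """Combine both checks into one report dict."""
    return {"exposed_tcp_listeners": api_exposed_without_tls(daemon_config),
            "suspect_containers": flag_containers(containers)}


if __name__ == "__main__":
    # On a real host, load /etc/docker/daemon.json and the output of
    # `curl --unix-socket /var/run/docker.sock http://localhost/containers/json`.
    print(json.dumps(audit(WEAK_DAEMON_JSON, SAMPLE_CONTAINERS), indent=2))
```

The command-line patterns matter more than the image names: an attacker who tags a copy of the miner as something innocuous still has to pass XMRig its pool and donation flags, and those survive in the `Command` field. Run against the constructed data, the audit reports the `tcp://0.0.0.0:2375` listener and flags the `miner` and `viewer` containers while leaving `web` alone.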

The second container runs an XMRig miner pointed at a private mining pool, which hides the campaign’s scale and earnings from outside observers, since a public pool would expose the wallet’s hash rate and payouts. On a compromised host the effect is resource exhaustion: XMRig takes every available CPU core, while the 9Hits headless browser consumes substantial bandwidth and memory, disrupting legitimate workloads on the server. Cado security researcher Nate Bill warns that the campaign may evolve, for example by leaving a remote shell on the host, which would turn a resource-theft incident into a more serious breach.