A new and sophisticated malware campaign is targeting vulnerable Docker services, employing a multi-pronged strategy to monetize compromised hosts. In this unique attack, threat actors deploy both the XMRig cryptocurrency miner and the 9Hits Viewer software, marking the first documented case of the 9Hits application being utilized as a payload.
The 9Hits service positions itself as a “unique web traffic solution” and an “automatic traffic exchange,” allowing members to boost traffic to their sites by earning credits through the 9Hits Viewer software. This software, in turn, runs a headless Chrome browser instance to visit websites requested by other members.
While the exact method used to distribute the malware to vulnerable Docker hosts remains unclear, there are suspicions that it involves leveraging search engines like Shodan to scan for potential targets. Once identified, servers are breached to deploy two malicious containers through the Docker API, fetching off-the-shelf images from the Docker Hub library for the 9Hits and XMRig software.
A security researcher highlighted the common attack vector targeting Docker, where attackers opt for generic images from Docker Hub, which are almost always accessible, rather than creating bespoke images for their purposes.
The 9Hits container is then employed to execute code that generates credits for the attacker. It accomplishes this by authenticating with 9Hits using their session token and extracting a list of sites to visit. The attackers have configured the scheme to allow visits to adult sites or those displaying popups while preventing access to cryptocurrency-related sites.
Concurrently, the other container runs an XMRig miner connecting to a private mining pool, making it challenging to ascertain the scale and profitability of the campaign. The primary impact on compromised hosts is resource exhaustion, as the XMRig miner utilizes all available CPU resources, while 9Hits consumes substantial bandwidth, memory, and remaining CPU capacity.
The researcher warns that this campaign could be updated to leave a remote shell on the system, potentially leading to more severe breaches. The overall consequence is a hindrance to legitimate workloads on infected servers, causing them to perform below expectations.
Organizations can enhance security by implementing best practices such as using secure base images and minimizing the use of unnecessary features. Employ network segmentation to isolate containers and restrict unnecessary communication. Ensure that security practices extend to the entire development and deployment lifecycle, from image creation to runtime monitoring. Regularly auditing and assessing containerized applications for vulnerabilities and potential misconfigurations can also help to enhance an organization's cyber security.
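Two of the audit checks the guidance above calls for, as an added Python example that is not from the article or from any researcher's tooling: it flags an Engine API exposed over plain TCP in daemon.json (the exposure this campaign relies on) and lists running containers whose image names match the two payloads. The daemon config, container records and image names are constructed samples, not values observed in the campaign.

```python
import json
import re

# Substrings for the two payload images described in the article; matching on
# the image name is a coarse but cheap first-pass check (assumed patterns).
SUSPECT_IMAGE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"9hits", r"xmrig")]

# Constructed daemon.json: Engine API bound to a plain TCP socket with no TLS
# client verification, next to the default UNIX socket.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed records in the shape returned by GET /containers/json.
SAMPLE_CONTAINERS_JSON = json.dumps([
    {"Id": "0a1b2c", "Image": "nginx:1.25", "Names": ["/web"], "State": "running"},
    {"Id": "3d4e5f", "Image": "example/9hits-viewer", "Names": ["/traffic"], "State": "running"},
    {"Id": "6a7b8c", "Image": "example/xmrig:latest", "Names": ["/miner"], "State": "running"},
])


def exposed_api_findings(daemon_json: str) -> list[str]:
    """Report any tcp:// listener configured without tlsverify."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls_verify:
            findings.append(f"Engine API listens on {host} without TLS client verification")
    return findings


def suspect_container_findings(containers_json: str) -> list[str]:
    """Report containers whose image name matches a known payload pattern."""
    findings = []
    for c in json.loads(containers_json):
        image = c.get("Image", "")
        if any(p.search(image) for p in SUSPECT_IMAGE_PATTERNS):
            names = ",".join(c.get("Names", []))
            findings.append(f"container {c['Id']} ({names}) runs suspect image {image}")
    return findings


def audit(daemon_json: str, containers_json: str) -> list[str]:
    """Combine both checks into one list of findings for the host."""
    return exposed_api_findings(daemon_json) + suspect_container_findings(containers_json)


if __name__ == "__main__":
    for finding in audit(SAMPLE_DAEMON_JSON, SAMPLE_CONTAINERS_JSON):
        print(finding)
```

On a live host, feed `audit()` the contents of /etc/docker/daemon.json and the JSON from `docker ps --format json` or the Engine API's container list instead of the constructed samples.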