This odd malware is targeting Docker hosts - in order to boost web traffic

News
By published

Compromised Docker hosts are being used to run 9hits

Docker
(Image credit: Flickr)

Vulnerable Docker hosts are being targeted with an odd cybercrime campaign, whose goal isn’t to steal sensitive data, deploy stage-two malware, or mount devastating Distributed Denial of Service (DDoS) attacks. 

Instead, this campaign’s goal is to boost website traffic for the attackers, via an application known as 9hits.

According to researchers from Cado Security, 9hits is a web traffic exchange platform, where users can drive traffic among themselves. When a user installs 9hits, their device visits other members’ websites via a headless Chrome instance. In exchange, the user receives credits which they can then spend to drive traffic to their own sites. By installing 9hits on compromised Docker instances, the attackers generate additional credits which they can then exchange for more traffic for themselves. 

XMRig for good measure

"This is the first documented case of malware deploying the 9hits application as a payload," Cado Security said in its report. 

To install 9hits, the attackers must first gain access to the vulnerable Docker hosts. At this time, Cado’s researchers don’t know for certain how hackers reach these instances, but are speculating they’re scanning the network with Shodan and then using the Docker API to deploy malicious containers. 

But that’s not all. The threat actors sought to maximize the use of the resources, so besides 9hits, they also deployed XMRig. This is a popular cryptocurrency miner that takes up significant resources (compute power, electrical power, internet) to generate the Monero (XMR) currency. As a result, the compromised Docker hosts are unable to complete the tasks they were supposed to be doing. 

"The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left," the report further states. Monero is a popular choice for cybercriminals as it’s practically impossible to trace. Furthermore, XMRig connects to a private mining pool, meaning the researchers couldn’t even determine how much money was generated. 

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person at a laptop with a cybersecure lock symbol floating above it.
Cybercrime gang targets victims with "triple threat" attacks
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
ID theft
New Androxgh0st botnet targets vulnerabilities in IoT devices and web applications via Mozi integration
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Mac users targeted with new malware, so be on your guard
Latest in Security
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
WordPress on a laptop
Over 20,000 WordPress sites hit by damaging malware campaign
Trojan
WhatsApp patches security flaw which let hackers install spyware
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedly left users exposed for months
Latest in News
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 21 (game #1152)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 21 (game #383)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 21 (game #649)
The ASSC Assassin's Creed collection.
The Assassin's Creed x Anti Social Social Club drop includes gaming merch that I wouldn't be embarrassed to wear
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Boston Dynamics all electric Altas
This robot can do a cartwheel better than me and now I'm freaking out – but in a good way
More about security
Lock on Laptop Screen

Data breach at Pennsylvania education union potentially exposes 500,000 victims
Trojan

WhatsApp patches security flaw which let hackers install spyware
Amazon cheap tech gadgets under $50

Amazon's latest sale is filled with cheap tech gadgets: here are 16 deals I'd buy under $50
See more latest
Most Popular
The ASSC Assassin's Creed collection.
The Assassin's Creed x Anti Social Social Club drop includes gaming merch that I wouldn't be embarrassed to wear
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 21 (game #1152)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 21 (game #383)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 21 (game #649)
Living room with Microsoft Xbox Series X (L) and Sony PlayStation 5 home video game consoles alongside a television and soundbar, taken on November 3, 2020.
The PS5 is currently selling faster than the PS4 did in the US, but I'm surprised to discover that the Xbox Series X and S are trailing behind Xbox One
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Samsung Galaxy Tab S9 FE Plus on a desk showing the rear of the device from above
The Samsung Galaxy Tab S10 FE could be a powerful iPad Air rival, based on the latest specs rumors
Trojan
WhatsApp patches security flaw which let hackers install spyware
God of War 20th anniversary vinyl box set.
The God of War 20th anniversary vinyl box set features 13 discs and 150 remastered songs
Boston Dynamics all electric Altas
This robot can do a cartwheel better than me and now I'm freaking out – but in a good way