This odd malware is targeting Docker hosts - in order to boost web traffic

News
By Sead Fadilpašić
published

Compromised Docker hosts are being used to run 9hits

Docker
(Image credit: Flickr)

Vulnerable Docker hosts are being targeted with an odd cybercrime campaign, whose goal isn’t to steal sensitive data, deploy stage-two malware, or mount devastating Distributed Denial of Service (DDoS) attacks. 

Instead, this campaign’s goal is to boost website traffic for the attackers, via an application known as 9hits.

According to researchers from Cado Security, 9hits is a web traffic exchange platform, where users can drive traffic among themselves. When a user installs 9hits, their device visits other members’ websites via a headless Chrome instance. In exchange, the user receives credits which they can then spend to drive traffic to their own sites. By installing 9hits on compromised Docker instances, the attackers generate additional credits which they can then exchange for more traffic for themselves. 

XMRig for good measure

"This is the first documented case of malware deploying the 9hits application as a payload," Cado Security said in its report. 

To install 9hits, the attackers must first gain access to the vulnerable Docker hosts. At this time, Cado’s researchers don’t know for certain how hackers reach these instances, but are speculating they’re scanning the network with Shodan and then using the Docker API to deploy malicious containers. 

But that’s not all. The threat actors sought to maximize the use of the resources, so besides 9hits, they also deployed XMRig. This is a popular cryptocurrency miner that takes up significant resources (compute power, electrical power, internet) to generate the Monero (XMR) currency. As a result, the compromised Docker hosts are unable to complete the tasks they were supposed to be doing. 

"The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left," the report further states. Monero is a popular choice for cybercriminals as it’s practically impossible to trace. Furthermore, XMRig connects to a private mining pool, meaning the researchers couldn’t even determine how much money was generated. 

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.