A new campaign is targeting vulnerable Docker services, deploying the XMRig cryptocurrency miner and the 9Hits Viewer software as part of a multi-pronged monetization strategy.
According to cloud security firm Cado, “this is the first documented instance of malware deploying the 9Hits application as a payload,” and the development is evidence that adversaries are constantly looking for new ways to exploit compromised hosts for financial gain.
9Hits promotes itself as a “unique web traffic solution” and an “automatic traffic exchange” that enables service users to direct traffic to their websites in exchange for credit purchases.
This is done through a program called 9Hits Viewer, which uses a headless Chrome browser instance to visit websites requested by other members; in exchange for driving that traffic, the user earns credits.
It is currently unknown how the malware was distributed to vulnerable Docker hosts, but the attackers are thought to have used search engines such as Shodan to find potential targets.
The servers are then compromised through the Docker API, which is used to deploy two malicious containers built from off-the-shelf images for the XMRig and 9Hits software.
According to security researcher Nate Bill, “This is a common attack vector for campaigns targeting Docker, where instead of fetching an individual image for their purposes, they pull an overall image from the dockerhub (which will almost always be accessible) and leverage it to their needs.”
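As an added example (not part of Cado's report or this article), the Python script below shows two defender-side checks against the attack vector described above: it parses `docker events --format '{{json .}}'` output to flag image pulls and container creations from repositories outside a hypothetical allowlist, and it inspects a parsed `daemon.json` for `tcp://` listeners that do not require TLS client verification. The event JSON shape and the `hosts`/`tlsverify` keys are Docker's own; the sample events, the allowlist and the repository and container names are constructed.

```python
import json

# Constructed sample of `docker events --format '{{json .}}'` output (not from the article):
SAMPLE_EVENTS = """\
{"status":"pull","id":"nginx:1.25","Type":"image","Action":"pull","Actor":{"ID":"nginx:1.25","Attributes":{"name":"nginx"}},"time":1700000000}
{"status":"pull","id":"someuser/miner:latest","Type":"image","Action":"pull","Actor":{"ID":"someuser/miner:latest","Attributes":{"name":"someuser/miner"}},"time":1700000010}
{"status":"create","id":"9f2c","from":"someuser/miner:latest","Type":"container","Action":"create","Actor":{"ID":"9f2c","Attributes":{"image":"someuser/miner:latest","name":"worker"}},"time":1700000011}
{"status":"start","id":"9f2c","from":"someuser/miner:latest","Type":"container","Action":"start","Actor":{"ID":"9f2c","Attributes":{"image":"someuser/miner:latest","name":"worker"}},"time":1700000012}
"""

# Hypothetical allowlist of repositories this host is expected to run.
APPROVED_REPOS = {"nginx", "library/nginx"}


def repo_of(image_ref):
    """Strip the tag or digest from an image reference, e.g. 'a/b:1.0' -> 'a/b'."""
    name = image_ref.split("@", 1)[0]          # drop any @sha256:... digest
    head, _, tail = name.rpartition("/")       # a tag can only follow the last '/'
    tail = tail.split(":", 1)[0]
    return f"{head}/{tail}" if head else tail


def flag_unapproved(events_text, approved=APPROVED_REPOS):
    """Return (action, image) for each image pull or container create not in the allowlist."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") == "image" and ev.get("Action") == "pull":
            image = ev["id"]
        elif ev.get("Type") == "container" and ev.get("Action") == "create":
            image = ev["Actor"]["Attributes"]["image"]
        else:
            continue                           # start/stop/die etc. are not reviewed here
        if repo_of(image) not in approved:
            findings.append((ev["Action"], image))
    return findings


def unauthenticated_tcp_hosts(daemon_config):
    """Return tcp:// listeners from a parsed daemon.json that do not require client TLS certs."""
    if daemon_config.get("tlsverify") is True:
        return []
    return [h for h in daemon_config.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    print(flag_unapproved(SAMPLE_EVENTS))
    # Constructed daemon.json exposing the API on every interface with no TLS: the weak setting.
    weak = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
    print(unauthenticated_tcp_hosts(weak))
```

In practice the event stream would be piped in from `docker events` on the host, and the allowlist would come from the deployment inventory rather than a literal.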
Once the 9Hits container has authenticated to the service with the attackers' session token and retrieved the list of websites to visit, it visits them to generate credits for the attackers.
The threat actors have also configured the viewer to allow visits to adult websites and websites that display popups, while blocking visits to cryptocurrency-related websites.
The other container runs an XMRig miner that connects to a private mining pool, which makes it impossible to estimate the campaign’s size and profitability.
Resource exhaustion is the main effect of this campaign on compromised hosts, according to Bill, as the XMRig miner will use all available CPU resources while 9Hits will consume a lot of bandwidth, memory, and what little CPU is left.
“As a result, legitimate workloads on infected servers will be unable to function as anticipated. A more serious breach could also result from updating the campaign to leave a remote shell on the system.”