
The Cybersecurity Lair™ • January 18, 2024

Latest News | Malicious Docker Onslaught

A New Malicious Cyber Campaign Exploiting 9Hits and XMRig

Cado Security researchers have identified a new campaign targeting exposed Docker hosts. The attackers deploy two containers: a stock XMRig cryptocurrency miner and the 9Hits viewer, an application normally used for automated traffic exchange. This is the first documented case of malware using the 9Hits Traffic Exchange viewer as a payload.


The attackers most likely located their targets through internet scanning services such as Shodan. The compromise itself needs no exploit: a script points the standard Docker CLI at the victim by setting the DOCKER_HOST environment variable to the host's exposed Docker API endpoint, then pulls and runs off-the-shelf 9Hits and XMRig images from Docker Hub. Unlike many Docker attacks, the campaign makes no attempt to break out of the containers; the mining and traffic work happens inside them, so control of the Docker API is all the attackers need.
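The weakness the campaign depends on is a Docker daemon whose API is reachable over plain TCP, where the CLI's DOCKER_HOST variable is enough to drive it from anywhere. The following audit script is an added example (not code from Cado Security or the cited articles) that classifies a daemon's listeners from either /etc/docker/daemon.json or the dockerd command line and shows the weak configuration next to a hardened one; the daemon.json documents, the command line and the certificate paths are constructed assumptions.

```python
"""Audit how a Docker daemon is listening.  The 9Hits/XMRig campaign needed no
exploit: the Engine API was reachable over plain TCP, so pointing DOCKER_HOST at
the victim and running an ordinary `docker run` was enough.  This is an added
example, not code from Cado Security or the cited articles; the daemon.json
documents and dockerd command line below are constructed."""
import json
import shlex
import sys
from urllib.parse import urlsplit

DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]   # dockerd's listener when neither -H nor "hosts" is set
SEVERITY_ORDER = {"info": 0, "warn": 1, "high": 2, "critical": 3}


def listener_findings(hosts, tls_verify):
    """Classify each listener address; returns a list of (address, severity, reason)."""
    findings = []
    for addr in hosts:
        parts = urlsplit(addr)
        if parts.scheme in ("unix", "fd", "npipe"):
            findings.append((addr, "info", "local-only listener"))
        elif parts.scheme != "tcp":
            findings.append((addr, "warn", f"unrecognised listener scheme {parts.scheme!r}"))
        elif tls_verify:
            findings.append((addr, "info", "TCP listener requiring client certificates"))
        else:
            # The Docker API has no authentication of its own: whoever reaches this
            # port can run containers as root on the host, which is all the attackers did.
            host = parts.hostname or "0.0.0.0"
            if host in ("127.0.0.1", "::1", "localhost"):
                findings.append((addr, "high",
                                 "unauthenticated API on loopback; reachable by local users and via SSRF"))
            else:
                findings.append((addr, "critical", f"unauthenticated Docker API exposed on {host}"))
    return findings


def audit_daemon_json(text):
    """Audit the contents of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts") or DEFAULT_HOSTS
    return listener_findings(hosts, bool(cfg.get("tlsverify", False)))


def audit_cmdline(cmdline):
    """Audit a dockerd command line (systemd ExecStart, or /proc/<pid>/cmdline joined with spaces)."""
    argv = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 1                                   # argv[0] is dockerd itself
    while i < len(argv):
        tok = argv[i]
        if tok in ("-H", "--host") and i + 1 < len(argv):
            i += 1
            hosts.append(argv[i])
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return listener_findings(hosts or DEFAULT_HOSTS, tls_verify)


def worst_severity(findings):
    return max((sev for _, sev, _ in findings), key=SEVERITY_ORDER.__getitem__, default="info")


# Constructed samples: the weak configuration the campaign relies on, and a hardened one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,                        # require client certificates signed by tlscacert
    "tlscacert": "/etc/docker/ca.pem",        # assumed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
EXPOSED_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # python3 audit.py /etc/docker/daemon.json
        with open(sys.argv[1]) as fh:
            findings = audit_daemon_json(fh.read())
    else:
        findings = audit_daemon_json(EXPOSED_DAEMON_JSON) + audit_cmdline(EXPOSED_CMDLINE)
    for addr, sev, reason in findings:
        print(f"[{sev:8}] {addr}: {reason}")
    print("worst:", worst_severity(findings))
```

On a live host, feed it `ps -o args= -C dockerd` for the command line as well as the config file, because the two are merged and dockerd refuses to start if `hosts` is set in both places; on Debian and Ubuntu the packaged unit already passes `-H fd://`, so listener changes belong in a systemd drop-in rather than daemon.json. Even the hardened form only helps if the client CA is kept private, and a TCP listener is still a larger attack surface than none at all.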


The infection starts with a custom command that launches the 9Hits container with the nh.sh script as its entry point. The attackers supply their own session token, and the 9Hits app authenticates with it and visits the websites they specify, earning credits for them on the 9Hits platform. Notably, the session token mechanism is designed for untrusted contexts, so the app can run inside an illegitimate campaign without exposing the attacker's account credentials.


The 9Hits app is a headless Chrome application that visits a configured list of websites; the attackers' configuration disables visits to crypto-related sites, presumably to avoid drawing attention to the campaign. The XMRig container mines to a private pool, which prevents researchers from reading the campaign's hashrate and earnings from a public pool's statistics. The supporting infrastructure sits behind a dscloud dynamic DNS domain that a Synology server keeps updated with the attacker's current IP address. For a compromised host the effect is exhausted CPU, as the miner and headless Chrome compete with legitimate workloads, and potentially a remote shell left on the system.
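The containers described above are the host-side evidence a responder can look for, since the attackers never escape them. The script below is an added example, not Cado Security's tooling or the campaign's own code: it triages `docker inspect` output for the pattern the write-up describes, a 9Hits container started through nh.sh alongside an XMRig container, and treats the pair as stronger evidence than either alone. The image-name keywords are a heuristic assumption (the campaign used stock Docker Hub images whose exact tags are not given here), and the sample records, image names and pool address are constructed placeholders.

```python
"""Triage `docker inspect` output for the container pair described in the
9Hits/XMRig write-up.  Added example, not Cado Security's tooling or the campaign's
own code.  The image keywords are a heuristic assumption and the sample records are
constructed.  Real use:
    docker inspect $(docker ps -q) > inspect.json && python3 hunt.py inspect.json"""
import json
import sys

IMAGE_KEYWORDS = ("9hits", "xmrig")     # assumption: the family name appears in the image reference
ENTRYPOINT_MARKERS = ("nh.sh",)         # the 9Hits container's entry point, per the write-up


def indicators(record):
    """Return (family, reason) pairs for one inspect record; an empty list means clean."""
    cfg = record.get("Config") or {}
    image = str(cfg.get("Image") or "").lower()
    # Entrypoint and Cmd are JSON arrays or null in inspect output.
    argv = [str(a).lower() for a in (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])]
    hits = []
    for kw in IMAGE_KEYWORDS:
        if kw in image:
            hits.append((kw, f"image reference {cfg.get('Image')!r} contains {kw!r}"))
    for marker in ENTRYPOINT_MARKERS:
        if any(marker in a for a in argv):
            hits.append(("9hits", f"entrypoint/cmd references {marker!r}"))
    return hits


def hunt(records):
    """Map container name -> list of (family, reason) for every record with indicators."""
    flagged = {}
    for rec in records:
        hits = indicators(rec)
        if hits:
            name = (rec.get("Name") or rec.get("Id") or "?").lstrip("/")
            flagged[name] = hits
    return flagged


def assess(flagged):
    """The campaign drops a 9Hits viewer and an XMRig miner side by side, so seeing
    both families on one host is stronger evidence than either alone."""
    families = {family for hits in flagged.values() for family, _ in hits}
    if {"9hits", "xmrig"} <= families:
        return "high"
    return "medium" if families else "none"


# Constructed inspect records trimmed to the fields used here.  The image names and
# pool address are placeholders, not the campaign's real identifiers.
SAMPLE_INSPECT = [
    {"Id": "0a1b", "Name": "/web-proxy",
     "Config": {"Image": "nginx:1.25", "Entrypoint": ["/docker-entrypoint.sh"],
                "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "2c3d", "Name": "/sleepy_turing",
     "Config": {"Image": "placeholder/9hits-viewer:latest",
                "Entrypoint": ["/bin/sh", "-c", "./nh.sh"], "Cmd": None}},
    {"Id": "4e5f", "Name": "/bold_curie",
     "Config": {"Image": "placeholder/xmrig:latest", "Entrypoint": None,
                "Cmd": ["-o", "pool.invalid:3333"]}},
]

if __name__ == "__main__":
    records = SAMPLE_INSPECT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            records = json.load(fh)
    flagged = hunt(records)
    for name, hits in flagged.items():
        for _, reason in hits:
            print(f"{name}: {reason}")
    print("assessment:", assess(flagged))
```

Because the images are legitimate software from Docker Hub, an image-name match on its own is weak; the entry point and the two-container pairing are what tie a finding to this campaign. Attackers can also rename or retag images, so a sustained spike in container CPU time (`docker stats`) is the complementary signal when the names reveal nothing.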


The campaign is a reminder that exposed Docker hosts remain an attractive target: an unauthenticated Docker API is enough for full compromise without any exploit, so keeping the daemon off the network (or behind mutual TLS) and watching for unexpected containers is basic hygiene for anyone running Docker.


Summary:


Target: exposed, vulnerable Docker servers

Attack method:
  • Deploy two containers: a standard XMRig miner and the 9Hits viewer app (normally used for automated traffic exchange).
  • First documented case of malware using the 9Hits Traffic Exchange viewer as a payload.

Discovery:
  • Attackers likely found servers through services like Shodan.
  • A script compromises servers by setting the DOCKER_HOST variable to the exposed Docker API and running the CLI with Docker Hub images for 9Hits and XMRig.

Infection process:
  • A custom command starts the 9Hits container with nh.sh as its entry point.
  • The attacker's session token is added for authentication.
  • The 9Hits app visits the specified websites, earning credits on the 9Hits platform.

Unique aspects:
  • The session token system is designed for untrusted contexts, so the malware can run in an illegitimate campaign without compromising the attacker's account.
  • The 9Hits app (headless Chrome) visits various websites, with crypto-related sites excluded.
  • XMRig mines to a private pool, hiding the campaign's statistics.
  • No container breakout is attempted.

Infrastructure:
  • Dynamic DNS on a dscloud domain, updated with the attacker's IP by a Synology server.

Impact:
  • Consumes CPU resources, degrading legitimate workloads.
  • Potential for a remote shell on compromised systems.

Security consideration:
  • Highlights the ongoing threat to Docker hosts and the need to keep the Docker API off the network or behind authentication.


Source and further reading.


Ahmed, D. (2024, January 18). Malware Exploiting 9Hits, Turns Docker Servers into Crypto Miners.
Hackread. https://www.hackread.com/docker-servers-malware-traffic-boosted-cryptominers/


Toulas, B. (2024, January 18). Docker hosts hacked in ongoing website traffic theft scheme.
BleepingComputer. https://www.bleepingcomputer.com/news/security/docker-hosts-hacked-in-ongoing-website-traffic-theft-scheme/
