Cado Security has detected a recent campaign that targets vulnerable Docker services and deploys both an XMRig miner and the 9hits viewer application on compromised hosts, giving the attackers a double monetization strategy.
The 9hits platform is known for being a web traffic exchange, where members can drive traffic to other users’ sites. In this case, attackers install the 9hits viewer application on compromised Docker hosts to generate fraudulent credits, exploiting the resources of these systems to direct traffic as part of the 9hits peering system.
Cado Security reports that this is the first time the deployment of the 9hits application as a malicious payload has been documented.
Although it is unclear how threat actors find vulnerable systems, Cado suggests that they likely use network scanning tools like Shodan to discover vulnerable servers and compromise them by deploying malicious containers via the Docker API.
The containers are built from Docker Hub images to reduce suspicion. The spreader script captured by Cado's Docker honeypot uses the Docker command-line interface: it sets the DOCKER_HOST variable to point at the exposed API and then issues ordinary API calls to pull and run the containers.
The 9hits container runs a script (nh.sh) with a session token, allowing it to authenticate and generate credits for the attacker by visiting a list of websites.
The session token system is designed to operate securely even in untrusted environments, allowing the attacker to profit without the risk of being banned.
The other container runs an XMRig miner that mines the Monero cryptocurrency for the attacker, using cloud system resources.
The miner connects to a private mining pool, making it impossible to track the scale or profits of the campaign. Cado notes that the domain used for the mining pool suggests that the attacker could use dynamic DNS services to maintain control.
The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner uses all available CPU resources, while 9hits consumes a large amount of bandwidth, memory, and the little remaining CPU.
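Two defensive checks that follow from the campaign described above, written as an added example that is not part of Cado's report or this article: one flags a Docker daemon listening on tcp:// without TLS client verification (the exposure the attackers rely on), the other scans `docker inspect` output for the indicator words the article names (xmrig, 9hits, nh.sh). The daemon.json, container records, image names and pool address are all constructed sample data.

```python
import json

# Indicator words taken from the article: the XMRig miner and the 9hits viewer,
# which runs the script nh.sh. Not Cado's IoC list; a constructed, minimal set.
INDICATOR_WORDS = ("xmrig", "9hits", "nh.sh")


def audit_daemon_config(daemon_json_text):
    """Return the tcp:// listeners in a daemon.json that lack TLS client
    verification. An unauthenticated Docker API is the campaign's entry point."""
    cfg = json.loads(daemon_json_text)
    hosts = cfg.get("hosts", [])
    tls_ok = bool(cfg.get("tlsverify")) and "tlscacert" in cfg
    return [h for h in hosts if h.startswith("tcp://") and not tls_ok]


def flag_containers(inspect_json_text):
    """Given the JSON array printed by `docker inspect`, return the names of
    containers whose image, entrypoint or command mention an indicator word."""
    flagged = []
    for c in json.loads(inspect_json_text):
        cfg = c.get("Config", {})
        # Cmd and Entrypoint are null in inspect output when unset, hence `or []`.
        parts = [cfg.get("Image", ""), *(cfg.get("Entrypoint") or []), *(cfg.get("Cmd") or [])]
        haystack = " ".join(parts).lower()
        if any(word in haystack for word in INDICATOR_WORDS):
            flagged.append(c.get("Name", "").lstrip("/"))
    return flagged


# Constructed sample inputs: a daemon exposed on all interfaces without TLS, and
# three containers of which two match the indicators (image/pool names invented).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Name": "/worker1", "Config": {"Image": "example/miner:latest",
                                    "Cmd": ["xmrig", "-o", "pool.example.invalid:3333"]}},
    {"Name": "/worker2", "Config": {"Image": "example/viewer",
                                    "Entrypoint": ["/bin/sh", "nh.sh", "SESSION_TOKEN_PLACEHOLDER"]}},
])

if __name__ == "__main__":
    print("exposed API listeners:", audit_daemon_config(SAMPLE_DAEMON_JSON))
    print("suspicious containers:", flag_containers(SAMPLE_INSPECT))
```

On a live host, feed `audit_daemon_config` the contents of /etc/docker/daemon.json and `flag_containers` the output of `docker inspect $(docker ps -aq)`.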
Cado Security highlights that this campaign demonstrates that threat actors are constantly exploring alternative monetization channels beyond traditional methods such as cryptocurrency mining, diversifying their attacks and seeking more covert avenues.
Platforms abused by threat actors, such as 9hits, are being called upon to implement stronger security controls and policies that prevent unauthorized use of their applications, which can cause financial damage and disruption to organizations.
Organizations investing in cloud computing environments face a complicated landscape and are urged to adopt zero trust models, Cloud Workload Protection Platforms (CWPP) and Cloud Security Posture Management (CSPM) to improve visibility, manage configurations, and protect exposed assets.