New Docker malware steals CPU for crypto and creates fake website traffic

Docker Malware

Vulnerable Docker services are being targeted in a new campaign in which the threat actors are deploying both the XMRig cryptocurrency miner and the 9Hits Viewer software as part of a multi-pronged monetization strategy.

“This is the first documented case of malware using the 9Hits application as a payload,” said cloud security company Cado. saidThe addition of this development is a sign that adversaries are always looking to diversify their strategies to monetize compromised hosts.

9 hits advertises bills itself as a “unique web traffic solution” and an “automatic traffic exchange” that allows members of the service to drive traffic to their sites in exchange for purchasing credits.

This is accomplished through a software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members, for which they earn credits to pay for driving traffic to their sites.

The exact method used to distribute the malware to vulnerable Docker hosts is currently unclear, but it is suspected to involve using search engines such as Shodan to scan for potential targets.

The servers are then hacked to deploy two malicious containers via the Docker API and retrieve ready-made images from the Docker Hub library for the 9Hits and XMRig software.

“This is a common attack vector for campaigns targeting Docker, where instead of pulling a custom image for their purposes, they pull a generic image from Dockerhub (which will almost always be accessible) and use it for their needs,” said security researcher Nate Bill. .

The 9Hits container is then used to execute code to generate credits for the attacker by authenticating to 9Hits using their session token and extracting the list of sites to visit.

The threat actors also configured the plan to allow visiting adult sites or sites that show pop-ups, but prevent visiting sites related to cryptocurrency.

The other container is used to run an XMRig miner that connects to a private mining pool, making it impossible to determine the scale and profitability of the campaign.

“The main impact of this campaign on compromised hosts is resource depletion, as the use,” said Bill.

“The result of this is that legitimate workloads on infected servers may no longer perform as expected. Additionally, the campaign could be updated to leave a remote shell on the system, potentially causing a more serious breach.”

#Docker #malware #steals #CPU #crypto #creates #fake #website #traffic

Notify of
Inline Feedbacks
View all comments
Previous Post
Ivanti EPMM Vulnerability

US Cybersecurity Agency warns of actively exploited Ivanti EPMM vulnerability

Next Post
MFA Spamming

When security measures go wrong

Related Posts