Dual Threat: New Campaign Exploits Docker with XMRig and 9hits

A new campaign targeting vulnerable Docker services is deploying the XMRig miner and the 9hits application, enabling a dual monetization strategy on compromised hosts. This marks the first documented instance of the 9Hits application being used as malicious software, according to a report by Cado Security.

9Hits is a traffic exchange system that allows users to attract traffic to their websites. This is achieved through the 9hits viewer application, installed on client devices and operating based on an autonomous instance of the Chrome browser. Users earn points by visiting the sites of other members in the system, which are then spent to attract visitors to their sites. As this is an automated method of increasing website traffic, the resulting traffic is not organic and may not contribute to genuine engagement or conversions.


According to Cado Security, cybercriminals deploy the 9hits viewer application on compromised Docker hosts, exploiting the resources of hacked systems to generate credits for themselves. Vulnerable servers are likely identified using the Shodan network scanner, and then malicious containers are deployed through the Docker API.

The containers are run from images pulled from Docker Hub, which helps them avoid suspicion. The deployment script captured by Cado's honeypot uses the Docker CLI with the DOCKER_HOST variable pointed at the exposed daemon and issues ordinary API calls to pull and start the containers.
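The campaign only works because the Docker daemon's API is reachable over TCP without client authentication. The following added example (not code from the report or from Cado) audits a daemon.json for that condition: a TCP listener on all interfaces, the conventional plaintext port 2375, or a TCP listener without `tlsverify` and the CA/cert/key triple that enforces client-certificate authentication. The two embedded configs are constructed samples, and the file paths in the hardened one are placeholders.

```python
import json

# Constructed sample configs (not taken from the report): an exposed daemon
# as the campaign needs it, and a hardened one with client-cert auth.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw: str) -> list[str]:
    """Return findings explaining why this daemon.json would let a remote
    party drive the Docker API (pull and start containers) unauthenticated."""
    cfg = json.loads(raw)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local unix socket: not reachable by scanners

    # tlsverify makes the daemon require client certs signed by tlscacert;
    # "tls" alone only encrypts and still accepts any client.
    client_auth = bool(cfg.get("tlsverify")) and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")
    )
    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h}: API bound on all interfaces")
        if port == "2375":
            findings.append(f"{h}: conventional plaintext API port")
        if not client_auth:
            detail = "TLS without client verification" if cfg.get("tls") else "no TLS at all"
            findings.append(f"{h}: unauthenticated remote API ({detail})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

To audit a live host, read `/etc/docker/daemon.json` and also check the systemd unit, since `-H tcp://...` on the dockerd command line has the same effect as the `hosts` key.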

One of the containers launches the XMRig miner, which mines Monero cryptocurrency for the attacker, utilizing the resources of the cloud system. The miner connects to a private mining pool, making it impossible to track the scale of the campaign or the profits. It is noted that the domain used for the mining pool suggests the use of dynamic DNS services by the attackers to maintain control.

The 9hits container launches a script (nh.sh) with a session token, which lets it authenticate and generate credits for the attacker by visiting a list of websites. The session token mechanism is designed to keep working even in unreliable environments, so the attacker profits without risking a ban. The 9hits application was chosen for features such as permitting pop-ups and visits to adult sites while prohibiting visits to cryptocurrency-related sites.

The primary impact of the campaign on compromised hosts is resource depletion, as the XMRig miner utilizes all available CPU resources, while 9hits consumes a significant amount of bandwidth, memory, and remaining CPU capacity. As a result, workloads on infected servers are unable to function properly.

The discovered campaign demonstrates that cybercriminals are constantly exploring alternative monetization channels beyond traditional methods such as cryptocurrency mining. They diversify their attacks and follow more covert paths. Platforms used by attackers, such as 9hits, require stricter security checks and policies to prevent unauthorized use of their applications, which could lead to financial losses and operational disruptions for organizations.

Entities investing in cloud computing environments must navigate this complex landscape. This requires the use of Zero Trust models, Cloud Workload Protection Platforms (CWPP), and Cloud Security Posture Management (CSPM) to improve visibility, manage configurations, and protect assets vulnerable to attack.