2024-01-24

Docker Containers Hijacked for 9hits Traffic and Cryptomining in a Dual-Monetization Attack

Level: Tactical | Source: Cado Security | Global

Containers and cloud services are consistently targeted by threat actors to compromise organizations, often to mine cryptocurrency. In a new campaign observed by Cado Security, researcher Nate Bill describes a dual monetization strategy using an XMRig miner and the 9hits viewer application. This marks the first known instance of the 9hits application, a web traffic exchange platform, being deployed maliciously as part of a malware payload. 9hits works by having members install a viewer app that uses a headless Chrome instance to visit requested websites in return for credits; those credits can then be spent to drive traffic to the members' own sites. In this campaign, attackers exploit Docker hosts to run the 9hits viewer app, earning credits for themselves while exhausting the resources of the compromised systems. The approach not only consumes CPU for cryptocurrency mining but also uses significant bandwidth and memory for traffic generation.

The attack begins with the threat actors identifying vulnerable systems, possibly using internet-wide scanning services such as Shodan. Based on network captures from Cado Security's honeypot, the IP addresses involved have been traced to China and to a hosting service in Japan. Cado infers that these IPs are not typically used for scanning, since they do not appear in known abuse databases. The attackers then deploy malicious containers via the Docker API, pulling images from Docker Hub to maintain a low profile. "In our investigations of campaigns targeting our honeypot, we often find attackers will use a generic Alpine image and attach to it in order to break out of the container and run their malware on the host. In this case, the attacker makes no attempt to exit the container, and instead just runs the container with a predetermined argument," Bill explains.

The 9hits container executes a script with a session token, which is designed to work in untrusted environments, thereby avoiding the risk of the attacker’s account being compromised. This script allows the app to authenticate and generate credits by visiting a list of websites. Additionally, the campaign deploys an XMRig container to mine Monero, utilizing the cloud system’s resources. This container connects to a private mining pool, obscuring the campaign's scale and profit. Cado Security highlights that the domain used for the mining pool indicates the attacker’s use of dynamic DNS services to maintain control.

For cybersecurity detection engineers, the key indicators to monitor include the launch of new containers, execution of specific scripts like nh.sh with session tokens, and the setting of specific arguments in the 9hits app, such as allowing popups or visiting adult sites. The campaign demonstrates an innovative method of exploiting cloud resources, combining traditional cryptomining with traffic generation for profit.
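The detection indicators above, turned into a simple triage rule over container configuration records. This is an added example, not code from Cado Security or Anvilogic: the records are constructed to resemble a subset of `docker inspect` output, and the image names, pool host, token value and flag names (`--allow-popups`, `--visit-adult`) are illustrative placeholders, since the page does not give the exact 9hits arguments.

```python
import re

# Constructed sample records shaped like a subset of `docker inspect` output
# (Name, Config.Image, Config.Cmd). Image names, the pool host, the token
# and the flag names are illustrative placeholders, not values from the campaign.
SAMPLE_CONTAINERS = [
    {"Name": "/web-frontend",
     "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Name": "/sleepy_goldberg",
     "Config": {"Image": "example/9hits-viewer-sample",
                "Cmd": ["/app/nh.sh", "SESSION_TOKEN_PLACEHOLDER_0123456789",
                        "--allow-popups", "--visit-adult"]}},
    {"Name": "/bold_fermi",
     "Config": {"Image": "example/xmrig-sample",
                "Cmd": ["xmrig", "-o", "pool.placeholder.example:3333", "-k"]}},
]

NH_SCRIPT = re.compile(r"(^|/)nh\.sh$")
# Heuristic only: a long opaque argument directly after nh.sh is treated as a session token.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_-]{24,}$")
VIEWER_FLAGS = ("popup", "adult")

def classify_container(record):
    """Return a list of indicator strings for one container record (empty if none)."""
    cfg = record.get("Config") or {}
    image = (cfg.get("Image") or "").lower()
    cmd = [str(a) for a in (cfg.get("Cmd") or [])]
    findings = []
    if "9hits" in image:
        findings.append("image name references 9hits")
    if "xmrig" in image or any("xmrig" in a.lower() for a in cmd):
        findings.append("xmrig miner in image or command")
    for i, arg in enumerate(cmd):
        if NH_SCRIPT.search(arg):
            findings.append("nh.sh launcher executed")
            if i + 1 < len(cmd) and TOKEN_LIKE.match(cmd[i + 1]):
                findings.append("nh.sh given a session-token-like argument")
    if any(flag in a.lower() for a in cmd for flag in VIEWER_FLAGS):
        findings.append("viewer flags for popups/adult sites present")
    return findings

def scan_containers(records):
    """Map container name -> findings for every record that triggers at least one indicator."""
    return {r["Name"]: f for r in records if (f := classify_container(r))}

if __name__ == "__main__":
    for name, hits in scan_containers(SAMPLE_CONTAINERS).items():
        print(name, "->", "; ".join(hits))
```

In practice the records would come from `docker inspect` on each container reported by a container-start event, so the rule fires at launch time rather than on a periodic sweep.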
