Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This odd malware is targeting Docker hosts - in order to boost web traffic

Docker.

Vulnerable Docker hosts are being targeted with an odd cybercrime campaign, whose goal isn’t to steal sensitive data, deploy stage-two malware, or mount devastating Distributed Denial of Service (DDoS) attacks. 

Instead, this campaign’s goal is to boost website traffic for the attackers, via an application known as 9hits.

According to researchers from Cado Security, 9hits is a web traffic exchange platform, where users can drive traffic among themselves. When a user installs 9hits, their device visits other members’ websites via a headless Chrome instance. In exchange, the user receives credits which they can then spend to drive traffic to their own sites. By installing 9hits on compromised Docker instances, the attackers generate additional credits which they can then exchange for more traffic for themselves. 

XMRig for good measure

"This is the first documented case of malware deploying the 9hits application as a payload," Cado Security said in its report. 

To install 9hits, the attackers must first gain access to the vulnerable Docker hosts. At this time, Cado’s researchers don’t know for certain how hackers reach these instances, but are speculating they’re scanning the network with Shodan and then using the Docker API to deploy malicious containers. 

But that’s not all. The threat actors sought to maximize the use of the resources, so besides 9hits, they also deployed XMRig. This is a popular cryptocurrency miner that takes up significant resources (compute power, electrical power, internet) to generate the Monero (XMR) currency. As a result, the compromised Docker hosts are unable to complete the tasks they were supposed to be doing. 

"The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left," the report further states. Monero is a popular choice for cybercriminals as it’s practically impossible to trace. Furthermore, XMRig connects to a private mining pool, meaning the researchers couldn’t even determine how much money was generated. 

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.