Table of Contents
  • Home
  • /
  • Blog
  • /
  • What Cado Says About the New Malicious Docker Malware Campaign?
January 20, 2024

What Cado Says About the New Malicious Docker Malware Campaign?

What Cado Says About The New Malicious Docker Malware Campaign

The security research team at Cado has recently uncovered a novel malware Docker exploit campaign that leverages vulnerable Docker hosts to deploy crypto miners. As reported in the comprehensive study (full report here), this appears to be the first documented case of cybercriminals launching the 9hits traffic platform as part of malware payloads.

This malware attack targets exposed Docker daemons and deploys two containers to perform the malicious activities an XMRig Monero miner and the 9hits viewer application. This campaign highlights how ransomware gangs continue to expand their monetization strategies using crypto-mining malware as well as less common software like 9hits.

Technical Details About This New Malicious Docker Malware Campaign

As per the in-depth analysis by Cado Security Labs researchers, the malicious containers deploy XMRig crypto miner and the 9hits viewer app which leverages headless Chrome to generate traffic and revenue for the attackers.

Attackers seem to be identifying vulnerable Docker hosts using services like Shodan and targeting them using custom scripts that interact with Docker APIs. This allows remotely deploying containers with predefined commands and configurations to initialize infections.

Once deployed, the containers kick off the malicious payloads as background processes:

pid	  ppid	proc	cmd
2379	2358	/bin/bash / --token=c89f8b41d4972209ec497349cce7e840 --system-session --allow-crypto=no
2406	2379	Xvfb	Xvfb :1
2407	2379	9hits	/etc/9hitsv3-linux64/9hits --mode=exchange --current-hash=1704770235 --hide-browser=no --token=c89f8b41d4972209ec497349cce7e840 --allow-popups=yes --allow-adult=yes --allow-crypto=no --system-session --cache-del=200 --single-process --no-sandbox --no-zygote --auto-start
2508	2455	9hbrowser	/etc/9hitsv3-linux64/browser/9hbrowser --nh-param=b2e931191f49d --ssid=<honeypot IP>

While the XMRig process runs Monero mining directing earnings to the attackers private pool, the 9hits container visits websites to generate traffic credits for the owners of the campaigns session tokens.

The report suggests this could allow running 9hits at scale across compromised devices without account hijacking risks. Attackers also seem to have additional controls in place like restricting crypto sites from the 9hits visits.

How Does This Campaign Work?

The in-depth analysis from Cados research team provides intriguing insights into the technical workings of this Docker-based malware operation.

  1. Reconnaissance: The first step involves identifying potential targets by scanning the entire IPv4 space or using search engines like Shodan to find Internet-facing Docker daemon APIs vulnerable to remote command executions.

  2. Intrusion: Next, the attackers use custom scripts that mimic the Docker CLI to connect to exposed daemons and leverage the Docker API to pull images from Docker Hub and deploy them as containers. The running containers establish the initial foothold.

  3. Installation: The containers have pre-configured commands that execute crypto mining (XMRig) and traffic generation (9hits) payload processes when started. This allows the malware processes to launch in the background without altering the hosting servers.

  4. Command & Control: The XMRig instance connects out to the attackers private Monero mining pool to begin hashing and deposit profits. The 9hits container pulls configurations and websites to visit via the attackers session tokens to earn traffic credits.

  5. Persistence: The attackers use dynamic DNS services to keep resolving their IP addresses as the campaign infrastructure, allowing sustained connections with infected containers across compromised devices to maintain persistence.

  6. Impact: By design, the malware payloads monopolize computing resources like CPU, memory, and bandwidth to severely degrade the performance of legitimate workloads on the hosting servers.


Docker Container NameDocker Container Image
Mining pool
Session token

Bottom Line

In conclusion, Cado Securitys report reveals clever exploitation of vulnerable Docker containers and daemon access to deploy crypto miners coupled with unconventional payloads like 9hits traffic viewers. Their ability to operate these malicious apps at scale while avoiding ownership tracking highlights increasingly sophisticated cybercrime toolkits.

The key takeaway for security teams is implementing safe Docker practices, limiting daemon exposure to risky networks, monitoring for unusual container deployments, and having detection systems to uncover emerging malware behaviors like crypto mining and traffic manipulation. As attacks continue to exploit container technologies for covert malware operations, more cybercriminal groups adopting such tactics can be expected.

We hope this post helps you know about the new malicious Docker malware campaign. Please share this post and help secure the digital world. Visit our website, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription