Table of Contents
The security research team at Cado has recently uncovered a novel malware Docker exploit campaign that leverages vulnerable Docker hosts to deploy crypto miners. As reported in the comprehensive study (full report here), this appears to be the first documented case of cybercriminals launching the 9hits traffic platform as part of malware payloads.
This malware attack targets exposed Docker daemons and deploys two containers to perform the malicious activities — an XMRig Monero miner and the 9hits viewer application. This campaign highlights how ransomware gangs continue to expand their monetization strategies using crypto-mining malware as well as less common software like 9hits.
Technical Details About This New Malicious Docker Malware Campaign
As per the in-depth analysis by Cado Security Labs researchers, the malicious containers deploy XMRig crypto miner and the 9hits viewer app which leverages headless Chrome to generate traffic and revenue for the attackers.
Attackers seem to be identifying vulnerable Docker hosts using services like Shodan and targeting them using custom scripts that interact with Docker APIs. This allows remotely deploying containers with predefined commands and configurations to initialize infections.
Once deployed, the containers kick off the malicious payloads as background processes:
pid ppid proc cmd
2379 2358 nh.sh /bin/bash /nh.sh --token=c89f8b41d4972209ec497349cce7e840 --system-session --allow-crypto=no
2406 2379 Xvfb Xvfb :1
2407 2379 9hits /etc/9hitsv3-linux64/9hits --mode=exchange --current-hash=1704770235 --hide-browser=no --token=c89f8b41d4972209ec497349cce7e840 --allow-popups=yes --allow-adult=yes --allow-crypto=no --system-session --cache-del=200 --single-process --no-sandbox --no-zygote --auto-start
2508 2455 9hbrowser /etc/9hitsv3-linux64/browser/9hbrowser --nh-param=b2e931191f49d --ssid=<honeypot IP>While the XMRig process runs Monero mining directing earnings to the attacker’s private pool, the 9hits container visits websites to generate traffic credits for the owners of the campaign’s session tokens.
The report suggests this could allow running 9hits at scale across compromised devices without account hijacking risks. Attackers also seem to have additional controls in place like restricting crypto sites from the 9hits visits.
How Does This Campaign Work?
The in-depth analysis from Cado’s research team provides intriguing insights into the technical workings of this Docker-based malware operation.
Reconnaissance: The first step involves identifying potential targets by scanning the entire IPv4 space or using search engines like Shodan to find Internet-facing Docker daemon APIs vulnerable to remote command executions.
Intrusion: Next, the attackers use custom scripts that mimic the Docker CLI to connect to exposed daemons and leverage the Docker API to pull images from Docker Hub and deploy them as containers. The running containers establish the initial foothold.
Installation: The containers have pre-configured commands that execute crypto mining (XMRig) and traffic generation (9hits) payload processes when started. This allows the malware processes to launch in the background without altering the hosting servers.
Command & Control: The XMRig instance connects out to the attacker’s private Monero mining pool to begin hashing and deposit profits. The 9hits container pulls configurations and websites to visit via the attacker’s session tokens to earn traffic credits.
Persistence: The attackers use dynamic DNS services to keep resolving their IP addresses as the campaign infrastructure, allowing sustained connections with infected containers across compromised devices to maintain persistence.
Impact: By design, the malware payloads monopolize computing resources like CPU, memory, and bandwidth to severely degrade the performance of legitimate workloads on the hosting servers.
IoCs
| Docker Container Name | Docker Container Image |
| faucet | 9hitste/app |
| xmg | minerboy/XMRig |
| Mining pool |
| byw.dscloud.me:3333 |
| Session token |
| c89f8b41d4972209ec497349cce7e840 |
| IP |
| 27[.]36.82.56 |
| 43[.]163.195.252 |
Bottom Line
In conclusion, Cado Security’s report reveals clever exploitation of vulnerable Docker containers and daemon access to deploy crypto miners coupled with unconventional payloads like 9hits traffic viewers. Their ability to operate these malicious apps at scale while avoiding ownership tracking highlights increasingly sophisticated cybercrime toolkits.
The key takeaway for security teams is implementing safe Docker practices, limiting daemon exposure to risky networks, monitoring for unusual container deployments, and having detection systems to uncover emerging malware behaviors like crypto mining and traffic manipulation. As attacks continue to exploit container technologies for covert malware operations, more cybercriminal groups adopting such tactics can be expected.
We hope this post helps you know about the new malicious Docker malware campaign. Please share this post and help secure the digital world. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
