Unraveling the Threat of New Docker Malware Campaign
In recent times, Docker services have become a focal point for malicious actors seeking innovative ways to monetize their exploits. A recent discovery by cloud security firm Cado unveils a new Docker malware campaign that employs a dual-pronged approach, utilizing the XMRig cryptocurrency miner and the 9Hits Viewer software. This marks a significant shift in the tactics employed by adversaries, showcasing their continual efforts to diversify strategies and capitalize on compromised hosts.
9Hits Viewer as Malware Payload
One striking aspect of this campaign is the deployment of the 9Hits application as a payload. Touted as a “unique web traffic solution,” 9Hits presents itself as an “automatic traffic exchange” where members can boost their website traffic by earning credits through a headless Chrome browser instance, aptly named 9Hits Viewer. This development underscores the adaptability of threat actors, always on the lookout for new avenues to exploit compromised systems.
While the exact method of spreading the malware to vulnerable Docker hosts remains unclear, suspicions point towards the utilization of search engines like Shodan to identify potential targets. Once identified, the servers are breached to deploy two malicious containers via the Docker API, leveraging off-the-shelf images from the Docker Hub library for 9Hits and XMRig software.
Docker Malware Attack Vector
Rather than opting for custom images, the threat actors utilize generic Docker Hub images, a common tactic in Docker-targeted campaigns. Using publicly available images means the attackers need not build or host their own; the required software is simply pulled from Docker Hub onto the compromised host. The 9Hits container authenticates to the 9Hits platform with the attackers' session token, fetches a list of websites to visit, and browses them to earn credits on the attackers' behalf. Simultaneously, the XMRig miner, residing in another container, connects to a private mining pool, obscuring the scale and profitability of the campaign.
Impacts on Compromised Docker Hosts
For compromised hosts, this campaign has far-reaching effects. Resource exhaustion is a key concern, with the XMRig miner monopolizing available CPU resources and 9Hits consuming significant bandwidth and memory. On compromised servers, legitimate workloads experience performance issues that interfere with regular operations. Moreover, there is potential for more severe breaches, as the campaign could evolve to leave a remote shell on the system, amplifying the risk of unauthorized access.
Protecting Docker environments from evolving threats such as the Docker malware campaign discussed is paramount. As threat actors continue to adapt and diversify their tactics, staying informed and implementing robust security measures is crucial. Organizations should remain vigilant, regularly update and patch systems, and employ security best practices to fortify their Docker environments against emerging threats.
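As an added illustration of the two checks a defender would run on a Docker host in light of this campaign (not code from the article or from Cado), the script below flags running containers whose image name matches the 9Hits or XMRig families and tests whether the Docker daemon command line exposes the API over plain TCP. The image-name patterns, the container records and the dockerd command lines are constructed for this example; on a real host, feed it the output of `docker ps --format '{{json .}}'` and the live dockerd process arguments.

```python
import json
import re

# Heuristic image-name patterns for the two payloads described above.
# Constructed for this example; tune them to your environment.
SUSPECT_IMAGE_PATTERNS = [
    (re.compile(r"9hits", re.IGNORECASE), "9Hits Viewer traffic-exchange client"),
    (re.compile(r"xmrig", re.IGNORECASE), "XMRig cryptocurrency miner"),
]

def flag_suspicious_containers(ps_json_lines):
    """Parse lines of `docker ps --format '{{json .}}'` output and return
    (container_id, image, reason) for each container whose image matches."""
    findings = []
    for line in ps_json_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        image = entry.get("Image", "")
        for pattern, reason in SUSPECT_IMAGE_PATTERNS:
            if pattern.search(image):
                findings.append((entry.get("ID", "?"), image, reason))
                break
    return findings

def api_exposed_on_tcp(dockerd_cmdline):
    """Return True if dockerd binds its API to a TCP socket (-H/--host tcp://...)
    without --tlsverify, i.e. the unauthenticated exposure this campaign abuses."""
    hosts = re.findall(r"(?:-H|--host)[ =](\S+)", dockerd_cmdline)
    tcp_bound = any(h.startswith("tcp://") for h in hosts)
    return tcp_bound and "--tlsverify" not in dockerd_cmdline

# Constructed sample `docker ps` records; image names are placeholders.
SAMPLE_PS = [
    '{"ID":"a1b2c3d4e5f6","Image":"nginx:1.25","Names":"web"}',
    '{"ID":"0f9e8d7c6b5a","Image":"example/9hits-viewer:latest","Names":"viewer"}',
    '{"ID":"1234567890ab","Image":"example/xmrig:6.21","Names":"miner"}',
]
# Constructed dockerd command line with the API listening on plain TCP.
SAMPLE_DOCKERD = "dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"

if __name__ == "__main__":
    for cid, image, reason in flag_suspicious_containers(SAMPLE_PS):
        print(f"[!] container {cid} runs {image}: {reason}")
    if api_exposed_on_tcp(SAMPLE_DOCKERD):
        print("[!] Docker API reachable over TCP without TLS client verification")
```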
The sources for this article include a story from TheHackerNews.