TrafficStealer: The Hidden Threat in Docker Containers
Researchers at Trend Micro have discovered a distinctive threat affecting Docker containers, a piece of software they have dubbed "TrafficStealer." It uses containers to generate revenue by manipulating web traffic and ad engagement. The threat was first detected when an unfamiliar program was found running in the background of one of their containerized honeypots.
Attackers now tend to use established services or base images instead of crafting their own container images. In this case, the attackers used a container image published by a service that offers "traffic monetization." Anyone who signs up receives a unique token; the container presents that token so the traffic it relays is credited to the subscriber's account, and the token is then used to collect the payout. Once the software is running, however, the subscriber has no visibility into what traffic is being routed through their machine, which acts as a proxy for the service. That is risky enough when the service is run knowingly; when it is deployed on a host whose owner does not know it is there, the host's IP address is attributed to whatever traffic the service chooses to send.
The TrafficStealer software operates using a combination of techniques, including web crawling and click simulation. Web crawling scans the internet for websites with high ad-revenue potential, while click simulation generates fake clicks on the ads displayed on those sites. This inflates perceived engagement, leading to higher ad revenue for the attackers. All traffic exchanged with the service's server is encrypted, so anyone inspecting the network cannot easily tell what the container is actually doing.
During the investigation, the researchers found the same behavior in various Dockerfile and docker-compose.yaml files, as well as in cloud pipeline YAML files. The compose and pipeline YAML files describe how a container should be configured and started (image, environment variables, restart behavior), while a cloud pipeline automates deploying, running, and modifying cloud services. In this case, the developers and publishers of these YAML files had automated the process so that publishing the configuration file also deployed it to the cloud. This gives faster deployment of the malicious service, full automation, and, most importantly, the ability to scale the attack.
The researchers noted that the attacker never allocated a TTY (a pseudo-terminal, which Docker attaches to a container with the -t flag when a person is expected to interact with it). Its absence is usually a sign of an automated, scripted attack rather than hands-on-keyboard activity. One of the services also offers a comprehensive web dashboard where an attacker can monitor how the infected nodes are working, including some information about each node's operating system and IP address.
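The two indicators above (a container started without a TTY, and an image from an unfamiliar service that is configured with a subscriber token) can be turned into a simple hunt over `docker inspect` output. The script below is an added example written for this article; it is not Trend Micro's code, and the image names, registry allowlist and the sample inspect records embedded in it are constructed for illustration rather than taken from the research.

```python
"""Hunt for unattended, token-driven containers in `docker inspect` output.

Added example (not Trend Micro's code). It scores each running container on
indicators drawn from the write-up: started without a TTY (scripted
deployment), image outside the environment's allowlist, a credential-looking
environment variable, and an always-restart policy (persistence). All image
names, registries and records below are constructed for illustration.
"""
import json
import re

# Assumption: only images under these prefixes are expected in this environment.
ALLOWED_IMAGE_PREFIXES = ("registry.internal.example/", "docker.io/library/")

# Environment variable names that look like a service credential or subscriber token.
TOKEN_NAME_RE = re.compile(r"(TOKEN|API_?KEY|SECRET|AUTH)", re.IGNORECASE)


def image_is_expected(image: str) -> bool:
    """Expand Docker short names ('nginx' -> 'docker.io/library/nginx',
    'user/app' -> 'docker.io/user/app') and check the allowlist."""
    if "/" not in image:
        image = "docker.io/library/" + image
    else:
        first = image.split("/", 1)[0]
        if "." not in first and ":" not in first and first != "localhost":
            image = "docker.io/" + image
    return image.startswith(ALLOWED_IMAGE_PREFIXES)


def container_findings(record: dict) -> list:
    """Return the indicator names that fire for one `docker inspect` record."""
    cfg = record.get("Config", {})
    hits = []
    if not cfg.get("Tty", False) and not cfg.get("OpenStdin", False):
        hits.append("no_tty")            # non-interactive start, typical of scripted deployment
    if not image_is_expected(cfg.get("Image", "")):
        hits.append("unexpected_image")  # image outside the allowlist
    for kv in cfg.get("Env") or []:
        name, _, value = kv.partition("=")
        if TOKEN_NAME_RE.search(name) and len(value) >= 16:
            hits.append("token_env")     # looks like a subscriber/API token
            break
    policy = record.get("HostConfig", {}).get("RestartPolicy", {}).get("Name")
    if policy in ("always", "unless-stopped"):
        hits.append("restart_always")    # persistence across daemon and host restarts
    return hits


def suspicious_containers(inspect_json: str, min_hits: int = 3) -> list:
    """Parse the JSON array printed by `docker inspect $(docker ps -q)` and return
    (name, image, hits) for containers matching at least `min_hits` indicators."""
    out = []
    for rec in json.loads(inspect_json):
        hits = container_findings(rec)
        if len(hits) >= min_hits:
            out.append((rec.get("Name", "").lstrip("/"), rec["Config"].get("Image", ""), hits))
    return out


# Constructed sample of `docker inspect` output, trimmed to the fields used above.
SAMPLE_INSPECT = json.dumps([
    {   # a developer's interactive debugging container: TTY, allowlisted image
        "Name": "/debug-shell",
        "Config": {"Image": "registry.internal.example/tools/debug:1.2",
                   "Tty": True, "OpenStdin": True, "Env": ["PATH=/usr/bin"]},
        "HostConfig": {"RestartPolicy": {"Name": "no"}},
    },
    {   # the traffic-monetization pattern: headless, unknown image,
        # subscriber token in the environment, restarts forever
        "Name": "/node-x7",
        "Config": {"Image": "example-monetize/agent:latest",
                   "Tty": False, "OpenStdin": False,
                   "Env": ["TOKEN=0f3a9c1e7b2d4a6f8e1c3b5d7f9a2c4e", "PATH=/usr/bin"]},
        "HostConfig": {"RestartPolicy": {"Name": "always"}},
    },
    {   # headless web server from the official library: only two weak indicators
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Tty": False, "OpenStdin": False, "Env": []},
        "HostConfig": {"RestartPolicy": {"Name": "unless-stopped"}},
    },
])

if __name__ == "__main__":
    for name, image, hits in suspicious_containers(SAMPLE_INSPECT):
        print(f"{name}: {image} -> {', '.join(hits)}")
```

On a live host, pipe `docker inspect $(docker ps -q)` into `suspicious_containers`. The indicators are deliberately weak on their own: a headless, always-restarting nginx is perfectly normal, which is why the allowlist and the token check carry most of the weight and why the default threshold requires three of the four to fire.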
The image used to infect the honeypot had been pulled 500,000 times from Docker Hub alone and, once running, moved roughly 15 MB of traffic in a matter of seconds. A pull count by itself does not distinguish subscribers who run the image knowingly from hosts where an attacker deployed it, so it is hard to estimate how many legitimate environments are running it willingly.