Unveiling a Novel Malware Campaign: Attackers Targeting Vulnerable Docker Services
Recently, Cado Security Labs researchers have uncovered a striking and innovative campaign that specifically targets vulnerable Docker services. This campaign marks a significant development in the world of cyber threats, as it deploys not one, but two containers to the compromised instance. These containers consist of a typical XMRig miner and an unexpected payload – the 9hits viewer application.
The 9hits viewer application, known for its legitimate purpose as a “Unique Web Traffic Solution,” is being used as a payload by attackers in this campaign. Typically, 9hits allows its members to purchase credits that can be exchanged for increased web traffic to a website of their choice. Members can also run the 9hits viewer application, which uses a headless Chrome instance to visit websites, earning them a share of the credits.
In this campaign, the attacker has repurposed the 9hits viewer app to generate credits for themselves, turning it into a tool for malicious gain.
The attack begins with the deployment of two containers on the vulnerable Docker host by an attacker-controlled server. While Cado Security Labs hasn’t been able to obtain the specific spreader used in this campaign, it’s speculated that the attacker discovered the vulnerable host via a service like Shodan. Interestingly, the attacker’s IP doesn’t appear in common abuse databases, indicating a non-scanning approach. This suggests the possibility of a separate server for scanning.
Once the attacker gains access to the target, they utilize the Docker API to deploy the two containers, as evidenced by log entries and network captures.
An intriguing aspect of this campaign is the attacker’s method of disguising their actions as Docker client activity. While it’s technically possible to clone a user agent to mimic Docker client behavior, the order of API requests in the capture closely resembles that of an actual Docker CLI instance. This suggests that the attacker employs a script that sets the DOCKER_HOST variable and runs the Docker CLI, effectively camouflaging their malicious actions.
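Because the attacker drives the remote daemon through the ordinary Docker CLI, the telling signal is not the user agent but a container create followed by a start arriving from a non-loopback client. The following added detection (Python written for this page, not code from Cado Security Labs or the 9hits project) walks a constructed Docker API access log and flags each such pair, attaching the image the same client pulled just before; the log format, the pull/create/start ordering and every IP, image name and container id are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit
# Constructed sample in an assumed "timestamp client-ip method path user-agent" format, as a
# reverse proxy in front of the Docker API might log it; IPs, images and ids are placeholders.
SAMPLE_LOG = """\
2024-01-16T10:00:01Z 127.0.0.1 GET /v1.43/containers/json Docker-Client/24.0.7 (linux)
2024-01-16T10:05:00Z 203.0.113.5 POST /v1.43/images/create?fromImage=example%2Fimage-a&tag=latest Docker-Client/24.0.7 (linux)
2024-01-16T10:05:09Z 203.0.113.5 POST /v1.43/containers/create Docker-Client/24.0.7 (linux)
2024-01-16T10:05:10Z 203.0.113.5 POST /v1.43/containers/0123abcd/start Docker-Client/24.0.7 (linux)
2024-01-16T10:05:12Z 203.0.113.5 POST /v1.43/images/create?fromImage=example%2Fimage-b&tag=latest Docker-Client/24.0.7 (linux)
2024-01-16T10:05:20Z 203.0.113.5 POST /v1.43/containers/create Docker-Client/24.0.7 (linux)
2024-01-16T10:05:21Z 203.0.113.5 POST /v1.43/containers/89efcdab/start Docker-Client/24.0.7 (linux)
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
STEP_RE = {"pull": re.compile(r"/images/create$"), "create": re.compile(r"/containers/create$"),
           "start": re.compile(r"/containers/[^/]+/start$")}

def parse_line(line):
    """Split one access-log line into a dict; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, ua = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "ua": ua}

def step_of(path):
    """Classify a Docker Engine API path as an image pull, container create or start."""
    return next((s for s, rx in STEP_RE.items() if rx.search(urlsplit(path).path)), None)

def find_remote_deployments(log_text, window=timedelta(seconds=60)):
    """One alert per create->start pair from a non-loopback client (log assumed chronological)."""
    last_pull, pending, alerts = {}, {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["ip"].startswith("127.") or rec["ip"] == "::1":
            continue
        ip, ts, step = rec["ip"], rec["ts"], step_of(rec["path"])
        if step == "pull":  # remember what this client pulled, to name the image in the alert
            image = parse_qs(urlsplit(rec["path"]).query).get("fromImage", [None])[0]
            last_pull[ip] = (ts, image)
        elif step == "create":
            pending[ip] = ts
        elif step == "start" and ip in pending and ts - pending[ip] <= window:
            pull = last_pull.get(ip)
            alerts.append({"ip": ip, "created": pending.pop(ip).isoformat(),
                           "image": pull[1] if pull and ts - pull[0] <= window else None})
    return alerts
```

On the sample it yields two alerts for 203.0.113.5, one per deployed container, while the loopback activity is ignored.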
In a common attack vector seen in Docker-targeted campaigns, the attacker opts for off-the-shelf Docker images available on Docker Hub. Rather than creating a bespoke image for their purposes, they leverage readily accessible generic images. This approach makes it easier for attackers to quickly initiate their campaigns.
The payload operation of this campaign involves invoking the Docker container with a custom command that includes configuration and session identifiers. Using memory forensics, researchers have identified processes running within the 9hits container. The entry point for this container is the “nh.sh” script, to which the attacker has added their session token. This allows the 9hits app to authenticate with the attacker’s servers, pull a list of sites to visit and reward the attacker with credits on the 9hits platform.
Notably, the 9hits session token system appears designed to function in untrusted contexts, so the attacker can run the app in illegitimate campaigns without exposing their own 9hits account credentials.
The primary impact of this campaign on compromised hosts is resource exhaustion. The XMRig miner consumes all available CPU resources, while the 9hits viewer app utilizes significant bandwidth, memory, and any remaining CPU power. This hampers the performance of legitimate workloads on infected servers, potentially causing significant disruptions.
Furthermore, there’s a risk that the campaign could evolve to leave a remote shell on compromised systems, leading to more serious breaches. A similar tactic has been observed in the past with the Romanian threat actor “mexals/diicot,” which maintained access to compromised servers using a malicious SSH key alongside XMRig execution.
This campaign underscores the relentless pursuit of attackers seeking new avenues to profit from compromised hosts. It also highlights the ongoing vulnerability of exposed Docker hosts as a common entry point for cyber threats. Given Docker’s capacity to run arbitrary code, it’s imperative to maintain the security of Docker environments to prevent them from being exploited for malicious purposes.