What Cado Says About the New Malicious Docker Malware Campaign?

The security research team at Cado has recently uncovered a novel malware campaign that exploits vulnerable Docker hosts to deploy crypto miners. As reported in the comprehensive study (full report here), this appears to be the first documented case of cybercriminals deploying the 9hits traffic platform as part of a malware payload.

This malware attack targets exposed Docker daemons and deploys two containers to perform the malicious activities — an XMRig Monero miner and the 9hits viewer application. This campaign highlights how ransomware gangs continue to expand their monetization strategies using crypto-mining malware as well as less common software like 9hits.

Technical Details About This New Malicious Docker Malware Campaign

As per the in-depth analysis by Cado Security Labs researchers, the malicious containers deploy the XMRig crypto miner and the 9hits viewer app, which uses headless Chrome to generate traffic and revenue for the attackers.

Attackers appear to identify vulnerable Docker hosts using services like Shodan and target them with custom scripts that interact with the Docker API. This lets them remotely deploy containers with predefined commands and configuration to start the infection.

Once deployed, the containers kick off the malicious payloads as background processes:

pid	  ppid	proc	cmd
2379	2358	nh.sh	/bin/bash /nh.sh --token=c89f8b41d4972209ec497349cce7e840 --system-session --allow-crypto=no
2406	2379	Xvfb	Xvfb :1
2407	2379	9hits	/etc/9hitsv3-linux64/9hits --mode=exchange --current-hash=1704770235 --hide-browser=no --token=c89f8b41d4972209ec497349cce7e840 --allow-popups=yes --allow-adult=yes --allow-crypto=no --system-session --cache-del=200 --single-process --no-sandbox --no-zygote --auto-start
2508	2455	9hbrowser	/etc/9hitsv3-linux64/browser/9hbrowser --nh-

While the XMRig process runs Monero mining directing earnings to the attacker’s private pool, the 9hits container visits websites to generate traffic credits for the owners of the campaign’s session tokens.

The report suggests this could allow running 9hits at scale across compromised devices without account hijacking risks. Attackers also seem to have additional controls in place like restricting crypto sites from the 9hits visits.


How Does This Campaign Work?

The in-depth analysis from Cado’s research team provides intriguing insights into the technical workings of this Docker-based malware operation.

  1. Reconnaissance: The first step involves identifying potential targets by scanning the entire IPv4 space or using search engines like Shodan to find Internet-facing Docker daemon APIs that allow remote command execution.
  2. Intrusion: Next, the attackers use custom scripts that mimic the Docker CLI to connect to exposed daemons and leverage the Docker API to pull images from Docker Hub and deploy them as containers. The running containers establish the initial foothold.
  3. Installation: The containers have pre-configured commands that execute the crypto mining (XMRig) and traffic generation (9hits) payload processes when started. This allows the malware processes to launch in the background without altering the hosting servers.
  4. Command & Control: The XMRig instance connects out to the attacker’s private Monero mining pool to begin hashing and deposit profits. The 9hits container pulls configurations and websites to visit via the attacker’s session tokens to earn traffic credits.
  5. Persistence: The attackers use dynamic DNS services so that the campaign infrastructure keeps resolving to their current IP addresses, allowing infected containers across compromised devices to maintain their connections.
  6. Impact: By design, the malware payloads monopolize computing resources like CPU, memory, and bandwidth, severely degrading the performance of legitimate workloads on the hosting servers.
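The reconnaissance and intrusion steps above depend on one thing: a Docker daemon whose TCP API listener accepts unauthenticated clients. The following audit script is an added example for this article, not code from Cado's report. It checks a daemon.json document for that exposure using Docker's documented options ("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey"); the weak and hardened sample configurations embedded in it are constructed.

```python
"""Audit a Docker daemon.json for an API listener that anyone who can reach it may use.

Added example for this article; not code from Cado's report. The keys checked
("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey") are Docker's documented
daemon.json options; the two sample configurations are constructed.
"""
import json

# Constructed: the kind of config that exposes the API without authentication.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: same listener, but clients must present a certificate signed by the CA.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(text: str) -> list:
    """Return (severity, message) findings for a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: the API is not reachable over the network

    if not cfg.get("tlsverify"):
        for host in tcp_hosts:
            findings.append(("high", f"{host}: API listener without tlsverify; "
                             "any client that can reach the port can create containers"))
    else:
        # tlsverify without the certificate material makes dockerd fail to start,
        # so flag a half-finished hardening attempt explicitly.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(("high", f"tlsverify is set but {key} is missing"))

    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(("info", f"{host}: bound on all interfaces; restrict "
                             "reachability with a firewall or bind to a management address"))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    with open(path, encoding="utf-8") as fh:
        for severity, message in audit_daemon_config(fh.read()):
            print(f"[{severity}] {message}")
```

Run it against the daemon.json on a host to see whether the API is reachable without client certificates. Note that listeners can also be configured with `-H` flags on the dockerd command line (for example in a systemd unit), which this script does not read, so check that command line as well when daemon.json has no "hosts" entry.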

IoCs

Docker container name    Docker container image
faucet                   9hitste/app
xmg                      minerboy/XMRig

Mining pool
byw.dscloud.me:3333

Session token
c89f8b41d4972209ec497349cce7e840

IP addresses
27[.]36.82.56
43[.]163.195.252
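Because the intrusion step deploys the payloads as ordinary containers through the Docker API, the same API is the quickest place to look for them. The script below is an added example for this article, not Cado's own tooling: it triages a container listing against the indicators above (container names, image names, mining pool host and session token). The record shape follows the Docker Engine API's GET /containers/json response ("Id", "Names", "Image", "Command", "State"); the sample records are constructed, and the XMRig command line in them is illustrative.

```python
"""Triage a Docker container listing against the indicators from Cado's report.

Added example for this article, not Cado's tooling. Records are shaped like the
Docker Engine API's GET /containers/json output; the samples are constructed, with
only the container names, image names, pool host and token taken from the IoC list.
"""
import http.client
import json
import socket

IOC_IMAGES = {"9hitste/app", "minerboy/xmrig"}   # compared after normalisation
IOC_CONTAINER_NAMES = {"faucet", "xmg"}
IOC_STRINGS = {
    "mining pool": "byw.dscloud.me:3333",
    "9hits session token": "c89f8b41d4972209ec497349cce7e840",
}

# Constructed sample of what GET /containers/json returns on an infected host.
# The xmrig command line is illustrative (xmrig's -o flag names the pool).
SAMPLE_CONTAINERS = [
    {"Id": "0" * 64, "Names": ["/faucet"], "Image": "9hitste/app:latest", "State": "running",
     "Command": "/bin/bash /nh.sh --token=c89f8b41d4972209ec497349cce7e840 "
                "--system-session --allow-crypto=no"},
    {"Id": "1" * 64, "Names": ["/xmg"], "Image": "docker.io/minerboy/XMRig", "State": "running",
     "Command": "xmrig -o byw.dscloud.me:3333"},
    {"Id": "2" * 64, "Names": ["/web"], "Image": "nginx:1.25", "State": "running",
     "Command": "nginx -g 'daemon off;'"},
]


def normalize_image(ref: str) -> str:
    """Lower-case an image reference and strip the docker.io prefix, tag and digest."""
    ref = ref.lower().split("@", 1)[0]
    if ref.startswith("docker.io/"):
        ref = ref[len("docker.io/"):]
    head, sep, last = ref.rpartition("/")
    last = last.split(":", 1)[0]          # the tag lives in the last path segment
    return head + sep + last


def find_ioc_matches(containers: list) -> list:
    """Return one record per container that matches at least one indicator."""
    hits = []
    for c in containers:
        reasons = []
        if normalize_image(c.get("Image", "")) in IOC_IMAGES:
            reasons.append(f"image {c['Image']} is a known campaign image")
        names = {n.lstrip("/") for n in c.get("Names", [])}
        if names & IOC_CONTAINER_NAMES:
            reasons.append(f"container name {sorted(names & IOC_CONTAINER_NAMES)} matches the campaign")
        cmd = c.get("Command", "")
        for label, value in IOC_STRINGS.items():
            if value in cmd:
                reasons.append(f"command line contains the {label} {value}")
        if reasons:
            hits.append({"id": c.get("Id", "")[:12], "names": sorted(names), "reasons": reasons})
    return hits


class UnixSocketConnection(http.client.HTTPConnection):
    """HTTP over the local Docker socket; only used when run as a script."""

    def __init__(self, path="/var/run/docker.sock"):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


if __name__ == "__main__":
    conn = UnixSocketConnection()
    conn.request("GET", "/containers/json?all=true")
    live = json.loads(conn.getresponse().read())
    for hit in find_ioc_matches(live):
        print(hit["id"], hit["names"], "; ".join(hit["reasons"]))
```

Run as a script on a host with socket access, it lists every container (stopped ones included) that matches an indicator and why. Image references are normalised before comparison so that a tag, a digest or the docker.io prefix does not hide a match; the name and command-line checks catch containers that were re-tagged from a different image.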

Bottom Line

In conclusion, Cado Security’s report reveals clever exploitation of exposed Docker daemons to deploy crypto miners alongside unconventional payloads like the 9hits traffic viewer. The attackers’ ability to operate these malicious apps at scale while avoiding ownership tracking highlights increasingly sophisticated cybercrime toolkits.
