Author: Admin | 2025-04-28
A new campaign targeting vulnerable Docker services deploys an XMRig miner and the 9hits viewer app on compromised hosts, giving the attackers a dual monetization strategy.

9hits is a web traffic exchange platform where members can drive traffic to each other's sites. This traffic is generated by a 9hits viewer app installed on members' devices, which uses a headless Chrome instance to visit websites requested by other members. In return, those users earn credits, which can be used to pay for traffic to their own sites.

In a campaign discovered by Cado Security, attackers deploy the 9hits viewer app on compromised Docker hosts to generate credits for themselves, exploiting the resources of those systems to drive traffic as part of the 9hits traffic exchange system.

"This is the first documented case of malware deploying the 9hits application as a payload," explains a report by Cado Security shared with BleepingComputer.

Attack details

While it's not clear how the threat actors find systems to breach, Cado believes the attackers likely use a network scanning product like Shodan to discover vulnerable servers and breach them to deploy malicious containers via the Docker API.

The containers are in images sourced from Docker Hub to reduce suspicion. The spreader script captured in Cado's Docker honeypot uses Docker's CLI to set the DOCKER_HOST variable and uses typical API calls to pull and run the containers.

The 9hits container runs a script (nh.sh) with a session token, allowing it to authenticate and generate credits for the attacker by visiting a list of websites.

The session token system
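The two defender-side checks that follow from the description above are (1) whether the Docker daemon's API is listening on TCP without TLS client verification, which is what lets a remote spreader script pull and run containers, and (2) whether any running container matches the campaign's indicators (a 9hits viewer image, its nh.sh script, or the XMRig binary). The script below is an added example written for this page, not code from Cado Security or from the campaign. It reads the `hosts`/`tlsverify`/`tlscacert`/`tlscert`/`tlskey` keys that the real daemon.json supports, and it scans records in the shape of `docker inspect` output. All image names, container IDs and the daemon.json contents are constructed sample data; the session token value is a placeholder.

```python
"""Audit helpers for the exposed-Docker-API abuse pattern (added example).

Two checks:
  1. daemon_config_findings(): flag tcp:// listeners in daemon.json that are
     not protected by TLS client-certificate verification.
  2. suspicious_containers(): flag containers whose image or command matches
     the indicators named in the article (9hits viewer, nh.sh, xmrig).
"""
import json
import re
from typing import Dict, List, Tuple

# Indicators taken from the campaign description; extend with your own intel.
IMAGE_PATTERN = re.compile(r"9hits|xmrig", re.IGNORECASE)
COMMAND_PATTERN = re.compile(r"(^|[\s/])nh\.sh(\s|$)|xmrig", re.IGNORECASE)

LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")


def daemon_config_findings(daemon_json: str) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for risky `hosts` entries in a daemon.json."""
    cfg = json.loads(daemon_json)
    # tlsverify only helps if the CA/cert/key paths are actually configured.
    tls_enforced = bool(cfg.get("tlsverify")) and all(
        key in cfg for key in ("tlscacert", "tlscert", "tlskey")
    )
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://") or tls_enforced:
            continue  # unix sockets and TLS-verified listeners are not the issue here
        addr = host[len("tcp://"):]
        if addr.startswith(LOOPBACK_PREFIXES):
            findings.append((host, "API on loopback without TLS: any local user gets root-equivalent control"))
        else:
            findings.append((host, "API reachable over the network without TLS client verification"))
    return findings


def suspicious_containers(inspect_records: List[Dict]) -> List[Dict]:
    """Flag containers whose image or entrypoint/cmd matches the indicators."""
    flagged = []
    for rec in inspect_records:
        config = rec.get("Config", {})
        image = config.get("Image", "")
        argv = list(config.get("Entrypoint") or []) + list(config.get("Cmd") or [])
        command = " ".join(argv)
        reasons = []
        if IMAGE_PATTERN.search(image):
            reasons.append(f"image matches indicator: {image}")
        if COMMAND_PATTERN.search(command):
            reasons.append(f"command matches indicator: {command}")
        if reasons:
            flagged.append({"Id": rec.get("Id", "")[:12], "Name": rec.get("Name", ""), "reasons": reasons})
    return flagged


# Constructed sample inputs (not real configs or containers).
INSECURE_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

SAMPLE_CONTAINERS = [
    {"Id": "a1b2c3d4e5f6a7b8", "Name": "/web",
     "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "0f1e2d3c4b5a6978", "Name": "/viewer",
     "Config": {"Image": "example-user/9hits-viewer:latest", "Cmd": ["sh", "nh.sh"],
                "Env": ["SESSION_TOKEN=<placeholder>"]}},
    {"Id": "deadbeef00112233", "Name": "/miner",
     "Config": {"Image": "example-user/cpu-bench:latest",
                "Entrypoint": ["/usr/local/bin/xmrig"], "Cmd": ["--config", "/tmp/config.json"]}},
]

if __name__ == "__main__":
    for host, reason in daemon_config_findings(INSECURE_DAEMON_JSON):
        print(f"[daemon] {host}: {reason}")
    for hit in suspicious_containers(SAMPLE_CONTAINERS):
        print(f"[container] {hit['Name']} ({hit['Id']}): {'; '.join(hit['reasons'])}")
```

The miner container in the sample deliberately uses an innocuous image name so that only the entrypoint gives it away; matching on image names alone would miss it, which is why the check joins `Entrypoint` and `Cmd` before searching. To run against a live host, feed `daemon_config_findings` the contents of `/etc/docker/daemon.json` and `suspicious_containers` the parsed output of `docker inspect $(docker ps -q)`.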