Cado Security researchers observed a campaign targeting exposed Docker services that deploys two containers per host: an XMRig cryptocurrency miner and the 9hits viewer application, which generates traffic (and credits) for the attacker's 9hits account. The operation shows how Internet-exposed Docker hosts can be abused for mining while a headless browser drives site visits for revenue, using off-the-shelf Docker Hub images and a 9hits session token.
#9hits #XMRig #Docker #Shodan #dscloud
Keypoints
- The campaign targets vulnerable Docker services by deploying two containers per host: a miner (XMRig) and the 9hits viewer app.
- Initial access occurs over the Internet via an attacker-controlled server leveraging the Docker API to deploy containers.
- Researchers speculate the honeypot was discovered via Shodan rather than broad active scanning.
- Attackers pull off-the-shelf images from Docker Hub: minerboy/XMRig and 9hitste/app.
- 9hits uses a session token to fetch sites to visit and earn credits for the token owner.
- 9hits runs headless Chrome with flags such as --no-sandbox and --single-process, visiting various categories of sites (with some restrictions). --no-sandbox turns off Chrome's process sandbox, so the browser inside the container has none of the isolation Chrome normally relies on when rendering hostile pages.
- Impact is resource exhaustion (CPU from XMRig; bandwidth/memory from 9hits), with potential for future remote access.
MITRE Techniques
- [T1210] Exploitation of Remote Services: after discovery, the spreader uses the exposed Docker API to deploy the two containers.
- [T1059.004] Unix Shell: the order of API requests in the capture is identical to that of a real Docker CLI session, so the attacker is most likely running a script that points DOCKER_HOST at the victim and drives the regular docker CLI to compromise the server.
- [T1046] Network Service Discovery: the attacker most likely found the honeypot through a service such as Shodan rather than by scanning for it directly.
- [T1496] Resource Hijacking: the main impact on compromised hosts is resource exhaustion; the XMRig miner takes all the CPU it can get, while 9hits consumes a large amount of bandwidth and memory and what little CPU is left.
Indicators of Compromise
- [Container Name] faucet, xmg
- [Container Image] 9hitste/app, minerboy/XMRig
- [Domain] byw.dscloud.me:3333, dscloud.me
- [IP Address] 27.36.82.56, 43.163.195.252
- [Session Token] c89f8b41d4972209ec497349cce7e840
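As an added example (not code from the Cado report, the 9hits viewer, or the XMRig image), the POSIX shell functions below turn the IOCs above and the exposure the campaign depends on into two checks an operator can run on a suspect host: one matches running containers against the image names, container names and hosts listed, the other tells whether dockerd is listening on its plaintext TCP port on a non-loopback address. The substring match of IOC hosts against each container's command line is a heuristic of this example (the report does not describe the containers' command lines), and the sample input in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not code from the Cado report or from the 9hits/XMRig images:
# turn the IOCs above into two checks an operator can run on a suspect host.

IOC_IMAGES="9hitste/app minerboy/xmrig"      # Docker Hub images, lowercased
IOC_NAMES="faucet xmg"                       # container names seen in the campaign
IOC_HOSTS="byw.dscloud.me dscloud.me 27.36.82.56 43.163.195.252"

# scan_docker_ps reads tab-separated "name<TAB>image<TAB>command" lines on
# stdin, the shape produced by
#   docker ps --no-trunc --format '{{.Names}}\t{{.Image}}\t{{.Command}}'
# and prints one "HIT <reasons> <name> <image>" line per matching container.
# Returns 0 when at least one container matched, 1 when the host looks clean.
# Matching IOC hosts as substrings of the container command is a heuristic of
# this example (it catches e.g. a miner given its pool on the command line);
# the report does not describe the containers' command lines.
scan_docker_ps() {
    tab="$(printf '\t')"
    hits=0
    while IFS="$tab" read -r name image command; do
        [ -n "$name" ] || continue
        # Normalise the image reference: lowercase, drop digest and tag, so
        # "minerboy/XMRig:latest" compares equal to "minerboy/xmrig".
        img="$(printf '%s' "$image" | tr 'A-Z' 'a-z')"
        img="${img%%@*}"
        case "${img##*/}" in *:*) img="${img%:*}" ;; esac
        reason=""
        for i in $IOC_IMAGES; do
            [ "$img" = "$i" ] && reason="image"
        done
        for n in $IOC_NAMES; do
            [ "$name" = "$n" ] && reason="${reason:+$reason,}name"
        done
        for h in $IOC_HOSTS; do
            case "$command" in
                *"$h"*) reason="${reason:+$reason,}c2-host"; break ;;
            esac
        done
        if [ -n "$reason" ]; then
            hits=$((hits + 1))
            printf 'HIT %s %s %s\n' "$reason" "$name" "$image"
        fi
    done
    [ "$hits" -gt 0 ]
}

# dockerd_exposed reads `ss -Hltn` output on stdin (columns: state, recv-q,
# send-q, local address:port, peer) and returns 0 when the Docker daemon's
# plaintext TCP port (2375, the conventional port for an unauthenticated
# "-H tcp://" listener) is bound to anything but loopback. That exposure is
# what lets a remote attacker drive the Docker API as this campaign does.
# Port 2376 (TLS) is deliberately not flagged here: it needs a separate look
# at whether client certificates are actually required.
dockerd_exposed() {
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${laddr##*:}"
        addr="${laddr%:*}"
        [ "$port" = "2375" ] || continue
        case "$addr" in
            127.*|"[::1]") ;;                        # loopback only
            *) printf 'EXPOSED dockerd listening on %s\n' "$laddr"; return 0 ;;
        esac
    done
    return 1
}
```

On a live host, source the file (the name docker_ioc_check.sh is hypothetical) and pipe the real commands in: `. ./docker_ioc_check.sh; docker ps --no-trunc --format '{{.Names}}\t{{.Image}}\t{{.Command}}' | scan_docker_ps; ss -Hltn | dockerd_exposed`. A constructed `docker ps` line such as `xmg<TAB>minerboy/XMRig:latest<TAB>"xmrig -o byw.dscloud.me:3333"` is reported as `HIT image,name,c2-host xmg minerboy/XMRig:latest`; a host whose dockerd only listens on 127.0.0.1:2375 is not reported as exposed.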
Read more: https://www.cadosecurity.com/containerised-clicks-malicious-use-of-9hits-on-vulnerable-docker-hosts/