Attackers Use Containers for Profit via TrafficStealer

TrafficStealer uses Docker containers to generate revenue by proxying users’ traffic and manipulating ad engagement, turning honeypots into monetization machines. Attackers leverage public container images and automation via YAML to scale the operation, while dashboards and tokens help manage and monetize compromised hosts. #TrafficStealer #TraffMonetizer #DockerHub #Proxyware #TrendMicro

Keypoints

  • TrafficStealer is a container-based campaign that monetizes traffic by proxying it through a container app and engaging with ads.
  • The attack repurposes honeypots and open container APIs to turn compromised environments into revenue generators.
  • Subscribers receive a unique token/ID used to retrieve possible revenue, signaling centralized monetization control.
  • All traffic to the server is encrypted and routed over an unusual TCP port, complicating detection.
  • Attackers increasingly rely on established base images and YAML configurations to automate deployment and scale the operation.
  • The attacker avoids interactive terminals (TTY = False), indicating automated, worm-like behavior.
  • A public web dashboard allows monitoring of infected nodes, OS, and IP addresses, illustrating remote management capabilities.
  • The image is widely used: it was pulled about 500,000 times from Docker Hub, highlighting the broad attack surface.
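As an added defender-side example (not code from the Trend Micro report), the Python script below triages container records for the traits listed above: launched without a TTY, built from a Docker Hub image, and talking to a remote server on an unusual TCP port. The records are constructed; `image` and `tty` mirror `Config.Image` and `Config.Tty` from `docker inspect`, and the hypothetical `remote_ports` field stands in for outbound destination ports you would collect from the container's network namespace (for example with `nsenter -t <pid> -n ss -tn`).

```python
# Added example: triage containers for the TrafficStealer traits in the keypoints above.
# Records are constructed for this demo; "image" and "tty" mirror Config.Image and
# Config.Tty from `docker inspect`, while "remote_ports" (a hypothetical field) stands
# for outbound TCP destination ports seen in the container's network namespace.
SAMPLE_CONTAINERS = [
    {"name": "proxy-node", "image": "exampleuser/proxy-app:latest",
     "tty": False, "remote_ports": [9876]},
    {"name": "web", "image": "nginx:1.25", "tty": False, "remote_ports": [443]},
    {"name": "shell", "image": "ubuntu:22.04", "tty": True, "remote_ports": [443, 9876]},
]

# Outbound TCP ports a container is normally expected to talk to; anything else is "unusual".
EXPECTED_REMOTE_PORTS = {53, 80, 443}


def from_docker_hub(image: str) -> bool:
    """True when the reference carries no registry host, so the daemon resolves it to Docker Hub."""
    if "/" not in image:
        return True  # official image such as nginx:1.25
    first = image.split("/")[0]
    return not ("." in first or ":" in first or first == "localhost")


def container_indicators(c: dict) -> list:
    """Return the report-described traits present on one container record."""
    hits = []
    if c["tty"] is False:
        hits.append("no TTY: non-interactive, automated launch")
    if from_docker_hub(c["image"]):
        hits.append("image pulled from Docker Hub")
    unusual = sorted(p for p in c["remote_ports"] if p not in EXPECTED_REMOTE_PORTS)
    if unusual:
        hits.append("outbound traffic on unusual TCP port(s) " + ", ".join(map(str, unusual)))
    return hits


def triage(containers: list, threshold: int = 3) -> dict:
    """Map container name -> indicators for containers showing at least `threshold` traits."""
    flagged = {}
    for c in containers:
        hits = container_indicators(c)
        if len(hits) >= threshold:
            flagged[c["name"]] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_CONTAINERS).items():
        print(f"{name}: " + "; ".join(hits))
```

A Docker Hub image alone is a weak signal (every official image matches), so the threshold only flags containers that combine all three traits.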

MITRE Techniques

  • [T1090] Proxy – The container proxies traffic from users to specific websites and engages with ads. Quote: “[takes traffic from various mobile app users and proxies it via this container app.]”
  • [T1105] Ingress Tool Transfer – The malware pulls a container image from Docker Hub to deploy the malicious routine. Quote: “[The image that was used to infect our honeypot was pulled 500,000 times from Docker Hub alone, processing 15 MB in a matter of seconds.]”
  • [T1041] Exfiltration Over C2 Channel – All traffic between the infected environment and the server is encrypted, aiding covert communication. Quote: “[All the traffic exchanged with the server is encrypted]”

Indicators of Compromise

  • [SHA256] 856963cece315dea93a685a9cc76cc2c75a8625694c03c3e15a2bc1a7876606c – traffmonetizer.dmg, Proxyware.MacOS.TraffMoney.A

Read more: https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for-profit-via-trafficstealer.html