Cybercrooks Target Docker Containers With Novel Pageview Generator - Dark Reading
2024-01-22 13:40 (EST) - Tara Seals
Container-focused cyberattackers have a brand-new type of payload: a gray-area traffic-generating tool that creates artificial page views for websites, known as the 9hits Traffic Exchange.
Members of 9hits can buy what are known as "credits" on the platform, which can be exchanged for sending a set amount of traffic to a given website via the automated 9hits viewer app. The app loads a chosen webpage a certain number of times, thus generating page views — even though there are no actual eyeballs taking in the target sites content.
9hits might be a little shady, being used to inflate a sites actual visitor engagement numbers in a quest for luring advertisers — but its use is not illegal. Unless, of course, its being planted into an organizations infrastructure without consent, thus stealing compute resources.
According to researchers at Cado Security, thats exactly what the bad guys are doing: deploying this "unique Web traffic solution" (as it bills itself), in order to generate credits for the attacker.
Cado says the attackers in a fresh campaign are targeting vulnerable Docker services to deploy two separate containers: an XMRig cryptominer and 9hits. The former is a well-known malicious payload, but the latter is entirely novel, the researchers said.
"Attackers always seek more strategies to profit from compromised hosts," according to Cados 9hits/Docker analysis published today. "[We] can observe the processes being run, allowing the 9hits app to authenticate with their servers and pull a list of sites to visit. Once visited, the session owner is awarded a credit on the 9hits platform."
The credits can then be turned into traffic to the attackers site of choice, which in turn can be monetized in any number of creative ways, including selling it to an ad network.
