Cybercrooks Target Docker Containers With Novel Pageview Generator

Cyberattackers are exploiting Docker instances to drop the bot-tastic 9hits Web traffic generator and "earn" valuable credits that can be turned into cash.

robot from the Terminator movies against a cloud background
Source: Bob Sharples via Alamy Stock Photo

Container-focused cyberattackers have a brand-new type of payload: a gray-area traffic-generating tool that creates artificial page views for websites, known as the 9hits Traffic Exchange.

Members of 9hits can buy what are known as "credits" on the platform, which can be exchanged for sending a set amount of traffic to a given website via the automated 9hits viewer app. The app loads a chosen webpage a certain number of times, thus generating page views — even though there are no actual eyeballs taking in the target site's content.

9hits might be a little shady, being used to inflate a site's actual visitor engagement numbers in a quest for luring advertisers — but its use is not illegal. Unless, of course, it's being planted into an organization's infrastructure without consent, thus stealing compute resources.

According to researchers at Cado Security, that's exactly what the bad guys are doing: deploying this "unique Web traffic solution" (as it bills itself), in order to generate credits for the attacker.

Cado says the attackers in a fresh campaign are targeting vulnerable Docker services to deploy two separate containers: an XMRig cryptominer and 9hits. The former is a well-known malicious payload, but the latter is entirely novel, the researchers said.

"Attackers always seek more strategies to profit from compromised hosts," according to Cado's 9hits/Docker analysis published today. "[We] can observe the processes being run, allowing the 9hits app to authenticate with their servers and pull a list of sites to visit. Once visited, the session owner is awarded a credit on the 9hits platform."

The credits can then be turned into traffic to the attacker's site of choice, which in turn can be monetized in any number of creative ways, including selling it to an ad network.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights