A new cyber-attack campaign has been discovered targeting vulnerable Docker services [1] [2] [4]. This campaign utilizes the 9Hits Viewer software and XMRig cryptocurrency miner as its payload, marking the first known instance of malware using the 9Hits application [1] [2] [4] [5]. Attackers are constantly seeking new ways to profit from compromised hosts [1] [2] [4], and this campaign highlights their adaptability.

Description

The 9Hits container is employed to generate credits for the attacker by authenticating with 9Hits and retrieving a list of sites to visit [2]. Interestingly [3], the campaign allows visiting adult sites and sites with popups [2], but not cryptocurrency-related sites [2]. In addition, another container runs an XMRig miner that connects to a private mining pool [2], making it challenging to determine the scale and profitability of the campaign [2].

The main impact on compromised hosts is resource exhaustion [1] [2] [4] [5]. The XMRig miner utilizes all available CPU resources [1] [2] [4], while 9Hits consumes significant bandwidth [2] [4], memory [1] [2] [4] [5], and CPU [2]. This can disrupt legitimate workloads on infected servers [2] [4] [5]. Furthermore, there is a potential for the campaign to be updated to leave a remote shell on the system, leading to a more serious breach [1] [2] [3].

Conclusion

Exposed Docker hosts remain vulnerable, and keeping them secured remains essential. Docker hosts continue to be a common entry vector for attackers [3], and this campaign serves as a reminder of the need for robust security measures. Mitigating the impact of such attacks requires proactive monitoring, patching vulnerabilities, and implementing strong access controls. Additionally, the evolving nature of cyber threats necessitates continuous vigilance and adaptation to stay ahead of attackers.
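To make the monitoring and access-control points concrete, here is an added example (not code from the article or any of the cited sources): a Python triage helper that checks whether a dockerd daemon.json exposes the API over TCP without TLS, and scans `docker inspect` output for containers that reference 9Hits or XMRig. The image names, pool hostname and token value in the sample records are constructed placeholders, and the `HostConfig.NanoCpus` check is only a hint that a matching container has no CPU quota.

```python
import json
import re

# Substrings drawn from the campaign write-up: the 9Hits viewer and the XMRig miner.
SUSPECT = re.compile(r"9hits|xmrig", re.IGNORECASE)


def exposed_docker_api(daemon_json: str) -> list:
    """Return tcp:// listeners from daemon.json that are not protected by TLS.

    An unauthenticated TCP listener lets anyone who can reach it start
    containers, which is how hosts in this campaign are taken over.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    if cfg.get("tlsverify", False):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def suspicious_containers(inspect_json: str) -> list:
    """Flag containers whose image, command or environment mention 9Hits or
    XMRig, noting whether a CPU quota is set (the miner pegs every core)."""
    findings = []
    for c in json.loads(inspect_json):
        cfg = c.get("Config", {})
        blob = " ".join([cfg.get("Image") or "",
                         *(cfg.get("Cmd") or []),
                         *(cfg.get("Env") or [])])
        if not SUSPECT.search(blob):
            continue
        reasons = ["references 9hits/xmrig"]
        if not c.get("HostConfig", {}).get("NanoCpus"):
            reasons.append("no CPU limit")
        findings.append((c.get("Name", "").lstrip("/"), reasons))
    return findings


# Constructed samples (not real captures): a daemon.json that exposes the API
# without TLS, and three `docker inspect` records, two of them matching.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx"], "Env": []},
     "HostConfig": {"NanoCpus": 500000000}},
    {"Name": "/hits", "Config": {"Image": "example/9hits-viewer:latest", "Cmd": None,
                                 "Env": ["HITS_TOKEN=placeholder"]},
     "HostConfig": {"NanoCpus": 0}},
    {"Name": "/miner", "Config": {"Image": "ubuntu:22.04",
                                  "Cmd": ["/tmp/xmrig", "-o", "pool.example:3333"], "Env": []},
     "HostConfig": {"NanoCpus": 0}},
])
```

Run `exposed_docker_api` against the host's real daemon.json and `suspicious_containers` against `docker inspect $(docker ps -q)` to triage a live host; a non-empty result from the first call is the access-control gap to close first.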

References

[1] https://thehackernews.com/2024/01/new-docker-malware-steals-cpu-for.html
[2] https://patabook.com/technology/2024/01/18/new-docker-malware-steals-cpu-for-crypto-drives-fake-website-traffic/
[3] https://www.hackread.com/docker-servers-malware-traffic-boosted-cryptominers/
[4] https://owasp.or.id/2024/01/18/new-docker-malware-steals-cpu-for-crypto-drives-fake-website-traffic/
[5] https://www.infosecurity-magazine.com/news/malware-exploits-9hits-docker/