Cybercrooks Target Docker Containers With Novel Pageview Generator

Container-focused cyberattackers have a brand-new type of payload: a gray-area traffic-generating tool that creates artificial page views for websites, known as the 9hits Traffic Exchange.

Members of 9hits can buy what are known as "credits" on the platform, which can be exchanged for sending a set amount of traffic to a given website via the automated 9hits viewer app. The app loads a chosen webpage a certain number of times, thus generating page views — even though there are no actual eyeballs taking in the target site's content.

9hits might be a little shady, being used to inflate a site's actual visitor engagement numbers in a quest for luring advertisers — but its use is not illegal. Unless, of course, it's being planted into an organization's infrastructure without consent, thus stealing compute resources.

According to researchers at Cado Security, that's exactly what the bad guys are doing: deploying this "unique Web traffic solution" (as it bills itself), in order to generate credits for the attacker.

Cado says the attackers in a fresh campaign are targeting vulnerable Docker services to deploy two separate containers: an XMRig cryptominer and 9hits. The former is a well-known malicious payload, but the latter is entirely novel, the researchers said.

"Attackers always seek more strategies to profit from compromised hosts," according to Cado's 9hits/Docker analysis published today. "[We] can observe the processes being run, allowing the 9hits app to authenticate with their servers and pull a list of sites to visit. Once visited, the session owner is awarded a credit on the 9hits platform."

The credits can then be turned into traffic to the attacker's site of choice, which in turn can be monetized in any number of creative ways, including selling it to an ad network.