The IT Nerd

New Malware Targeting Vulnerable Docker to Deploy Smart Web Traffic Exchange App as Payload

Cado Security has published its discovery of the first documented case of malware deploying the viewer application of the 9Hits Traffic Exchange (“A Unique Web Traffic Solution”) as a payload. The 9Hits app, which generates hits and credits, is now being deployed by malware to generate credits for the attacker.

Cado observed a novel campaign targeting vulnerable Docker services to deploy two containers: an XMRig miner and 9hits. On the 9hits platform, members can buy credits to exchange for traffic to a website of their choice, and can run the 9hits viewer app, which visits websites requested by other members in exchange for a cut of the credits.

This campaign shows that exposed Docker hosts are still a common entry vector and that attackers are always looking for more ways to profit from compromised hosts. Cado was able to observe the processes being run: the 9hits app authenticates with the 9hits servers and pulls a list of sites to visit. Once a site has been visited, the session owner is awarded a credit on the 9hits platform.

In the new research, Nate Bill, Threat Intelligence Engineer at Cado Security, analyzes why the threat actor behind this campaign removed the ability to visit crypto-related sites, the main impact of this campaign on compromised hosts, and the result on infected servers unable to perform.

You can read the details here.