
Docker Servers Under Siege: 9Hits Malware Campaign Turns Infrastructure Into Crypto Miners

A newly discovered malware campaign targeting vulnerable Docker servers represents a troubling evolution in cryptojacking tactics. Security researchers at Cado Security have documented the first-known instance of attackers deploying the 9Hits Traffic Exchange viewer application as a malicious payload alongside the XMRig cryptocurrency miner. The dual-purpose campaign, revealed on January 18, 2024, simultaneously generates fake website traffic and mines Monero cryptocurrency on compromised hosts, maximizing the attacker’s profit from every infected server.

The Threat Landscape

Docker servers remain one of the most commonly exploited entry vectors for cloud-based attacks. Attackers routinely scan for exposed Docker API endpoints using services like Shodan, identifying servers where administrators have failed to properly secure access controls. In this campaign, the attacker uses a straightforward approach: setting the DOCKER_HOST environment variable and executing standard Docker CLI commands to pull and run malicious containers from DockerHub.

What makes this campaign notable is the dual-payload strategy. Rather than simply deploying a cryptominer, the attacker also installs the 9Hits viewer application, a headless Chrome-based tool that automatically visits websites to generate artificial traffic. This approach allows the attacker to earn credits on the 9Hits platform while simultaneously mining cryptocurrency, effectively double-monetizing every compromised server.

The 9Hits platform operates on a credit system where members purchase traffic for their websites. Users can run the viewer application to visit requested sites in exchange for credits. The session token system used by 9Hits is designed to work in untrusted contexts, which means the attacker can operate the viewer on hijacked servers without risking exposure of their own account credentials.

Core Principles

Container security rests on a few fundamental principles, and this attack succeeds wherever they are absent. First, the principle of least privilege demands that containers never run with more permissions than necessary. In this campaign, the attacker does not attempt to escape the container, instead running the malicious workloads entirely within the containerized environment using predetermined arguments.

Second, network exposure management requires that Docker API endpoints should never be accessible from the public internet. The attackers likely discover their targets through Shodan or similar scanning services, as their originating IP addresses do not appear in common abuse databases, suggesting the use of separate scanning infrastructure.

Third, image provenance verification ensures that only trusted container images from verified publishers run on production infrastructure. The attacker pulls off-the-shelf images from DockerHub for both the 9Hits viewer and XMRig miner, exploiting the trust that Docker commands inherently place in public image repositories.

Tooling and Setup

Organizations can protect their Docker infrastructure through several practical measures. Start by ensuring Docker API endpoints are not exposed to the public internet. Use firewall rules to restrict access to the Docker daemon, and require TLS authentication for remote API connections. Implement Docker Content Trust to verify the integrity and publisher of container images before deployment.

Deploy runtime security monitoring tools that detect unusual container behavior, such as unexpected CPU usage spikes from mining operations or unusual network connections from the 9Hits viewer application. Tools like Falco or Docker Bench for Security provide automated checks against common misconfigurations.
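Because the attacker simply pulls off-the-shelf images from DockerHub and creates containers, the Docker event stream is a cheap place to catch this. The detector below is an added example, not part of the article or of any tool it names: it reads JSON lines in the shape of `docker events --format '{{json .}}'`, flags container creations whose image is outside a trusted registry, and additionally marks names matching the tooling the campaign uses. The registry allowlist and the sample events are constructed.

```python
"""Flag container creations outside a trusted registry, from Docker event JSON."""
import json

# Constructed policy: production hosts only run images from our own registry.
TRUSTED_PREFIXES = ("registry.internal.example/",)
# Tooling named in the campaign; off-the-shelf DockerHub images carry these names.
SUSPECT_KEYWORDS = ("9hits", "xmrig")

# Constructed sample stream; field names follow Docker's event JSON.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Type": "container", "Action": "create", "Actor": {"ID": "a1",
     "Attributes": {"image": "registry.internal.example/web:1.4", "name": "web"}}},
    {"Type": "container", "Action": "create", "Actor": {"ID": "b2",
     "Attributes": {"image": "example/9hits-viewer:latest", "name": "nginx"}}},
    {"Type": "image", "Action": "pull", "Actor": {"ID": "example/xmrig:latest",
     "Attributes": {}}},
    {"Type": "container", "Action": "create", "Actor": {"ID": "c3",
     "Attributes": {"image": "example/xmrig:latest", "name": "cache"}}},
])


def image_ref(image: str) -> str:
    """Normalise a DockerHub short name (no registry host) to its docker.io form."""
    first = image.split("/", 1)[0]
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + image
    return image


def scan_events(stream: str) -> list[dict]:
    """Return one alert per container creation that violates the image policy."""
    alerts = []
    for line in stream.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") != "create":
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        image = image_ref(attrs.get("image", ""))
        reasons = [] if image.startswith(TRUSTED_PREFIXES) else ["untrusted registry"]
        reasons += [f"name matches {k}" for k in SUSPECT_KEYWORDS if k in image.lower()]
        if reasons:
            alerts.append({"container": attrs.get("name"), "image": image,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

In practice pipe `docker events --format '{{json .}}'` into `scan_events` line by line; an unexpected image on a host that should only run internal builds is the signal, whether or not the name happens to match a known miner.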

The campaign uses a dynamic DNS domain (dscloud), updated by a Synology server, that resolves to the attacker’s IP address. This technique allows the attacker to maintain persistence even if individual IP addresses are blocked. Security teams should monitor for connections to suspicious dynamic DNS domains as part of their threat detection strategy.

Ongoing Vigilance

The 9Hits campaign illustrates how attackers continuously refine their methods to maximize returns from compromised infrastructure. By combining cryptojacking with traffic generation, the attacker creates a diversified revenue stream from each infected server. Interestingly, the attacker specifically disables the 9Hits viewer’s ability to visit crypto-related websites, possibly to avoid drawing attention from cryptocurrency-focused security researchers.

The XMRig deployment uses a private mining pool rather than a public one, which prevents analysis of the campaign’s scale through public pool statistics. This operational security measure suggests a sophisticated attacker who understands the risks of exposure through public blockchain analytics.

Final Takeaway

As the cryptocurrency market navigates the aftermath of Bitcoin ETF approvals with BTC trading around $41,262, the incentive for cryptojacking attacks remains strong. The 9Hits campaign demonstrates that attackers need not limit themselves to a single revenue stream. Infrastructure operators must adopt comprehensive container security practices, including API access controls, image verification, and runtime monitoring, to protect against increasingly creative exploitation campaigns. The cost of prevention remains far lower than the cost of remediation.


7 thoughts on “Docker Servers Under Siege: 9Hits Malware Campaign Turns Infrastructure Into Crypto Miners”

  1. using 9hits for fake traffic AND xmrig on the same box is actually kind of efficient lol. maximize that compromised server ROI

    1. efficient for the attacker, terrible for whoever pays the AWS bill. seen cryptojacking runs cost thousands in compute before anyone notices

  2. the DOCKER_HOST env variable attack is embarrassingly simple. if your api endpoint is exposed on the internet without auth you’re basically begging for this

    1. Kenji the attack is simple because the defense is simple too. just don't expose port 2375 to the internet. literally one firewall rule

  3. shodan scanning for exposed docker apis has been a thing since like 2019. the fact that servers are still unsecured in 2024 says everything about cloud ops

    1. CloudOpsDan 5 years of exposed Docker APIs and orgs still haven't learned. the Shodan query for unauthenticated Docker endpoints returns thousands of results

  4. dual payload strategy is smart from the attacker perspective. mining plus traffic farming means even a low-end compromised box generates value
