A unique threat, dubbed TrafficStealer, has been observed targeting Docker containers to generate revenue by monetizing web traffic and ad engagement. It can be thought of as a weaponized version of a legitimate traffic-routing service.
Historically, cybercriminals have targeted Docker containers to harness their cloud-based processing power for running cryptomining software, or to carry out reconnaissance by running Linux commands.
About TrafficStealer
According to Trend Micro, TrafficStealer uses a pre-built container image with traffic monetization features. The activity was observed when attackers abused a honeypot set up by the research firm.
The attackers used a Docker container image developed to offer a traffic-monetization service. Subscribers to this service must install software that routes network traffic through their device, generating revenue.
However, this containerized software does not provide any details about the traffic flowing through the subscriber’s device.
Furthermore, if it is run unknowingly on a targeted cloud resource, it can take advantage of the victim's network traffic (much as cryptominers abuse legitimate CPU resources to mine cryptocurrency) and generate revenue for the attacker.
The container image has been pulled more than 500,000 times from the Docker Hub, indicating the massive scale of this attack.
How TrafficStealer works
TrafficStealer uses a combination of two techniques: web crawling and click simulation.
Attackers scan the internet to identify websites with a high potential for generating ad revenue. These sites are then specifically targeted by driving traffic to them through the victim's network.
On these high-value sites, the attackers generate fake clicks on advertisements, producing high ad revenue.
The TrafficStealer service requires subscribers to create an account and generate a token that is used during monetization, along with a unique ID to run the service locally.
However, in this attack, the attackers used their own hardcoded token, diverting all the revenue to their own account.
Additional tricks
The threat actors developed custom YAML configuration files and cloud pipelines to automate the deployment of this service, resulting in faster and more scalable deployment on the targeted networks.
Furthermore, they did not create a TTY (a command-line terminal used to enter commands) in order to dodge security. A TTY is considered a telltale sign of automated attacks.
In addition, the service offers a dashboard to monitor the details of the infected nodes, including the OS and IP address.
Ending notes
TrafficStealer is yet another example of how threat actors are cleverly abusing popular cloud platforms. This malicious container image has already been downloaded hundreds of thousands of times, indicating the massive scale of the scheme. To mitigate the risks TrafficStealer poses, experts recommend implementing zero-trust security for all container environments and auditing for any unwanted open container APIs.
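As an added, defender-side example (not Trend Micro's tooling and not code from this article), the following Python script turns two points made above into an offline audit: the TTY indicator from the "Additional tricks" section, and the closing advice to audit for unwanted open container APIs. It parses `docker inspect` output and a Docker `daemon.json`; the `Config.Tty`, `Config.Image`, `Config.Env`, `hosts` and `tlsverify` fields are real Docker keys, while the container IDs, image names, token value and both JSON samples are constructed for illustration.

```python
"""Offline audit of two indicators discussed in the article.

Added example for illustration; it is not Trend Micro's tooling or the
article's own code. All sample data below is constructed.
"""
import json

# Constructed sample: what `docker inspect <id> <id>` might return (trimmed).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/web-frontend",
        "Config": {
            "Tty": True,
            "Image": "registry.example.internal/web:1.4",
            "Env": ["PATH=/usr/bin"],
        },
    },
    {
        "Id": "bbbb2222",
        "Name": "/quiet-worker",
        "Config": {
            "Tty": False,
            "Image": "docker.io/example/traffic-worker:latest",
            "Env": ["PATH=/usr/bin", "TOKEN=constructed-placeholder-value"],
        },
    },
])

# Constructed sample /etc/docker/daemon.json: API bound to all interfaces, no TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Environment variable names that usually carry a credential.
CREDENTIAL_ENV_KEYS = {"TOKEN", "API_TOKEN", "API_KEY", "ACCESS_TOKEN"}


def find_suspicious_containers(inspect_json, allowed_image_prefixes):
    """Return (id, name, reasons) for containers worth a closer look.

    A missing TTY is a weak signal on its own (many legitimate services run
    without one), so it is reported together with an image allow-list check
    and a scan for credential-like environment variables baked into the
    container, which is how a hardcoded monetization token would show up.
    """
    findings = []
    for container in json.loads(inspect_json):
        cfg = container.get("Config", {})
        reasons = []
        if not cfg.get("Tty", False):
            reasons.append("no TTY allocated")
        image = cfg.get("Image", "")
        if not any(image.startswith(p) for p in allowed_image_prefixes):
            reasons.append(f"image not on allow-list: {image}")
        for entry in cfg.get("Env", []):
            key = entry.split("=", 1)[0].upper()
            if key in CREDENTIAL_ENV_KEYS:
                reasons.append(f"credential-like env var: {key}")
        if reasons:
            findings.append((container.get("Id", ""), container.get("Name", ""), reasons))
    return findings


def find_tcp_api_endpoints(daemon_json):
    """Return (endpoint, tls_enforced) for every TCP listener in daemon.json.

    A tcp:// host without "tlsverify": true is an unauthenticated remote
    Docker API, exactly the kind of open container API the mitigation
    advice says to audit for.
    """
    cfg = json.loads(daemon_json)
    tls_enforced = bool(cfg.get("tlsverify", False))
    return [(h, tls_enforced) for h in cfg.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    for cid, name, reasons in find_suspicious_containers(
            SAMPLE_INSPECT, ["registry.example.internal/"]):
        print(f"[container] {name} ({cid}): " + "; ".join(reasons))
    for endpoint, tls in find_tcp_api_endpoints(SAMPLE_DAEMON_JSON):
        status = "TLS client verification on" if tls else "NO TLS - unauthenticated API"
        print(f"[daemon] {endpoint}: {status}")
```

On a real host you would feed the script the output of `docker inspect $(docker ps -q)` and your own `daemon.json` instead of the constructed samples; the allow-list of image prefixes is the control that does most of the work, since the TTY check alone will match plenty of legitimate service containers.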