Trafficstealer Exploits Container APIs for Malicious Redirections

Researchers caught Trafficstealer actively abusing Docker Container APIs to redirect users to malicious websites. The threat actors use this new piece of software for monetizing traffic while staying under the radar.

Trafficstealer – A New Software Abusing Docker Container APIs To Make Money

According to a detailed report from Trend Micro, they noticed a new software, “Trafficstealer,” exploiting the usual internet traffic for monetization.

Briefly, their honeypots detected a unique dataset that seemed different from a cryptominer or a Linux command for spying. Specifically, they found a container abusing their lab network to redirect traffic to malicious websites or ads. Despite facing abuse, the researchers could gather information about the attackers by analyzing the JSON honeypot logs. As stated in their report,

The attackers had turned our honeypot into a revenue-generating machine for themselves, but they also left some valuable information behind, allowing us to gain a better understanding of their tactics and gather valuable learnings from this experience.

Specifically, the attack begins by deploying container images on a target network to reroute traffic through this container app. In turn, the service promises the user (the “subscriber”) some profit. The subscriber’s device then works as a proxy, keeping the entire traffic rerouting activity undetected. While that sounds harmless, it is dangerous when executed for abusing victim’s networks for monetization.

Simply put, the concept behind this mode of operations resembles that of cryptominers. The difference is that cryptomining abuses the target device’s CPU or GPU, whereas this Trafficstealer container app activity abuses the target network’s traffic.

Trend Micro observed the said image being pulled 500,000 times from the Docker Hub alone, processing 15 MB within seconds. Given the stealthy nature of this attack that even doesn’t suspect the legitimate ad services gaining the traffic (because the traffic looks legit – only that it’s redirected), the researchers suspect numerous legitimate sites willingly running the image on their networks.

To mitigate such threats, the researchers advise employing zero-trust on all container environments, keeping container APIs secured, implementing container authorization policy, and ensuring regular anti-malware scans for container images.

The researchers will continue to monitor this activity to gather more information.

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil