| ChkStart | |
|---|---|
| Type of Malware | Infostealer |
| Country of Origin | Unknown |
| Date of Initial Activity | 2024 |
| Targeted Countries | Unknown |
| Motivation | Data Theft; cryptocurrency mining (cryptojacking) |
| Attack Vectors | Credential-based attacks; exposed, unauthenticated Docker Engine API (TCP 2375) |
| Targeted Systems | Linux |
| Type of Information Stolen | System Information |
Overview
CHKSTART is a Linux malware family first observed in 2024. Rather than relying on a software vulnerability, it takes advantage of weakly configured environments, in particular internet-exposed Docker hosts, and combines stealth with a broad set of capabilities, which makes it a multifaceted problem for defenders.
Its architecture is modular: components can be added or swapped to suit an operator's goals, from basic reconnaissance through to data exfiltration, and each component is designed to achieve its effect while keeping the footprint that would reveal it as small as possible.
A central feature is evasion of conventional security controls. CHKSTART obfuscates and encrypts its code and hides behind legitimate system processes so that signature-based tools and routine administration are unlikely to notice it.
Targets
Docker Engine hosts: the malware looks for Docker daemons listening on TCP port 2375, the plaintext (non-TLS) Docker API port, that are reachable from the internet without authentication. This is almost always a misconfiguration (a daemon started with `-H tcp://0.0.0.0:2375` and no `--tlsverify`): whoever can reach the port can do everything the daemon can, which is to say everything root can.
Publicly exposed systems: the attackers only need network reachability. The unauthenticated API itself grants access, so no exploit is required.
Misconfigured Docker environments: the preferred targets are hosts where the root directory of the host machine is, or can be, bound into a container. With `/` mounted in a container, a process in that container reads and modifies the host filesystem directly, which amounts to full host compromise.
Cryptojacking: once on the host, the malware sets up a persistent cryptomining operation, installing payloads that consume the system's CPU to mine cryptocurrency for the attackers.
Systemd service configurations: the malware also abuses systemd services as a persistence mechanism, so that the init system restarts its payloads after a reboot.
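The first two conditions above can be checked from the outside in a few lines. The script below is an added example written for this page, not code from the original article or from the malware: it asks a Docker daemon on port 2375 for `/version` without any credentials (a daemon running with `--tlsverify` refuses a plaintext request, so a 200 here means the engine is open to anyone who can reach it) and then lists containers that bind-mount the host's `/`. The sample container list is constructed to exercise both the `Mounts` shape returned by `GET /containers/json` and the `HostConfig.Binds` shape returned by `GET /containers/{id}/json`.

```python
"""Check a Docker Engine API socket for the two conditions described above:
it answers without credentials, and running containers bind the host's root
directory.  Added example, not code from the original page."""
import http.client
import json
import sys


def host_root_mounts(container):
    """Return the in-container paths at which this container mounts the host root.

    Accepts an entry from GET /containers/json (carries "Mounts") or from
    GET /containers/{id}/json (carries HostConfig.Binds)."""
    hits = []
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            hits.append(mount.get("Destination", "?"))
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        # Binds entries look like "host_path:container_path[:options]".
        src, _, rest = bind.partition(":")
        if src == "/":
            hits.append(rest.split(":")[0] or "?")
    return hits


def find_root_binds(containers):
    """Map short container id -> in-container paths that expose the host root."""
    result = {}
    for container in containers:
        hits = host_root_mounts(container)
        if hits:
            result[container["Id"][:12]] = hits
    return result


def probe_docker_api(host, port=2375, timeout=5):
    """Query the daemon with no credentials at all.

    A daemon started with --tlsverify refuses a plaintext request, so a 200
    from /version means anyone who can reach the port controls the engine.
    Returns (engine_version, containers) or None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        version = json.loads(resp.read()).get("Version", "?")
        conn.request("GET", "/containers/json?all=1")
        containers = json.loads(conn.getresponse().read())
    except (OSError, http.client.HTTPException, ValueError):
        return None          # TLS-only daemon, closed port, or non-JSON answer
    finally:
        conn.close()
    return version, containers


# Constructed sample shaped like Docker API output; not data from a real host.
SAMPLE_CONTAINERS = [
    {"Id": "3f9a1c0b7d2e4a5b6c7d8e9f0a1b2c3d", "Image": "alpine",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host",
                 "Mode": "", "RW": True, "Propagation": "rprivate"}]},
    {"Id": "a1b2c3d4e5f60718293a4b5c6d7e8f90", "Image": "nginx:latest",
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Id": "0011223344556677889900aabbccddee", "Image": "busybox",
     "HostConfig": {"Binds": ["/:/mnt/root:ro", "/tmp:/tmp"]}},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python3 check_docker.py <host>
        found = probe_docker_api(sys.argv[1])
        if found is None:
            print("no unauthenticated Docker API on", sys.argv[1])
            sys.exit(0)
        version, containers = found
        print(f"unauthenticated Docker API, engine {version}")
    else:
        containers = SAMPLE_CONTAINERS
    for cid, paths in find_root_binds(containers).items():
        print(f"{cid}: host root mounted at {', '.join(paths)}")
```

Run it against your own hosts, not other people's. A daemon that answers `/version` on 2375 should be taken off the network interface entirely or switched to 2376 with `--tlsverify` and client certificates; any container in the output with the host root mounted should be treated as a host compromise, not a container incident.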
How they operate
CHKSTART is driven through a command and control (C2) channel. Once it is running on a victim machine it connects to a server operated by the attackers, receives instructions over that connection and sends stolen data back over it. The actions it takes, from collecting data to changing the state of the system, are dictated by the commands it receives.
One capability is screen capture: the malware can take screenshots of the victim's desktop and return them over the C2 channel, which can expose anything displayed on screen, including personal and financial details. The caveat for the Docker-hosting profile described above is that a headless server has no graphical session to capture, so this feature only matters where a desktop is actually present.
CHKSTART also dumps credentials from the infected system. On Linux that typically means reading credential stores such as `/etc/shadow`, SSH private keys under `~/.ssh`, and credentials held in memory or in files in plaintext or easily reversible form; each recovered credential lets the attackers move on to further accounts and systems.
Persistence is another essential part of its operation. To survive reboots and logins the malware installs scheduled tasks or jobs, on Linux cron entries, systemd services and systemd timers, which start it again at fixed intervals or on system events, so that it keeps running and exfiltrating data even after the original point of entry has been closed.
For defense evasion, CHKSTART removes or obfuscates the logs and other host indicators that would reveal it, for example by clearing or truncating log files and shell history, and modifies system settings to hide its activity, which lowers the chance that security tooling or an administrator notices the infection.
MITRE Tactics and Techniques
Initial Access (T1190 – Exploit Public-Facing Application): the entry point is the internet-exposed, unauthenticated Docker Engine API on port 2375 described under Targets.
Execution (T1610 – Deploy Container): with API access, the attackers start their own containers on the victim's Docker host.
Privilege Escalation (T1611 – Escape to Host): binding the host's root directory into a container gives code in the container direct access to the host filesystem.
Collection (T1113 – Screen Capture): CHKSTART may capture the victim's screen to collect sensitive data displayed on the system.
Credential Access (T1003 – OS Credential Dumping): the malware extracts stored credentials from the system using credential dumping techniques.
Exfiltration (T1041 – Exfiltration Over C2 Channel): stolen data is sent to the attacker's server over the existing command and control channel.
Persistence (T1053 – Scheduled Task/Job; T1543.002 – Create or Modify System Process: Systemd Service): CHKSTART uses cron-style scheduled jobs and systemd services to keep running across reboots.
Defense Evasion (T1070 – Indicator Removal): to avoid detection and removal, CHKSTART hides its presence and removes traces of its activity from the host.
Impact (T1496 – Resource Hijacking): the cryptojacking payload consumes the host's compute resources to mine cryptocurrency for the attackers.