A previously unknown malware, Lightning Framework, has been spotted targeting Linux systems. The framework can be used to backdoor devices using SSH and deliver different types of rootkits.

Lightning Framework

According to Intezer, Lightning Framework is a modular malware that comes with passive and active capabilities for communication with the attacker.
  • The malware opens an SSH backdoor on the infected machine and supports a polymorphic, malleable command-and-control (C2) configuration. At the time of the report, several components referenced in its source code had yet to be discovered.
  • The framework uses typosquatting and masquerades as Seahorse, the GNOME password and encryption key manager, to avoid detection on infected systems.

Malware architecture

Lightning Framework comprises two main modules: Lightning.Downloader and Lightning.Core.
  • Lightning.Core is the main module of the framework; it receives commands from the C2 server and executes its plugins.
  • Lightning.Downloader is the downloader component that fetches and installs the other modules and plugins.
  • The framework supports multiple downloadable plugins, including Linux.Plugin.RootkieHide, Linux.Plugin.Kernel, and Linux.Plugin.Lightning.iptraf, among others.

Additional capabilities

The Lightning.Core module (kkdmflush) uses a number of techniques to mask its artifacts, stay undetected for longer, and attain persistence.
  • To hide, it time-stomps the timestamps of its malicious artifacts and uses one of the deployed rootkits to hide its process ID (PID) and the network ports it uses.
  • For persistence, it creates a script named elastisearch under /etc/rc.d/init.d/ that runs every time the system boots, executing the downloader module and re-infecting the device.
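A defender-side triage check, added here as an example and not code from Intezer or Cyware, for the two persistence artifacts described above: an init script whose name typosquats a legitimate service (elastisearch versus elasticsearch) and a modification time that is far older than the inode change time, which is what utime()-based time stomping leaves behind. The allowlist KNOWN_SERVICES, the InitScript record type and the sample records are assumptions made for the example.

```python
# Added triage helper: flag init scripts that typosquat a legitimate service name
# or carry a back-dated mtime. Records are plain values so the check runs offline.
from collections import namedtuple
# Assumed defender-maintained allowlist; only 'elasticsearch' is tied to this page.
KNOWN_SERVICES = {"elasticsearch", "sshd", "crond", "rsyslog", "network"}
# mtime is settable from user space via utime(); ctime is set by the kernel and
# cannot be lowered that way, so an mtime far older than ctime was back-dated.
InitScript = namedtuple("InitScript", "path mtime ctime")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(name):
    """Return the legitimate service name that `name` imitates, or None."""
    if name in KNOWN_SERVICES:
        return None
    hits = [s for s in KNOWN_SERVICES if edit_distance(name, s) <= 2]
    return min(hits, key=lambda s: edit_distance(name, s)) if hits else None

def looks_timestomped(rec, slack=3600):
    """True when mtime is more than `slack` seconds older than ctime."""
    return rec.ctime - rec.mtime > slack

def triage(records):
    """Return (path, reasons) for every record that trips at least one check."""
    findings = []
    for rec in records:
        name = rec.path.rsplit("/", 1)[-1]
        reasons = []
        target = typosquat_of(name)
        if target:
            reasons.append(f"name typosquats '{target}'")
        if name not in KNOWN_SERVICES and looks_timestomped(rec):
            reasons.append("mtime predates ctime by hours (possible time stomping)")
        if reasons:
            findings.append((rec.path, reasons))
    return findings

# Constructed sample records, not data from a real host.
SAMPLE = [
    InitScript("/etc/rc.d/init.d/elastisearch", mtime=1500000000, ctime=1658000000),
    InitScript("/etc/rc.d/init.d/sshd", mtime=1657990000, ctime=1657990000),
]
```

Package-installed files also keep an old build mtime under a newer install ctime, so the timestamp signal only carries weight for scripts no package claims; confirm with rpm -qf or dpkg -S before acting on it.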

Conclusion

Lightning Framework is a capable piece of Linux malware that can backdoor and compromise devices, and it stands as a serious threat to the security community. Stay safe by using a reliable anti-malware solution, and do not overlook threat intelligence platforms when mitigating emerging threats such as this one.
Cyware Publisher