Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Intezer Documents Powerful ‘Lightning Framework’ Linux Malware

Security researchers at Intezer are documenting the discovery of a powerful piece of Linux malware that can stay undetected and has the ability to install rootkits.

Security researchers at Intezer are documenting the discovery of a powerful piece of Linux malware that can stay undetected and has the ability to install rootkits.

Dubbed Lightning Framework, the threat is described as a Swiss Army Knife-like piece of malware that has a modular design and a plethora of capabilities rarely seen in malware targeting Linux systems.

The malware architecture includes a downloader, a core module, and multiple plugins that expand its functionality, some of which are open source tools, according to documentation published by Intezer.

The framework uses different modules for persistence, SSH connection (using OpenSSH with hardcoded keys), network traffic analysis (open source Nethogs) and observation (iftop), and IP network monitoring (IPTraf). Two rootkit modules are also referenced in the framework’s code.

The infection chain begins with the downloader module executing the core module and dropping additional components.

[ READ: How Linux Became the New Bullseye for Bad Guys ]

The downloader checks if it runs from a specific working directory and relocates itself to it if not, and can fingerprint the host name and network adapters – to generate a GUID that it sends to the command-and-control (C&C) server.

According to Intezer, the malware attempts to remain undetected by using typosquatting and masquerading with referencing seahorses to masquerade the seahorse password and key manager.

Lightning’s core module can execute plugins, supports commands received from the C&C server, and achieves persistence by creating a script to run the downloader at system boot. It also generates a GUID using the same technique as the downloader.

To avoid detection, the malware changes the name of the calling thread to kdmflush – to pose as a kernel thread, modifies the timestamps of the persistency script and of other files to match that of whoami, find, or su, and hides its Process ID (PID) and related network ports.

Based on commands from the server, the core module can fingerprint the machine, run shell commands, execute plugins, check access to a file, verify and write file contents, delete files or paths, terminate its process, remove the framework, update the framework using the downloader, fetch a configuration file, overwrite files, or write one of the two rootkits.

Lightning uses TCP sockets for network communication, with the C&C stored in a polymorphic encoded configuration file unique for each creation, to avoid detection. A passive communication mode is also supported, using the OpenSSH daemon with hardcoded keys, which essentially creates a secondary backdoor.

Related: Avast: New Linux Rootkit and Backdoor Align Perfectly

Related: Highly-Evasive Linux Malware ‘Symbiote’ Infects All Running Processes

Related: Chinese Researchers Detail Linux Backdoor of NSA-Linked Equation Group

Related: How Linux Became the New Bullseye for Bad Guys 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.