
Intezer Documents Powerful ‘Lightning Framework’ Linux Malware

Security researchers at Intezer are documenting the discovery of a powerful piece of Linux malware that can stay undetected and has the ability to install rootkits.


Dubbed Lightning Framework, the threat is described as a Swiss Army Knife-like piece of malware that has a modular design and a plethora of capabilities rarely seen in malware targeting Linux systems.

The malware architecture includes a downloader, a core module, and multiple plugins that expand its functionality, some of which are open source tools, according to documentation published by Intezer.

The framework uses different modules for persistence, SSH connection (using OpenSSH with hardcoded keys), network traffic analysis (open source Nethogs) and observation (iftop), and IP network monitoring (IPTraf). Two rootkit modules are also referenced in the framework’s code.

The infection chain begins with the downloader module executing the core module and dropping additional components.


The downloader checks whether it is running from a specific working directory and relocates itself there if not. It can also fingerprint the host name and network adapters to generate a GUID that it sends to the command-and-control (C&C) server.

According to Intezer, the malware attempts to remain undetected through typosquatting and masquerading: it references “seahorses” to pose as the Seahorse password and key manager.

Lightning’s core module can execute plugins, supports commands received from the C&C server, and achieves persistence by creating a script to run the downloader at system boot. It also generates a GUID using the same technique as the downloader.

To avoid detection, the malware changes the name of the calling thread to kdmflush to pose as a kernel thread, modifies the timestamps of the persistence script and of other files to match those of whoami, find, or su, and hides its process ID (PID) and related network ports.
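A defender can check for the thread-name masquerade described above, because a renamed userland thread still lacks the kernel's PF_KTHREAD flag. The following is an added example, not code from Intezer or from the original article; the function names and the `proc_root` parameter are assumptions made for illustration.

```python
import os

PF_KTHREAD = 0x00200000  # kernel-thread bit in the flags field of /proc/<pid>/stat

def parse_stat(text):
    """Return (comm, ppid, flags) from the contents of a /proc stat file."""
    # comm sits in parentheses and may itself contain ')', so split on the last one.
    head, _, tail = text.rpartition(")")
    fields = tail.split()  # state, ppid, pgrp, session, tty_nr, tpgid, flags, ...
    return head.partition("(")[2], int(fields[1]), int(fields[6])

def fake_kernel_threads(proc_root="/proc", prefixes=("kdmflush",)):
    """List (pid, tid, comm) for userland threads named like a kernel thread."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        task_dir = os.path.join(proc_root, pid, "task")
        try:
            tids = os.listdir(task_dir)
        except OSError:
            continue  # process exited during the walk
        for tid in tids:
            try:
                with open(os.path.join(task_dir, tid, "stat")) as f:
                    comm, _ppid, flags = parse_stat(f.read())
            except (OSError, ValueError, IndexError):
                continue  # thread exited or stat line was unreadable
            # A genuine kernel thread carries PF_KTHREAD; a renamed userland thread does not.
            if comm.startswith(prefixes) and not flags & PF_KTHREAD:
                hits.append((int(pid), int(tid), comm))
    return sorted(hits)

if __name__ == "__main__":
    for pid, tid, comm in fake_kernel_threads():
        print(f"suspicious: pid={pid} tid={tid} comm={comm!r} is not a kernel thread")
```

Because the framework also hides its PID, an empty result on a live host is not proof of absence.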

Based on commands from the server, the core module can fingerprint the machine, run shell commands, execute plugins, check access to a file, verify and write file contents, delete files or paths, terminate its process, remove the framework, update the framework using the downloader, fetch a configuration file, overwrite files, or write one of the two rootkits.

Lightning uses TCP sockets for network communication, with the C&C stored in a polymorphic encoded configuration file unique for each creation, to avoid detection. A passive communication mode is also supported, using the OpenSSH daemon with hardcoded keys, which essentially creates a secondary backdoor.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
