CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Intezer Documents Powerful ‘Lightning Framework’ Linux Malware

Security researchers at Intezer are documenting the discovery of a powerful piece of Linux malware that can stay undetected and has the ability to install rootkits.

Security researchers at Intezer are documenting the discovery of a powerful piece of Linux malware that can stay undetected and has the ability to install rootkits.

Dubbed Lightning Framework, the threat is described as a Swiss Army Knife-like piece of malware that has a modular design and a plethora of capabilities rarely seen in malware targeting Linux systems.

The malware architecture includes a downloader, a core module, and multiple plugins that expand its functionality, some of which are open source tools, according to documentation published by Intezer.

The framework uses different modules for persistence, SSH connection (using OpenSSH with hardcoded keys), network traffic analysis (open source Nethogs) and observation (iftop), and IP network monitoring (IPTraf). Two rootkit modules are also referenced in the framework’s code.

The infection chain begins with the downloader module executing the core module and dropping additional components.

[ READ: How Linux Became the New Bullseye for Bad Guys ]

The downloader checks if it runs from a specific working directory and relocates itself to it if not, and can fingerprint the host name and network adapters – to generate a GUID that it sends to the command-and-control (C&C) server.

According to Intezer, the malware attempts to remain undetected by using typosquatting and masquerading with referencing seahorses to masquerade the seahorse password and key manager.

Advertisement. Scroll to continue reading.

Lightning’s core module can execute plugins, supports commands received from the C&C server, and achieves persistence by creating a script to run the downloader at system boot. It also generates a GUID using the same technique as the downloader.

To avoid detection, the malware changes the name of the calling thread to kdmflush – to pose as a kernel thread, modifies the timestamps of the persistency script and of other files to match that of whoami, find, or su, and hides its Process ID (PID) and related network ports.

Based on commands from the server, the core module can fingerprint the machine, run shell commands, execute plugins, check access to a file, verify and write file contents, delete files or paths, terminate its process, remove the framework, update the framework using the downloader, fetch a configuration file, overwrite files, or write one of the two rootkits.

Lightning uses TCP sockets for network communication, with the C&C stored in a polymorphic encoded configuration file unique for each creation, to avoid detection. A passive communication mode is also supported, using the OpenSSH daemon with hardcoded keys, which essentially creates a secondary backdoor.

Related: Avast: New Linux Rootkit and Backdoor Align Perfectly

Related: Highly-Evasive Linux Malware ‘Symbiote’ Infects All Running Processes

Related: Chinese Researchers Detail Linux Backdoor of NSA-Linked Equation Group

Related: How Linux Became the New Bullseye for Bad Guys 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.