Security researchers at Intezer are documenting the discovery of a powerful piece of Linux malware that can stay undetected and has the ability to install rootkits.
Dubbed Lightning Framework, the threat is described as a Swiss Army Knife-like piece of malware that has a modular design and a plethora of capabilities rarely seen in malware targeting Linux systems.
The malware architecture includes a downloader, a core module, and multiple plugins that expand its functionality, some of which are open source tools, according to documentation published by Intezer.
The framework uses different modules for persistence, SSH connection (using OpenSSH with hardcoded keys), network traffic analysis (open source Nethogs) and observation (iftop), and IP network monitoring (IPTraf). Two rootkit modules are also referenced in the framework’s code.
The infection chain begins with the downloader module executing the core module and dropping additional components.
The downloader checks if it runs from a specific working directory and relocates itself to it if not, and can fingerprint the host name and network adapters – to generate a GUID that it sends to the command-and-control (C&C) server.
According to Intezer, the malware attempts to remain undetected by using typosquatting and masquerading with referencing seahorses to masquerade the seahorse password and key manager.
Lightning’s core module can execute plugins, supports commands received from the C&C server, and achieves persistence by creating a script to run the downloader at system boot. It also generates a GUID using the same technique as the downloader.
To avoid detection, the malware changes the name of the calling thread to kdmflush – to pose as a kernel thread, modifies the timestamps of the persistency script and of other files to match that of whoami, find, or su, and hides its Process ID (PID) and related network ports.
Based on commands from the server, the core module can fingerprint the machine, run shell commands, execute plugins, check access to a file, verify and write file contents, delete files or paths, terminate its process, remove the framework, update the framework using the downloader, fetch a configuration file, overwrite files, or write one of the two rootkits.
Lightning uses TCP sockets for network communication, with the C&C stored in a polymorphic encoded configuration file unique for each creation, to avoid detection. A passive communication mode is also supported, using the OpenSSH daemon with hardcoded keys, which essentially creates a secondary backdoor.