New Linux Malware Lightning Framework Installs Backdoors and Rootkits

Linux malware Lightning Framework

Intezer analysts call the new Linux malware Lightning Framework a real “Swiss knife” because of its modular architecture, as well as the ability to install rootkits and backdoors.

Let me remind you that we also covered the new RedAlert ransomware that targets Windows and Linux VMware ESXi servers, as well as the Symbiote Linux malware that information security experts described as almost undetectable.

“The framework has both passive and active capabilities for communicating with the attacker, including opening SSH on the infected machine, as well as a polymorphic and flexible configuration for C&C,” says Intezer specialist Ryan Robinson.

It appears that the malware has not yet been used in real attacks, but the researchers managed to study some of its components, and they say that the rest “still needs to be found and analyzed.”

The Lightning Framework has a fairly simple structure: a loader component (kbioset) downloads and installs the other malware modules and plugins on the compromised device, including the core module (kkdmflush).


The core module's main tasks are to establish communication with the command-and-control manager, receive the commands needed to run the various plugins, and hide the malware's presence on the compromised machine. For example, it uses typosquatting to disguise itself, posing as the Seahorse password and key manager.

Other cloaking methods include timestomping (altering the timestamps of malicious artifacts) and hiding the malware's PID and any associated network ports with one of several rootkits that the Lightning Framework can deploy. The malware gains persistence by creating a script called elastisearch in /etc/rc.d/init.d/, which runs at every system boot and launches the loader module again to re-infect the device.

In addition, the Lightning Framework adds its own SSH-based backdoor to the infected system: it launches an SSH server through one of the downloaded plugins (Linux.Plugin.Lightning.Sshd), which lets the attackers connect to infected machines over SSH with their own SSH keys.
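As an added defender-side example (not from Intezer's report or this article), the Python script below reviews /etc/rc.d/init.d for the two tells described above: a script name one edit away from a legitimate service name, as with the reported "elastisearch", and a modification time backdated far behind the inode change time, which is what timestomping via utime() leaves behind. The known-name list and the one-hour slack are assumptions.

```python
from pathlib import Path
from typing import List, Optional, Tuple

# Service names the Lightning Framework is reported to imitate (the init
# script "elastisearch" stands in for elasticsearch; the core module poses
# as the Seahorse key manager). The list itself is an assumption here.
KNOWN_NAMES = ("elasticsearch", "seahorse")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(name: str, known=KNOWN_NAMES) -> Optional[str]:
    """Return the legitimate name that `name` is one edit away from; an exact match is not flagged."""
    for k in known:
        if name.lower() != k and edit_distance(name.lower(), k) == 1:
            return k
    return None

def timestomped(mtime: float, ctime: float, slack: float = 3600.0) -> bool:
    """utime()/touch can rewrite mtime, but the kernel sets ctime itself on
    every inode change, so an mtime far older than ctime is a backdating
    signal (or a copy made with preserved timestamps; either way, worth a look)."""
    return ctime - mtime > slack

def review_entries(entries: List[Tuple[str, float, float]]) -> List[Tuple[str, str]]:
    """entries: (file name, mtime, ctime). Returns (name, reason) findings."""
    findings = []
    for name, mtime, ctime in entries:
        target = typosquat_of(name)
        if target:
            findings.append((name, "name is one edit from " + target))
        if timestomped(mtime, ctime):
            findings.append((name, "mtime predates ctime by more than an hour"))
    return findings

def scan_init_dir(directory: str = "/etc/rc.d/init.d") -> List[Tuple[str, str]]:
    """Collect name and timestamps for every entry in the init directory and review them."""
    entries = []
    for p in Path(directory).iterdir():
        st = p.lstat()  # lstat: do not follow symlinks planted in the directory
        entries.append((p.name, st.st_mtime, st.st_ctime))
    return review_entries(entries)
```

Run scan_init_dir() as root on a host you are checking; an empty list means neither heuristic fired, not that the host is clean.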

“The Lightning Framework is an interesting piece of malware because it’s rare to see such a massive platform built for Linux. While we don’t have all the files, we can conclude about some of the missing features based on the lines and code of the modules we have,” Robinson summarizes.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
