Analysts at Intezer call the new Linux malware Lightning Framework a real “Swiss Army knife” because of its modular architecture and its ability to install rootkits and backdoors.
“The framework has both passive and active capabilities for communicating with the attacker, including opening SSH on the infected machine, as well as polymorphic and flexible configuration for C&C,” says Intezer specialist Ryan Robinson.
The malware does not yet appear to have been seen in real-world attacks. The researchers were able to study some of its components and say that the rest “still need to be found and analyzed.”
Lightning Framework has a fairly simple structure: a downloader/loader component (kbioset) fetches and installs the other malware modules and plugins on the compromised host, including the core module (kkdmflush).
The core module's job is to establish communication with the command-and-control server, receive the commands needed to run the various plugins, and hide the framework's presence on the compromised machine. For example, it relies on typosquatting to blend in, masquerading as the Seahorse password and key manager.
Other evasion methods include timestomping (rewriting the timestamps of malicious artifacts so they look like neighbouring files) and hiding the framework's PID and any associated network ports with one of several rootkits that Lightning Framework can deploy. For persistence, the malware creates a script called elastisearch (a typosquat of elasticsearch) in /etc/rc.d/init.d/; it executes at every system boot and runs the loader module again to re-infect the device.
Lightning Framework also adds its own SSH-based backdoor to the infected system: one of the downloaded plugins (Linux.Plugin.Lightning.Sshd) starts an SSH server on the host, which lets the attackers log in to infected machines over SSH with their own SSH keys.
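The three evasion tricks described above (a typosquatted init script, timestomped artifacts, and a rootkit hiding PIDs from /proc) each leave a seam a responder can check from the host. The script below is an added example, not Intezer's code and not part of the framework: the list of legitimate service names, the timestomp thresholds and the sample init directory it builds are all constructed assumptions, and the PID check works on the live host it runs on.

```python
# Added example (not Intezer's or the framework's code): host triage for the
# typosquatting, timestomping and PID hiding described above. The service-name
# list, thresholds and sample tree are constructed assumptions.
import errno
import os
import tempfile

KNOWN_SERVICES = {"elasticsearch", "sshd", "seahorse", "crond", "network"}  # assumed


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(names, known=KNOWN_SERVICES, max_dist=2):
    """Names within max_dist edits of a legitimate name but not equal to it.
    'elastisearch' is one deletion from 'elasticsearch', so it is flagged;
    exact matches are trusted here (verify them via the package manager)."""
    hits = []
    for name in names:
        if name in known:
            continue
        closest = min(known, key=lambda k: levenshtein(name, k))
        dist = levenshtein(name, closest)
        if dist <= max_dist:
            hits.append((name, closest, dist))
    return hits


def timestomp_indicators(path, tolerance_s=60):
    """Signs that mtime was rewritten (touch -r, utimes()). utimes() cannot set
    ctime while a real write updates both, so mtime far older than ctime means
    mtime was set after the last change; whole-second tools also leave the
    nanosecond field at zero. Archive-extracted files trip both: leads, not proof."""
    st = os.stat(path)
    reasons = []
    if st.st_ctime - st.st_mtime > tolerance_s:
        reasons.append("mtime is %.0fs older than ctime" % (st.st_ctime - st.st_mtime))
    if st.st_mtime_ns % 1_000_000_000 == 0:
        reasons.append("mtime has zero nanoseconds")
    return reasons


def kernel_says_exists(pid):
    """kill(pid, 0) sends nothing but reports whether the PID exists:
    ESRCH means no such process, EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except OSError as e:
        return e.errno != errno.ESRCH
    return True


def hidden_pids(listed, exists, pid_range):
    """PIDs the kernel admits exist but a /proc listing omits. A rootkit that
    filters readdir() on /proc hides entries from ps; it rarely hooks kill().
    Processes started between listing and probing also appear: rerun to confirm."""
    return sorted(p for p in pid_range if p not in listed and exists(p))


def hidden_pids_live():
    """Run the /proc-versus-kill() comparison against this host."""
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return hidden_pids(listed, kernel_says_exists, range(1, pid_max))


def build_sample_tree():
    """Constructed sample: a typosquatted init script whose mtime is pushed back
    to 2020 (whole seconds) while ctime stays now, beside a clean 'sshd' script."""
    initd = os.path.join(tempfile.mkdtemp(prefix="lightning_sample_"), "init.d")
    os.makedirs(initd)
    for name in ("elastisearch", "sshd"):
        with open(os.path.join(initd, name), "w") as f:
            f.write("#!/bin/sh\n")
    os.utime(os.path.join(initd, "elastisearch"), (1_600_000_000, 1_600_000_000))
    return initd


def triage_init_dir(initd):
    """Apply both file checks to every entry of an init directory (e.g. /etc/rc.d/init.d)."""
    names = sorted(os.listdir(initd))
    stomped = {n: timestomp_indicators(os.path.join(initd, n)) for n in names}
    return {"typosquats": typosquat_candidates(names),
            "timestomped": {n: r for n, r in stomped.items() if r}}


if __name__ == "__main__":
    print(triage_init_dir(build_sample_tree()))
    print("PIDs hidden from /proc on this host:", hidden_pids_live())
```

Point `triage_init_dir` at the real /etc/rc.d/init.d/ (or /etc/init.d/) to run it on a host. The PID comparison only sees the PID namespace it runs in, so run it on the host rather than inside a container, and treat a hit from any of the three checks as a lead to pull the file or process for analysis, not as proof on its own.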
“Lightning Framework is an interesting piece of malware because it’s rare to see such a massive platform built for Linux,” Robinson summarizes. “While we don’t have all the files, we can infer some of the missing features based on the strings and code of the modules we have.”
Research like this shows how important it is to check operating systems for vulnerabilities and verify that they show no signs of compromise.