New Undetected Swiss Army Knife Linux Malware Installs Rootkits, Backdoors

The Lightning Framework is a new malware that has previously gone undetected and targets Linux systems with its malicious code. Infected devices can be backdoored using SSH using this program as well as multiple types of rootkits can be deployed with it.

Lightning Framework is described as a ‘Swiss Army Knife’ by the experts of Intezer security firm. Because of its modularity, as well as its support for plugins, it has been described as a ‘Swiss Army Knife.’

In addition, some of its components have not yet been found or analyzed, so there is still a long way to go before the experts can uncover this malware in the wild.

Technical Analysis

In addition to being built in a simple way, Lightning Framework is integrated with typosquatting. It is important to know that Lightning Framework uses a disguised identity to evade detection on installed systems by masquerading as Seahorse GNOME password manager and encryption key manager.

Lightning Framework pulls its core module and plugins after it retrieves the information from its core module’s configuration file. This is stored in a configuration file that is undetectable and polymorphic encoded, used to communicate with the C2 server.

As the primary module of the framework, the core module (kkdmflush) is the module that is responsible for receiving commands from the malware’s command and control server and is also responsible for executing the plugins of the malware.

By using an SSH server that is started from one of the downloaded plugins (Linux.Plugin.Lightning.Sshd), the malware adds its own SSH-based backdoor.

Plugins Used

Here below we have mentioned all the plugins used by the malware:-

• Linux.Plugin.Lightning.SsHijacker
• Linux.Plugin.Lightning.Sshd
• Linux.Plugin.Lightning.Nethogs
• Linux.Plugin.Lightning.iftop
• Linux.Plugin.Lightning.iptraf
• Lightning.Core

Commands Used

Here below we have mentioned all the commands used along with their description:-

• SystemInfo: Fingerprints the machine
• PureShellCommand: Runs Shell command
• RunShellPure: Starts the Linux.Plugin.Lightning.Sshd (SSH Daemon) plugin
• CloseShellPure: Terminates the Linux.Plugin.Lightning.Sshd plugin
• Disconnect: Exits the Core module
• GetRemotePathInfo: Collects the summary of given path
• KeepAlive: No action, connection remains alive
• UploadFileHeader: Checks access of file
• FileEdit: Gets contents of file and time meta
• TryPassSSH: Adds a public key to the root/.ssh/authorized_keys file
• DeleteVecFile: Deletes the specified file or path
• PreDownloadFile: Calculates a checksum of the file
• DownloadFile: Sends a file to the C2
• DeleteGuid: Removes the framework
• UpdateVersion: Calls the Downloader module to update the framework
• UpdateRemoteVersion: Updates the framework including the downloader
• Socks5: Sets up a Socks5 proxy
• RestorePlug: The same as UpdateVersion
• GetDomainSetting: Fetches the contents of the malleable C2 configuration file (cpc)
• SetDomainSetting: Updates the contents of the malleable C2 configuration file (cpc)
• InstallKernelHide: Fetches the OS release
• RemoveKernelHide: Removes kernel module
• UpdateKernelVersion: Removes the kernel module and runs uname -r
• OverrideFile: Overwrites specified file
• UploadFileContent: Writes data sent from server to file
• LocalPluginRequest: Either write the LD_PRELOAD rootkit or LKM rootkit

As part of a recent malware strain that has surfaced, Lightning Framework is one of the latest strains to be identified. Using this malware variant, it is possible to completely compromise and backdoor a device.

There is no doubt that the discovery of Lightning Framework clearly illustrates the fact that Linux malware is being used more and more by threat actors in recent years.

You can follow us on Linkedin, Twitter