Researchers from Intezer discovered a previously undetected malware, tracked as Lightning Framework, which targets Linux systems. The malicious code has a modular structure and is able to install rootkits.
“Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.” reads the report published by the experts. “It is rare to see such an intricate framework developed for targeting Linux systems.”
The Lightning Framework can install multiple types of rootkit and run different plugins. It is also able to open SSH access to an infected machine.
The framework is composed of a downloader and a core module; it can expand its capabilities using a number of plugins, some of which are open-source tools.
The main function of the downloader is to fetch the other components and execute the core module. The core module was designed to receive commands from the Command and Control (C2) server and execute the plugins.
This malware is yet to be spotted in the wild, and some of its components (referenced in the source code) are yet to be found and analyzed.
The malware uses typosquatting to evade detection: for example, the downloader masquerades as Seahorse, the GNOME password and encryption key manager.
Both the Core and Downloader modules communicate with the C2 over TCP sockets, exchanging data as JSON structures.
“The C2 is stored in a polymorphic encoded configuration file that is unique for every single creation. This means that configuration files will not be able to be detected through techniques such as hashes. The key is built into the start of the encoded file.” reads the analysis.
The framework can also use a passive mode of communication if the operators execute the RunShellPure command. This starts an SSH service on the infected machine using the Linux.Plugin.Lightning.Sshd plugin, an OpenSSH daemon with hardcoded private and host keys. The operators can then open an SSH session to the infected machine using their own SSH key.
Experts noticed that the malware also hides its presence by modifying malicious artifacts’ timestamps using timestomping. The files have their last modified time edited to match that of either whoami, find, or su. The framework also hides its Process ID (PID) and any related network ports using one of the rootkits it can deploy.
The core module achieves persistence by creating a script named elastisearch under /etc/rc.d/init.d/ that is executed at system boot. The name appears to typosquat elasticsearch.
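The two host artefacts described above (a typosquatted init script such as elastisearch, and files whose modification time was stomped to match whoami, find or su) can be hunted for with a small script. The following is an added example written for this page, not code from Intezer or the Security Affairs report; the edit-distance threshold, the choice of /tmp as the sample scan root and the set of legitimate names are assumptions.

```python
import os
import shutil

LEGIT_NAMES = ("elasticsearch",)                # name the persistence script imitates
REFERENCE_BINARIES = ("whoami", "find", "su")   # binaries whose mtimes the framework copies


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss names such as 'elastisearch'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquatted_scripts(init_dir: str, legit=LEGIT_NAMES, max_dist: int = 2) -> list:
    """Init-script names within max_dist edits of a legitimate name, but not equal to it."""
    return [(name, good) for name in sorted(os.listdir(init_dir)) for good in legit
            if name != good and edit_distance(name, good) <= max_dist]


def reference_mtimes(binaries=REFERENCE_BINARIES) -> dict:
    """Map each reference binary found on PATH to its mtime in whole seconds."""
    return {b: int(os.stat(shutil.which(b)).st_mtime) for b in binaries if shutil.which(b)}


def timestomp_matches(scan_dir: str, refs: dict) -> list:
    """Files under scan_dir whose mtime equals a reference binary's mtime. Weak signal:
    files installed from the same package as the reference binary share its mtime, so
    review hits against a known-good baseline rather than treating them as confirmed."""
    hits = []
    for root, _, files in os.walk(scan_dir):
        for f in files:
            path = os.path.join(root, f)
            try:
                mtime = int(os.lstat(path).st_mtime)
            except OSError:
                continue
            hits.extend((path, b) for b, ref in refs.items() if mtime == ref)
    return hits


if __name__ == "__main__":
    for init_dir in ("/etc/rc.d/init.d", "/etc/init.d"):   # both paths used by distros
        if os.path.isdir(init_dir):
            for name, good in typosquatted_scripts(init_dir):
                print(f"possible typosquat: {init_dir}/{name} (looks like {good})")
    for path, b in timestomp_matches("/tmp", reference_mtimes()):  # assumed sample root
        print(f"mtime matches {b}: {path}")
```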
“The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux. Although we do not have all the files, we can infer some of the missing functionality based on strings and code of the modules that we do possess.” concludes the report.