Intezer recently reported on Lightning Framework, a Linux malware with modular plugins and the ability to install rootkits.
- Lightning Framework is a modular malware targeting Linux machines.
- It has multiple plugins and is capable of installing rootkits.
- Lightning Framework uses multiple methods to evade detection.
Lightning Framework is an intricate modular malware developed to target Linux systems. It is capable of installing rootkits and running various plugins. Lightning Framework gives the threat actors options for both active and passive communication, including opening SSH on victim machines and a polymorphic C2 configuration. Lightning Framework includes several modules described below.
Lightning Framework Modules
Lightning.Downloader, named kbioset on disk, is a persistent module that downloads the core module and plugins. It also executes the core module. Lightning Framework uses typosquatting and masquerading to evade detection.
Lightning.Core, named kkdmflush on disk, is the main module. It receives commands from the C2 and executes plugin modules. It is capable of hiding artifacts to evade detection and masquerades as a kernel thread. This core module maintains persistence by creating a script that is executed on system boot. Core module commands include the following:
- SystemInfo - fingerprints the machine
- PureShellCommand - runs a shell command
- RunShellPure - starts the Linux.Plugin.Lightning.Sshd plugin
- CloseShellPure - terminates Linux.Plugin.Lightning.Sshd
- Disconnect - exits the core module
- GetRemotePathInfo - collects the summary of a given path
- KeepAlive - no action performed, but the connection remains alive
- UploadFileHeader - checks file access
- FileEdit - gets file contents and time meta
- TryPassSSH - adds a public key to root/.ssh/authorized_keys
- DeleteVecFile - deletes a file or path
- PreDownloadFile - calculates a file’s checksum
- DownloadFile - sends a file to the C2
- DeleteGuid - deletes Lightning Framework
- UpdateVersion - calls the Downloader module to update the framework
- UpdateRemoteVersion - updates the framework
- Socks5 - sets up a Socks5 proxy
- RestorePlug - performs the same as UpdateVersion
- GetDomainSetting - fetches malleable C2 configuration file contents
- SetDomainSetting - updates malleable C2 configuration file contents
- InstallKernelHide - fetches OS release
- RemoveKernelHide - removes kernel module
- UpdateKernelVersion - removes kernel module and runs uname -r
- OverrideFile - overwrites a file
- UploadFileContent - writes data sent from the server to a file
- LocalPluginRequest - writes the LD_PRELOAD rootkit or LKM rootkit
Linux.Plugin.Lightning.SsHijacker, named soss on disk, is referenced but not found.
Linux.Plugin.Lightning.Sshd, named sshod on disk, is OpenSSH with hardcoded private and host keys.
Linux.Plugin.Lightning.Nethogs, named nethoogs on disk, is referenced but not found. According to Intezer, it is presumably Nethogs.
Linux.Plugin.Lightning.iftop, named iftoop on disk, is referenced but not found. According to Intezer, it is presumably iftop.
Linux.Plugin.Lightning.iptraf, named iptraof on disk, is referenced but not found. According to Intezer, it is presumably IPTraf.
Linux.Plugin.RootkieHide, named libsystemd.so.2 on disk, is referenced but not found. Intezer notes it refers to LD_PRELOAD Rootkit.
Linux.Plugin.Kernel, named elasticsearch.ko on disk, is referenced but not found. Intezer notes it refers to LKM Rootkit.
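The module list above gives a defender three concrete things to look for on disk: the typosquatted file names, the LD_PRELOAD rootkit (which only works if a library is listed in /etc/ld.so.preload), and the TryPassSSH change to root's authorized_keys. The following script is an added example (not PolySwarm's or Intezer's code) that runs those checks over an offline filesystem snapshot. The module names come from the list above; the snapshot paths, the drop directory /tmp/.demo_drop, the preload contents and the key inventory are constructed test data, not values from real samples, and the system library directories are an assumed standard layout.

```python
"""Offline triage of a Linux filesystem snapshot for Lightning Framework artifacts.

Added example, not code from PolySwarm or Intezer. The on-disk names come from
the module list in the post; every path, preload line and SSH key below is
constructed test data (hypothetical), not taken from a real sample.
"""
from dataclasses import dataclass, field

# On-disk names the post reports for each module/plugin.
TYPOSQUAT_NAMES = {
    "kbioset": "Lightning.Downloader",
    "kkdmflush": "Lightning.Core",
    "soss": "Linux.Plugin.Lightning.SsHijacker",
    "sshod": "Linux.Plugin.Lightning.Sshd",
    "nethoogs": "Linux.Plugin.Lightning.Nethogs",
    "iftoop": "Linux.Plugin.Lightning.iftop",
    "iptraof": "Linux.Plugin.Lightning.iptraf",
    "elasticsearch.ko": "Linux.Plugin.Kernel (LKM rootkit)",
}
# libsystemd.so.2 is a real library name, so it is only suspicious outside the
# system library directories (assumption: a standard distro layout).
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


@dataclass
class Snapshot:
    paths: list                        # regular files present in the image
    ld_so_preload: str = ""            # contents of /etc/ld.so.preload, "" if absent
    root_authorized_keys: list = field(default_factory=list)


def _basename(path):
    return path.rsplit("/", 1)[-1]


def find_typosquats(paths):
    """Flag files whose basename matches a reported masquerading name."""
    hits = []
    for p in paths:
        name = _basename(p)
        if name in TYPOSQUAT_NAMES:
            hits.append((p, TYPOSQUAT_NAMES[name]))
        elif name == "libsystemd.so.2" and not p.startswith(SYSTEM_LIB_DIRS):
            hits.append((p, "Linux.Plugin.RootkieHide (LD_PRELOAD rootkit)"))
    return hits


def find_preload_entries(ld_so_preload):
    """Every library in /etc/ld.so.preload deserves review; entries outside the
    system lib dirs are returned with suspicious=True."""
    entries = []
    for line in ld_so_preload.splitlines():
        lib = line.strip()
        if not lib or lib.startswith("#"):
            continue
        entries.append((lib, not lib.startswith(SYSTEM_LIB_DIRS)))
    return entries


def find_unexpected_root_keys(authorized_keys, inventory):
    """TryPassSSH appends a public key to root's authorized_keys; report every
    key line that is not in the defender's inventory of approved keys."""
    approved = {k.strip() for k in inventory}
    return [k for k in authorized_keys if k.strip() and k.strip() not in approved]


def triage(snapshot, key_inventory):
    return {
        "typosquats": find_typosquats(snapshot.paths),
        "preload": find_preload_entries(snapshot.ld_so_preload),
        "rogue_root_keys": find_unexpected_root_keys(
            snapshot.root_authorized_keys, key_inventory),
    }


# Constructed snapshot for demonstration; /tmp/.demo_drop is a hypothetical
# drop directory, and both keys are placeholders.
DEMO_SNAPSHOT = Snapshot(
    paths=[
        "/usr/lib/x86_64-linux-gnu/libsystemd.so.2",  # legitimate copy
        "/tmp/.demo_drop/kbioset",                    # downloader, masquerading name
        "/tmp/.demo_drop/kkdmflush",                  # core module
        "/tmp/.demo_drop/sshod",                      # bundled OpenSSH with hardcoded keys
        "/tmp/.demo_drop/libsystemd.so.2",            # typosquatted LD_PRELOAD rootkit
        "/usr/sbin/sshd",
    ],
    ld_so_preload="/tmp/.demo_drop/libsystemd.so.2\n",
    root_authorized_keys=[
        "ssh-ed25519 AAAAEXAMPLEADMINKEY admin@corp",
        "ssh-rsa AAAAEXAMPLEROGUEKEY",
    ],
)
DEMO_INVENTORY = ["ssh-ed25519 AAAAEXAMPLEADMINKEY admin@corp"]

if __name__ == "__main__":
    for category, findings in triage(DEMO_SNAPSHOT, DEMO_INVENTORY).items():
        print(category)
        for finding in findings:
            print("   ", finding)
```

Name matching is deliberately the weakest of the three checks, since a later build can rename the files; the ld.so.preload review and the authorized_keys inventory comparison catch the behaviour rather than the name and remain useful after a rename.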
Lightning Framework C2 Communication
The Core and Downloader modules communicate with the C2 over TCP sockets, with the data structured as JSON. C2 information is stored in a polymorphic encoded configuration file that is unique each time it is created, so file hashes cannot be used to detect it. The threat actor can also choose passive communication by executing the RunShellPure command, which uses the Linux.Plugin.Lightning.Sshd plugin to start an SSH service on the victim machine. That OpenSSH daemon has hardcoded private and host keys, allowing the threat actor to SSH into the machine with their own SSH key, creating a secondary backdoor.
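Because the configuration file is polymorphic, host-side detection has to lean on behaviour rather than hashes. Two behaviours named in this post and in the Core module description are visible in the process table: a userland binary masquerading as a kernel thread, and a second SSH daemon (sshod) listening on the host. The script below is an added example (not PolySwarm's or Intezer's code) that applies both checks to process records of the kind /proc exposes. The records, the /tmp/.demo_drop directory and the listening ports are constructed; the expected location of the system OpenSSH binary is an assumption.

```python
"""Process-side triage for two Lightning Framework behaviours: the core module
masquerading as a kernel thread, and the passive-communication backdoor (a
bundled OpenSSH daemon listening on the host).

Added example, not code from PolySwarm or Intezer. The process records are
constructed to mimic what /proc exposes (pid, ppid, comm, exe link target,
listening TCP ports); nothing here comes from a real sample.
"""
from dataclasses import dataclass, field

KTHREADD_PID = 2                       # every genuine kernel thread descends from kthreadd
EXPECTED_SSHD_EXE = "/usr/sbin/sshd"   # assumption: where the system OpenSSH lives
# Common kernel-thread name prefixes (a subset; extend for your kernel).
KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "migration", "rcu_", "kswapd", "kdmflush")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str                 # /proc/<pid>/comm
    exe: str                  # readlink(/proc/<pid>/exe); "" for kernel threads
    listening: list = field(default_factory=list)   # TCP ports in LISTEN state


def looks_like_kernel_thread(comm):
    # ps prints kernel threads in brackets; comm itself normally lacks them.
    return comm.strip("[]").startswith(KTHREAD_PREFIXES)


def fake_kernel_threads(procs):
    """A real kernel thread has no exe link and is a child of kthreadd. A userland
    process borrowing a kernel-thread name fails at least one of those checks,
    and a child of kthreadd that does have an exe link is equally wrong."""
    suspects = []
    for p in procs:
        if p.pid == KTHREADD_PID:
            continue
        claims_kernel = looks_like_kernel_thread(p.comm) or p.ppid == KTHREADD_PID
        if claims_kernel and (p.exe or p.ppid != KTHREADD_PID):
            suspects.append(p)
    return suspects


def rogue_ssh_daemons(procs, expected_exe=EXPECTED_SSHD_EXE):
    """Listening processes that present as an SSH daemon but do not run from the
    expected system binary; the sshod plugin is exactly that."""
    suspects = []
    for p in procs:
        if not p.listening:
            continue
        name = p.exe.rsplit("/", 1)[-1] if p.exe else p.comm
        if name.startswith("ssh") and p.exe != expected_exe:
            suspects.append(p)
    return suspects


def triage_processes(procs):
    return {
        "fake_kernel_threads": [p.pid for p in fake_kernel_threads(procs)],
        "rogue_ssh_daemons": [p.pid for p in rogue_ssh_daemons(procs)],
    }


# Constructed process table (hypothetical pids, paths and ports).
DEMO_PROCS = [
    Proc(2, 0, "kthreadd", ""),
    Proc(15, 2, "kworker/0:1", ""),                                  # genuine kernel thread
    Proc(700, 1, "sshd", "/usr/sbin/sshd", [22]),                    # system OpenSSH
    Proc(900, 1, "nginx", "/usr/sbin/nginx", [80]),
    Proc(4242, 1, "kworker/u8:3", "/tmp/.demo_drop/kkdmflush"),      # userland binary with a kernel-thread name
    Proc(4300, 4242, "sshod", "/tmp/.demo_drop/sshod", [2222]),      # bundled sshd with hardcoded keys
]

if __name__ == "__main__":
    for category, pids in triage_processes(DEMO_PROCS).items():
        print(f"{category}: {pids}")
```

On a live host the same records come from readlink on /proc/<pid>/exe (which fails for kernel threads), the PPid field of /proc/<pid>/status, and the LISTEN sockets mapped back to pids. The kernel-thread check is the more durable of the two, since it keys on a property the masquerade cannot fake from userland rather than on a name.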
Intezer stated they had not yet observed Lightning Framework being used for attacks in the wild.
PolySwarm has multiple samples associated with Lightning Framework.
You can use the following CLI command to search for all LightningFramework samples in our portal:
$ polyswarm link list -f LightningFramework
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.