Insights, news, education and announcements from PolySwarm

Lightning Framework

Written by PolySwarm Tech Team | Sep 1, 2022 4:30:19 PM



Executive Summary

Intezer recently reported on Lightning Framework, a Linux malware with modular plugins and the ability to install rootkits.

Key Takeaways

  • Lightning Framework is a modular malware targeting Linux machines.
  • It has multiple plugins and is capable of installing rootkits. 
  • Lightning Framework uses multiple methods to evade detection.
What is Lightning Framework?

Lightning Framework is an intricate modular malware developed to target Linux systems. It is capable of installing rootkits and running various plugins. Lightning Framework gives the threat actors options for both active and passive communication, including opening SSH on victim machines and a polymorphic C2 configuration. Lightning Framework includes several modules described below.

Lightning Framework Modules

Lightning.Downloader
Lightning.Downloader, named kbioset on disk, is a persistent module that downloads the core module and plugins. It also executes the core module. Lightning Framework uses typosquatting and masquerading to evade detection.

Lightning.Core
Lightning.Core, named kkdmflush on disk, is the main module. It receives commands from the C2 and executes plugin modules. It is capable of hiding artifacts to evade detection and masquerades as a kernel thread. This core module maintains persistence by creating a script that is executed on system boot. Core module commands include the following:
  • SystemInfo - fingerprints the machine
  • PureShellCommand - runs Shell command
  • RunShellPure - starts the Linux.Plugin.Lightning.Sshd plugin
  • CloseShellPure -  terminates Linux.Plugin.Lightning.Sshd 
  • Disconnect - exits the core module
  • GetRemotePathInfo - collects the summary of a given path
  • KeepAlive - no action performed, but the connection remains alive
  • UploadFileHeader - checks file access
  • FileEdit - gets file contents and time meta
  • TryPassSSH - adds a public key to root/.ssh/authorized_keys
  • DeleteVecFile - deletes a file or path
  • PreDownloadFile - calculates a file’s checksum
  • DownloadFile - sends a file to the C2
  • DeleteGuid - deletes Lightning Framework
  • UpdateVersion - calls the Downloader module to update the framework
  • UpdateRemoteVersion - updates the framework
  • Socks5 - sets up a Socks5 proxy
  • RestorePlug - performs the same as UpdateVersion
  • GetDomainSetting - fetiches malleable C2 configuration file contents
  • SetDomainSetting - updates malleable C2 configuration file contents
  • InstallKernelHide - fetches OS release 
  • RemoveKernelHide - removes kernel module
  • UpdateKernelVersion - removes kernel module and runs uname -r
  • OverrideFile - overwrites a file
  • UploadFileContent - writes data sent from the server to a file
  • LocalPluginRequest - writes the LD_PRELOAD rootkit or LKM rootkit

Linux.Plugin.Lightning.SsHijacker
Linux.Plugin.Lightning.SsHijacker, named soss on disk, is referenced but not found.

Linux.Plugin.Lightning.Sshd
Linux.Plugin.Lightning.Sshd, named sshod on disk, is OpenSSH with hardcoded private and host keys.

Linux.Pugin.Lightning.Nethogs
Linux.Pugin.Lightning.Nethogs, named nethoogs on disk, is referenced but not found. According to Intezer, it is presumably Nethogs.

Linux.Plugin.Lightning.iftop
Linux.Plugin.Lightning.iftop, named iftoop on disk, is referenced but not found. According to Intezer, it is presumably iftop.

Linux.Plugin.Lightning.iptraf
Linux.Plugin.Lightning.iptraf, named iptraof on disk, is referenced but not found. According to Intezer, it is presumably IPTraf.

Linux.Plugin.RootkieHide
Linux.Plugin.RootkieHide, named libsystemd.so.2 on disk, is referenced but not found. Intezer notes it refers to LD_PRELOAD Rootkit.

Linux.Plugin.Kernel
Linux.Plugin.Kernel, named elasticsearch.ko on disk, is referenced but not found. Intezer notes it refers to LKM Rootkit.

Lightning Framework C2 Communication

The Core and Downloader modules communicate with the C2 over TCP sockets, with the data structured in JSON. C2 information is stored in a polymorphic encoded configuration file that is unique each time it is created. This makes the configuration file difficult to detect, as hashes cannot be used for detection. The threat actor can also choose to use passive communication by executing the RunShellPure command. This uses the Linux.Plugin.Lightning.Sshd to start an SSH service on the victim machine. The OpenSSH daemon  has hardcoded private and host keys, allowing the threat actor to SSH into the machine with their own SSH key, creating a secondary backdoor.

Intezer stated they had not yet observed Lightning Framework being used for attacks in the wild.

IOCs

PolySwarm has multiple samples associated with Lightning Framework.

48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7 

ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237

fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e


You can use the following CLI command to search for all LightningFramework samples in our portal:

$ polyswarm link list -f LightningFramework

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
View full post