A previously undetected malware dubbed ‘Lightning Framework’ that targets Linux systems can be used to backdoor infected devices using SSH and deploy rootkits to cover the attackers’ tracks.
Described as a “Swiss Army Knife” in a report published today by Intezer, Lightning Framework is a modular malware that also comes with support for plugins.
“The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration,” Intezer security researcher Ryan Robinson said.
This malware is yet to be spotted in the wild, and some of its components (referenced in the source code) are yet to be found and analyzed.
Lightning Framework is built using a simple structure: a downloader component that will download and install the malware’s other modules and plugins, including its core module, on compromised Linux devices.
The malware uses typosquatting and will masquerade as the Seahorse GNOME password and encryption key manager to evade detection on infected systems.
After reaching out to its command-and-control (C2) server over TCP sockets using C2 info stored in undetectable polymorphic encoded configuration files, Lightning Framework fetches its plugins and the core module.
Figure: Lightning framework layout (Intezer)
This core module (kkdmflush) is the framework’s main module and is the one the malware uses to receive commands from its C2 server and to execute its plugins.
“The module has many capabilities and uses a number of techniques to hide artifacts to remain running under the radar,” Robinson added.
Other methods to hide its presence include altering malicious artifacts’ timestamps using timestomping and hiding its Process ID (PID) and any related network ports using one of several rootkits it can deploy.
It can also achieve persistence by creating a script named elastisearch under /etc/rc.d/init.d/ that gets executed on each system boot to launch the downloader module and reinfect the device.
Last but not least, this malware will also add its own SSH-based backdoor by starting an SSH server using one of the downloaded plugins (Linux.Plugin.Lightning.Sshd).
The newly launched OpenSSH daemon has hardcoded private and host keys, enabling attackers to SSH into the infected machines using their own SSH keys.
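The on-disk artifacts described above (the elastisearch init script, the kkdmflush core module and timestomped files) give a defender something concrete to sweep for. The following is an added example of such a sweep, not code from Intezer or from the report; the timestomping heuristic (a ctime far newer than mtime, since utime() cannot rewrite ctime) and its one-day threshold are assumptions, and the sample tree it scans is constructed, not a real infection.

```python
import os
import tempfile

# On-disk artifact names the report gives: the init script used for
# persistence and the core module (kkdmflush).
INIT_SCRIPT_REL = os.path.join("etc", "rc.d", "init.d", "elastisearch")
CORE_MODULE_NAME = "kkdmflush"
# Assumed heuristic threshold for timestomping: utime() rewrites mtime but
# not ctime, so a ctime far newer than mtime means the mtime was set back.
TIMESTOMP_GAP_SECONDS = 24 * 3600


def scan_tree(root):
    """Walk a filesystem root (or a mounted image) and return a list of
    (indicator, path) pairs for the artifacts described above."""
    findings = []
    init_path = os.path.join(root, INIT_SCRIPT_REL)
    if os.path.lexists(init_path):
        findings.append(("persistence-init-script", init_path))
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == CORE_MODULE_NAME:
                findings.append(("core-module-name", path))
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort
            if st.st_ctime - st.st_mtime > TIMESTOMP_GAP_SECONDS:
                findings.append(("possible-timestomp", path))
    return findings


def build_sample_tree():
    """Constructed sample tree (not a real infection): an init script with
    the reported name, a file named after the core module, and one file
    whose mtime has been pushed back to the epoch to mimic timestomping."""
    root = tempfile.mkdtemp(prefix="lf-sample-")
    init_dir = os.path.join(root, "etc", "rc.d", "init.d")
    bin_dir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(init_dir)
    os.makedirs(bin_dir)
    for path in (os.path.join(init_dir, "elastisearch"),
                 os.path.join(bin_dir, CORE_MODULE_NAME),
                 os.path.join(bin_dir, "libdemo.so")):
        open(path, "w").close()
    os.utime(os.path.join(bin_dir, "libdemo.so"), (0, 0))  # mtime -> epoch
    return root
```

Run `scan_tree("/")` on a live host or on a mounted image root; the timestomp heuristic will also flag legitimately old files restored from archives, so treat those hits as leads to review, not verdicts.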
“The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux,” Robinson concluded.
“Although we do not have all the files, we can infer some of the missing functionality based on strings and code of the modules that we do possess.”
Signs of a Linux malware surge?
Lightning Framework is just the latest Linux malware strain capable of fully compromising and backdooring devices that surfaced recently.
Intezer security researchers have also spotted OrBit, a stealthy malware that hijacks shared libraries to intercept function calls to steal information from backdoored Linux systems and infect all running processes.
Symbiote, another malware targeting Linux devices jointly analyzed by BlackBerry and Intezer researchers, acts as a system-wide parasite leaving no signs of infection and uses the same tactic to load itself into running processes.
Researchers have also spotted a stealthy backdoor named BPFDoor that has been targeting Linux and Solaris systems undetected for over five years, bypassing firewalls for remote access.
A fourth Linux malware strain, a rootkit dubbed Syslogk unveiled by Avast researchers last month, has the capability to force-load its modules into the Linux kernel, backdoor infected machines, and hide network traffic and artifacts to evade detection.
“Malware targeting Linux environments surged in 2021, with a large amount of innovation resulting in new malicious code, especially in ransomwares, trojans, and botnets,” Robinson said.
“With the rise in use of the cloud, it is no wonder that malware innovation is still accelerating at breakneck speed in this realm.”