A previously unknown malware, Lightning Framework, has been observed targeting Linux systems. The framework can be used to backdoor devices via SSH and deploy several kinds of rootkits.
Lightning Framework
- The malware opens SSH on an infected machine and supports a polymorphic, malleable command and control (C2) configuration. At this time, some components referenced in the source code are yet to be discovered.
- The framework uses typosquatting and masquerades as the Seahorse GNOME password and encryption key manager to avoid detection on infected systems.
Malware structure
Lightning Framework consists of two main modules, Lightning[.]Downloader and Lightning[.]Core.
- Lightning[.]Core is the main module of the framework; it receives commands from the C2 and executes its plugins.
- Lightning[.]Downloader is a downloader component that fetches and installs the other modules and plugins.
- The framework supports multiple downloadable plugins, including Linux.Plugin.RootkieHide, Linux.Plugin.Kernel, and Linux.Plugin.Lightning.iptraf, among others.
Additional capabilities
- Evasion techniques include tampering with the malicious artifacts' timestamps (timestomping) and hiding its process ID (PID) and related network ports using one of the deployed rootkits.
- For persistence, it creates a script named elastisearch in /etc/rc[.]d/init[.]d/ that runs every time the machine boots, executing the downloader module to re-infect the device.
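The two host artifacts above (a typosquatted init script and stomped timestamps) can be hunted for together. The following is an added defender-side example, not code from the report or the malware; the list of legitimate service names, the edit-distance threshold and the ctime/mtime gap are assumptions chosen for illustration.

```python
"""Flag init.d scripts whose name is a near miss of a known service and/or
whose mtime looks stomped.  Sample metadata below is constructed."""
import os
from typing import Iterable, List, NamedTuple, Optional

# Assumption: names a real init.d on this host is expected to contain.
KNOWN_SERVICES = {"elasticsearch", "sshd", "rsyslog", "crond", "network"}
STOMP_GAP_NS = 3600 * 10**9  # assumption: ctime more than 1h newer than mtime


class InitScript(NamedTuple):
    name: str
    mtime_ns: int  # settable from userland, so it can be stomped
    ctime_ns: int  # set by the kernel on inode change, not settable directly


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 'elastisearch' vs 'elasticsearch' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(name: str) -> Optional[str]:
    """Return the legitimate service this name imitates, or None."""
    if name in KNOWN_SERVICES:
        return None
    return next((s for s in KNOWN_SERVICES if edit_distance(name, s) <= 2), None)


def is_timestomped(s: InitScript) -> bool:
    """Whole-second mtime (typical of touch -t/-d) far older than ctime.
    Package-installed files show a similar gap, so treat this as a
    corroborating signal and cross-check package ownership (rpm -Vf, dpkg -S)."""
    return s.mtime_ns % 10**9 == 0 and s.ctime_ns - s.mtime_ns > STOMP_GAP_NS


def suspicious_init_scripts(scripts: Iterable[InitScript]) -> List[dict]:
    out = []
    for s in scripts:
        squat, stomped = typosquat_of(s.name), is_timestomped(s)
        if squat or stomped:
            out.append({"name": s.name, "imitates": squat, "timestomped": stomped})
    return out


def scan_directory(path: str = "/etc/rc.d/init.d") -> List[dict]:
    """Apply the checks to a live directory by stat()ing each entry."""
    st = {n: os.stat(os.path.join(path, n)) for n in os.listdir(path)}
    return suspicious_init_scripts(
        InitScript(n, s.st_mtime_ns, s.st_ctime_ns) for n, s in st.items())


SAMPLE = [  # constructed: one benign entry, one matching the described artifact
    InitScript("sshd", 1_650_000_000_123_456_789, 1_650_000_000_123_456_789),
    InitScript("elastisearch", 1_600_000_000_000_000_000, 1_658_000_000_123_456_789),
]
```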