The software framework has become indispensable for the development of almost all complex software nowadays. For example, the Django web framework bundles together all the libraries, image files, and other components needed to quickly build and deploy web apps, making it a mainstay for companies like Google, Spotify, and Pinterest. Frameworks provide a platform that performs common functions like logging and authentication that are shared across an app ecosystem.
Last week, researchers at security firm Intezer unveiled the Lightning Framework, a previously undocumented modular malware framework for Linux. Lightning Framework is post-exploit malware, meaning it is installed after an attacker has already gained access to a targeted computer. Once installed, it can offer some of the same efficiencies and speeds for Linux compromises that Django offers for web development.
“It’s rare that such a complicated framework has been developed for Linux systems,” wrote Ryan Robinson, a security researcher at Intezer, in a post. “Lightning is a modular framework that we discovered that has a wealth of features and the ability to install multiple types of rootkits as well as run plugins.”
Lightning consists of a downloader called Lightning.Downloader and a core module called Lightning.Core. They connect to a designated command-and-control server to download software or receive commands. Operators can then run any of at least seven modules that do all sorts of other nefarious things. Its capabilities include both passive and active communication with the attacker, including opening a secure shell on the infected computer, and a polymorphic, malleable command-and-control configuration.
The framework's passive and active channels to the attacker include opening SSH on an infected computer, and it supports connecting to command-and-control servers using flexible profiles. Malware frameworks have been around for years, but there aren't many that offer such comprehensive support for compromising Linux machines.
In an email, Robinson said Intezer found the malware on VirusTotal. He wrote:
The company that submitted it appears to be affiliated with a Chinese manufacturing company that makes small power tools. We’ve seen this in other submissions from the same submitter. I fingerprinted the server that we used to identify the company and they actually used CentOS (which the malware was compiled for). However, this is still not solid enough to conclude that they were the targets or were infected with the malware. We haven’t learned anything new since publication. The ideal we hope to find is one of the scrambled C2 malleable configuration profiles. It would give us network IOCs to pivot off.
Intezer was able to source parts of the framework, but not all. From the files that the company’s researchers were able to analyze, they were able to infer the presence of other modules. The company gave the following overview:
| Name | Name on disk | Description |
|---|---|---|
| Lightning.Downloader | kbioset | The persistent module that downloads the core module and its plugins |
| Lightning.Core | kkdmflush | The main module of the Lightning Framework |
| Linux.Plugin.Lightning.SsHijacker | soss | There is a reference to this module but no specimen found in the wild yet. |
| Linux.Plugin.Lightning.Sshd | shod | OpenSSH with hardcoded private and host keys |
| Linux.Plugin.Lightning.Nethogs | Nethoogs | There is a reference to this module but no specimen found in the wild yet. Probably the software Nethogs |
| Linux.Plugin.Lightning.iftop | iftoop | There is a reference to this module but no specimen found in the wild yet. Probably the software iftop |
| Linux.Plugin.Lightning.iptraf | iptraof | There is a reference to this module but no specimen found in the wild yet. Probably the software IPTraf |
| Linux.Plugin.RootkieHide | libsystemd.so.2 | There is a reference to this module but no specimen found in the wild yet. LD_PRELOAD rootkit |
| Linux.Plugin.Kernel | elasticsearch.ko | There is a reference to this module but no specimen found in the wild yet. LKM rootkit |
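A defender-side hunt for the on-disk names in the table above, added here as an example that is neither Intezer's tooling nor code from the article. It assumes the LKM registers under its filename stem (`elasticsearch`) and treats `libsystemd.so.2`, a legitimate library name, as suspicious only when it appears in a preload list; the sample inputs are constructed.

```python
"""Check a host's file listing, preload configuration and loaded kernel modules
for the Lightning Framework component names listed in the table above."""
import os
import re
from typing import Iterable

# On-disk name -> component, taken from the table (lookalike spellings are the malware's).
LIGHTNING_NAMES = {
    "kbioset": "Lightning.Downloader",
    "kkdmflush": "Lightning.Core",
    "soss": "Linux.Plugin.Lightning.SsHijacker",
    "shod": "Linux.Plugin.Lightning.Sshd",
    "Nethoogs": "Linux.Plugin.Lightning.Nethogs",
    "iftoop": "Linux.Plugin.Lightning.iftop",
    "iptraof": "Linux.Plugin.Lightning.iptraf",
    "elasticsearch.ko": "Linux.Plugin.Kernel",
}
PRELOAD_NAME = "libsystemd.so.2"   # real library name; only a preload entry is suspicious
LKM_NAME = "elasticsearch"          # assumed module name for elasticsearch.ko (filename stem)

def scan_paths(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (path, component) for each path whose basename matches a listed module."""
    return [(p, LIGHTNING_NAMES[os.path.basename(p)])
            for p in paths if os.path.basename(p) in LIGHTNING_NAMES]

def scan_ld_preload(ld_so_preload: str, env_ld_preload: str = "") -> list[str]:
    """Return preload entries naming libsystemd.so.2 from the text of /etc/ld.so.preload
    (comments stripped) and an LD_PRELOAD value (colon- or space-separated)."""
    entries = [e for line in ld_so_preload.splitlines()
               for e in re.split(r"[\s:]+", line.split("#", 1)[0]) if e]
    entries += [e for e in re.split(r"[\s:]+", env_ld_preload) if e]
    return [e for e in entries if os.path.basename(e) == PRELOAD_NAME]

def scan_proc_modules(proc_modules: str) -> list[str]:
    """Return loaded module names (first column of /proc/modules) equal to the LKM name."""
    return [line.split()[0] for line in proc_modules.splitlines()
            if line.strip() and line.split()[0] == LKM_NAME]

def hunt(paths, ld_so_preload, proc_modules, env_ld_preload="") -> dict:
    """Combine the three checks into one findings dictionary (empty lists mean clean)."""
    return {"files": scan_paths(paths),
            "preload": scan_ld_preload(ld_so_preload, env_ld_preload),
            "modules": scan_proc_modules(proc_modules)}

if __name__ == "__main__":
    # Live run: read the host's own preload file, module list and a few directories.
    read = lambda p: open(p).read() if os.path.exists(p) else ""
    files = [os.path.join(d, f) for d in ("/usr/bin", "/usr/lib", "/tmp")
             if os.path.isdir(d) for f in os.listdir(d)]
    print(hunt(files, read("/etc/ld.so.preload"), read("/proc/modules"),
               os.environ.get("LD_PRELOAD", "")))
```

A hit on a file name alone is a lead, not proof: the lookalike names are short and the hashes needed to confirm a sample are not in this article.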
So far, no instances of the Lightning Framework are known to be actively used in the wild. Given the wealth of features available, cutting-edge camouflage is undoubtedly part of the package.