- A new Linux malware has been discovered by researchers at Intezer, an automated cyber-security company.
- The Lightning Framework malware can install several types of rootkits on targeted Linux systems.
- The malware has a modular architecture and can run plugins; Intezer describes it as “Swiss Army Knife-like” because of these capabilities.
Researchers at Intezer, an automated security company, have published a report on a new Linux malware. They named it Lightning Framework and describe it as “Swiss Army Knife-like” because of its modular architecture and its ability to install rootkits.
Different types of rootkits
Lightning Framework can install different types of rootkits and run plugins. It supports both active and passive modes of communication with the threat actor. The architecture of the malware and its modules are listed below:
| Name | Name on Disk | Description |
|---|---|---|
| Lightning.Downloader | kbioset | Persistent module that downloads the core module and its plugins |
| Lightning.Core | kkdmflush | Main module of the Lightning Framework |
| Linux.Plugin.Lightning.SsHijacker | soss | Referenced by the framework, but no sample has been found in the wild yet |
| Linux.Plugin.Lightning.Sshd | sshod | OpenSSH build with hardcoded private and host keys |
| Linux.Plugin.Lightning.Nethogs | nethoogs | Referenced, but no sample found in the wild yet; presumably the Nethogs tool |
| Linux.Plugin.Lightning.iftop | iftoop | Referenced, but no sample found in the wild yet; presumably the iftop tool |
| Linux.Plugin.Lightning.iptraf | iptraof | Referenced, but no sample found in the wild yet; presumably the IPTraf tool |
| Linux.Plugin.RootkieHide | libsystemd.so.2 | Referenced, but no sample found in the wild yet; an LD_PRELOAD rootkit |
| Linux.Plugin.Kernel | elastisearch.ko | Referenced, but no sample found in the wild yet; an LKM (loadable kernel module) rootkit |
The core module establishes communication with the C2 server and fetches the commands required to execute the plugins. It has many capabilities and uses several techniques to hide itself. It also creates a script that runs at system boot, which gives it persistence.
The Core and Downloader modules communicate over TCP sockets and exchange data as JSON. The C2 address is stored in a polymorphic encoded configuration file that is generated uniquely for each instance, so a single file hash or static signature for the configuration will not match across infections.
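The on-disk names in the module table are the most concrete indicators the report gives, so a first-pass host triage can be built around them. The script below is an added example written for this article, not Intezer's code or a published detection rule: it checks a file listing, the contents of /etc/ld.so.preload, and `lsmod` output against those names. The directory paths in the sample inputs (`/opt/.cache/…`) and the sample `lsmod` lines are constructed for offline demonstration; the report does not give install paths, so on a real host you would feed the functions the output of `find / -type f`, the real preload file, and the real `lsmod` output.

```python
import os
from typing import Dict, List, Tuple

# On-disk names taken from the module table above, mapped to the module they belong to.
LIGHTNING_FILE_NAMES: Dict[str, str] = {
    "kbioset": "Lightning.Downloader",
    "kkdmflush": "Lightning.Core",
    "soss": "Linux.Plugin.Lightning.SsHijacker",
    "sshod": "Linux.Plugin.Lightning.Sshd",
    "nethoogs": "Linux.Plugin.Lightning.Nethogs",
    "iftoop": "Linux.Plugin.Lightning.iftop",
    "iptraof": "Linux.Plugin.Lightning.iptraf",
}
# The user-mode rootkit masquerades as a systemd library, so its file name alone is
# weak evidence; the strong signal is that name appearing in the preload list.
PRELOAD_ROOTKIT = "libsystemd.so.2"
# lsmod prints the module name without the .ko suffix. Note the misspelling of
# "elasticsearch": a legitimate module with that name is not expected.
LKM_ROOTKIT_MODULE = "elastisearch"


def scan_file_listing(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, module) pairs whose basename matches a known on-disk name."""
    hits = []
    for p in paths:
        p = p.strip()
        base = os.path.basename(p)
        if base in LIGHTNING_FILE_NAMES:
            hits.append((p, LIGHTNING_FILE_NAMES[base]))
    return hits


def scan_ld_preload(preload_text: str) -> List[str]:
    """Return preload entries that point at the LD_PRELOAD rootkit name."""
    hits = []
    for line in preload_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if os.path.basename(line) == PRELOAD_ROOTKIT:
            hits.append(line)
    return hits


def scan_lsmod(lsmod_text: str) -> List[str]:
    """Return loaded module names matching the LKM rootkit name (skips the header row)."""
    hits = []
    for line in lsmod_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Module":
            continue
        if fields[0] == LKM_ROOTKIT_MODULE:
            hits.append(fields[0])
    return hits


def triage(paths: List[str], preload_text: str, lsmod_text: str) -> Dict[str, list]:
    """Combine the three checks into one report for the host."""
    return {
        "files": scan_file_listing(paths),
        "ld_preload": scan_ld_preload(preload_text),
        "kernel_modules": scan_lsmod(lsmod_text),
    }


def has_indicators(report: Dict[str, list]) -> bool:
    return any(report.values())


# Constructed sample inputs (assumed paths; not from the report).
SAMPLE_FILES = [
    "/usr/sbin/sshd",
    "/usr/bin/iftop",
    "/opt/.cache/kbioset",
    "/opt/.cache/kkdmflush",
    "/opt/.cache/sshod",
]
SAMPLE_PRELOAD = "# preload list\n/opt/.cache/libsystemd.so.2\n"
SAMPLE_LSMOD = (
    "Module                  Size  Used by\n"
    "elastisearch           16384  0\n"
    "xt_conntrack           16384  1\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE_FILES, SAMPLE_PRELOAD, SAMPLE_LSMOD)
    for section, hits in report.items():
        print(f"{section}: {hits}")
    print("indicators present:", has_indicators(report))
```

Treat a clean result as inconclusive rather than as proof of absence: once the LD_PRELOAD or LKM rootkit is active, `ls`, `find` and `lsmod` may themselves be filtered, so a negative result on a live host should be confirmed from a mounted image or a trusted boot medium.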