Lightning Framework, the newest malware threat for Linux OS

August 2, 2022

Researchers monitoring devices that run Linux operating systems have spotted the Lightning Framework malware. According to reports, this malware went largely unnoticed until a research group analysed a sample rootkit.

The newly discovered framework can be used to backdoor machines via SSH and to deploy several types of rootkits.

Lightning Framework is modular malware that includes both active and passive tools for communicating with its operators. As of now, the researchers have not yet uncovered the operator-side components that are referenced in its source code.

They did determine, however, that Lightning Framework uses typosquatting: it impersonates a component affiliated with the Seahorse GNOME password and encryption key manager to evade security detection on compromised systems.

Lightning Framework includes a downloader and a core.


The researchers’ analysis revealed that Lightning Framework contains two main modules: Lightning[.]Core and Lightning[.]Downloader. Lightning[.]Downloader is the component that downloads and installs the other plugins and modules.

Lightning[.]Core, on the other hand, is the main module of the framework. Its primary function is to receive commands from the command-and-control server and run the framework’s plugins.

The framework also supports several downloadable plugins, including Linux.Plugin.Kernel, Linux.Plugin.Lightning.iptraf, and Linux.Plugin.RootkieHide, among others.

Furthermore, the framework’s modules use several strategies to hide their artefacts and stay undetected on the infected system for an extended period. This allows the framework to establish persistence and carry out further infections.

One hiding method is time stomping: the operators alter the timestamps of the malicious artefacts. The framework can also hide its process ID and the related network ports by using one of the rootkits it launches.

To establish persistence, the framework creates a script called elastisearch at a particular location; the script runs every time the infected system boots, launching the downloader module and reinfecting the device.
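The two persistence and evasion traits described above, a boot script whose name resembles a legitimate service (elastisearch versus elasticsearch) and time-stomped timestamps, both leave marks a defender can check for. The following is an added detection example written for this article, not code from the researchers or from the malware; the list of legitimate service names, the scanned directory, and the one-hour gap threshold are assumptions. It relies on the fact that a file’s inode change time (ctime) cannot be set from user space, so an mtime that is much older than ctime indicates tampering.

```python
import os
import time
import difflib
import tempfile

# Legitimate names a boot script might imitate. The article reports a script
# called "elastisearch"; this list and the scanned directory are assumptions.
LEGIT_NAMES = sorted({"elasticsearch", "seahorse", "sshd", "cron"})

# Time stomping rewrites atime/mtime, but the inode change time (ctime) is
# set by the kernel and cannot be chosen from user space, so an mtime that
# predates ctime by more than this gap is suspicious (assumed threshold).
STOMP_GAP_SECONDS = 3600


def looks_typosquatted(name: str):
    """Return the legitimate name that `name` closely imitates, or None."""
    if name in LEGIT_NAMES:
        return None
    close = difflib.get_close_matches(name, LEGIT_NAMES, n=1, cutoff=0.85)
    return close[0] if close else None


def looks_time_stomped(path: str) -> bool:
    """Flag a file whose mtime is much older than its ctime."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > STOMP_GAP_SECONDS


def scan_boot_scripts(directory: str) -> list:
    """Return one finding per script that is typosquatted or time-stomped."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        imitates = looks_typosquatted(name)
        stomped = looks_time_stomped(path)
        if imitates or stomped:
            findings.append({"name": name, "imitates": imitates, "time_stomped": stomped})
    return findings


def make_sample_dir() -> str:
    """Constructed sample: one benign script and one back-dated look-alike."""
    directory = tempfile.mkdtemp(prefix="boot-scripts-")
    for name in ("cron", "elastisearch"):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("#!/bin/sh\n")
    old = time.time() - 30 * 86400  # mtime 30 days back; ctime stays "now"
    os.utime(os.path.join(directory, "elastisearch"), (old, old))
    return directory
```

Running `scan_boot_scripts` over a real init or rc directory instead of the constructed sample flags only the look-alike, back-dated script; a service whose name is in the allow-list and whose timestamps are consistent produces no finding.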

Experts can see how dangerous Lightning Framework is to Linux systems. This backdoor poses a significant threat to the devices it compromises and to the wider cybersecurity landscape. Cybersecurity experts therefore advise users to deploy reliable anti-malware solutions and to stay current with threat intelligence reports on emerging threats worldwide.
