The software program framework has grow to be important to growing nearly all advanced software program lately. The Django Net framework, as an illustration, bundles all of the libraries, picture recordsdata, and different elements wanted to shortly construct and deploy net apps, making it a mainstay at firms like Google, Spotify, and Pinterest. Frameworks present a platform that performs frequent capabilities like logging and authentication shared throughout an app ecosystem.
Final week, researchers from safety agency Intezer revealed the Lightning Framework, a modular malware framework for Linux that has gone undocumented till now. Lightning Framework is post-exploit malware, which means it will get put in after an attacker has already gained entry to a focused machine. As soon as put in, it may present a number of the similar efficiencies and velocity to Linux compromises that Django gives for net growth.
“It’s uncommon to see such an intricate framework developed for focusing on Linux programs,” Ryan Robinson, a safety researcher at Intezer, wrote in a put up. “Lightning is a modular framework we found that has a plethora of capabilities, and the flexibility to put in a number of kinds of rootkit, in addition to the aptitude to run plugins.”
Lightning consists of a downloader named Lightning.Downloader and a core module named Lightning.Core. They hook up with a chosen command and management server to obtain software program and obtain instructions, respectively. Customers can then run any of at the very least seven modules that do every kind of different nefarious issues. Capabilities embody each passive and lively communications with the risk actor, together with opening a safe shell on the contaminated machine and a polymorphic malleable command.
The framework has each passive and lively capabilities for communication with the risk actor, together with opening up SSH on an contaminated machine, and assist for connecting to command and management servers that use malleable profiles. Malware frameworks have existed for years, however there aren’t many who present a lot complete assist for the hacking of Linux machines.
In an e mail, Robinson stated Intezer discovered the malware on VirusTotal. He wrote:
The entity that submitted it seems to be associated to a Chinese language manufacturing organisation that makes small motor home equipment. We discovered this based mostly on different submissions from the identical submitter. I fingerprinted the server that we used to determine the corporate and so they have been certainly utilizing Centos (which the malware was compiled for). However this nonetheless shouldn’t be stable sufficient to conclude that they have been the targets or contaminated with the malware. We’ve not realized something new because the publication. The perfect factor which we hope to seek out is without doubt one of the encrypted malleable C2 configuration profiles. It could give us community IOCs to carry out pivoting off.
Intezer was in a position to receive elements of the framework however not all the pieces. From the recordsdata the corporate researchers have been in a position to analyze, they might infer the presence of different modules. The corporate offered the next overview:
|Title||Title on Disk||Description|
|Lightning.Downloader||kbioset||The persistent module that downloads the core module and its plugins|
|Lightning.Core||kkdmflush||The principle module of the Lightning Framework|
|Linux.Plugin.Lightning.SsHijacker||soss||There’s a reference to this module however no pattern discovered within the wild but.|
|Linux.Plugin.Lightning.Sshd||sshod||OpenSSH with hardcoded personal and host keys|
|Linux.Plugin.Lightning.Nethogs||nethoogs||There’s a reference to this module however no pattern discovered within the wild but. Presumably the software program Nethogs|
|Linux.Plugin.Lightning.iftop||iftoop||There’s a reference to this module however no pattern discovered within the wild but. Presumably the software program iftop|
|Linux.Plugin.Lightning.iptraf||iptraof||There’s a reference to this module however no pattern discovered within the wild but. Presumably the software program IPTraf|
|Linux.Plugin.RootkieHide||libsystemd.so.2||There’s a reference to this module however no pattern discovered within the wild but. LD_PRELOAD Rootkit|
|Linux.Plugin.Kernel||elastisearch.ko||There’s a reference to this module however no pattern discovered within the wild but. LKM Rootkit|
To date there aren’t any identified situations of the Lightning Framework being actively used within the wild. Then once more, given the abundance of obtainable capabilities, state-of-the-art stealth is undoubtedly a part of the package deal.