Lightning Framework is a modular Linux malware framework, undetected at the time of Intezer's report, built from a downloader, a core component, and multiple plugins, including rootkit-capable components, that talk to the threat actor over a malleable C2 configuration. It relies on typosquatted file names (elastisearch, nethoogs, iftoop) for masquerading, persistence through an init.d script, hardcoded SSH keys in a modified OpenSSH daemon, and a configurable TCP-based C2 channel to maintain control and evade detection.
#LightningFramework #LinuxRootkit #OpenSSH #InitD #Socks5Proxy #Intezer #IBM #SentinelOne
Keypoints
- Lightning Framework is a substantial, modular Linux malware architecture: a downloader, a core component, and plugins, including rootkit-capable modules.
- The downloader (kbioset) masquerades under a typosquatted name, checks its install path /usr/lib64/seahorses/kbioset, and fingerprints the host to generate a GUID that is sent to the C2.
- The core module (kkdmflush) receives commands from the C2, fetches and runs plugins, and hides itself by renaming its threads, among other techniques.
- Persistence is a boot-time init.d script named elastisearch, registered with chkconfig, that relaunches the downloader; the files it drops are timestomped so they blend in with legitimate utilities.
- Two rootkit plugins, an LD_PRELOAD library (libsystemd.so.2) and a kernel module (elastisearch.ko), hide PIDs and ports; the files hpi, hpo and proc/y.y are artifacts of that hiding and signal rootkit presence.
- The Sshd plugin (sshod) is a modified OpenSSH daemon with hardcoded private and host keys for remote access; in passive mode the framework can start it to expose an SSH service to the operator.
- The C2 profile is stored on disk as an encoded JSON configuration (cpc), decoded at runtime with a dynamic XOR algorithm, and is malleable. The default C2 is 10.2.22.67:33229, a private, non-routable address, so it cannot serve as a standalone network indicator; the channel supports data exfiltration and Socks5 proxying.
MITRE Techniques
- [T1037] Boot or Logon Initialization Scripts – An init.d script is used for persistence of the downloader module.
- [T1098.004] SSH Authorized Keys – A public key is added to root's authorized_keys file. ‘Adds a public key to the root/.ssh/authorized_keys’
- [T1027] Obfuscated Files or Information – The C2 profile is encoded on disk.
- [T1140] Deobfuscate/Decode Files or Information – The C2 profile is decoded with a dynamic XOR algorithm.
- [T1564] Hide Artifacts – Many artifacts are hidden, including ports, PIDs, and file timestamps.
- [T1036] Masquerading – Many files are masqueraded as other files or tasks.
- [T1014] Rootkit – LKM and LD_PRELOAD rootkits are used.
- [T1070.006] Timestomp – Timestamps of files created by Lightning are modified to match those of other utilities.
- [T1070.004] File Deletion – The framework has the ability to remove itself.
- [T1083] File and Directory Discovery – The framework can list files and directories on infected systems.
- [T1046] Network Service Discovery – Multiple plugins can be used to perform network service discovery.
- [T1040] Network Sniffing – Multiple plugins can be used to perform network sniffing.
- [T1082] System Information Discovery – Lightning performs detailed system fingerprinting.
- [T1132] Data Encoding – Data exchanged with the C2 is encoded.
- [T1095] Non-Application Layer Protocol – Communication with the C2 is performed over TCP.
- [T1090] Proxy – The framework can start a Socks5 proxy.
- [T1041] Exfiltration Over C2 Channel – Data can be exfiltrated over the C2 channel.
Indicators of Compromise
- [IP/Domain] Default C2 address – 10.2.22.67:33229, from the default configuration. This is a private RFC 1918 address, not routable over the internet, so a live deployment is likely to carry a different value in its malleable profile. ‘default configuration uses a local IP address 10.2.22[.]67 with the port 33229’
- [File/Path] Downloader and persistence artifacts – /usr/lib64/seahorses/kbioset, /etc/rc.d/init.d/elastisearch
- [File/Path] Rootkit indicators – proc/y.y, hpi, hpo
- [File/Path] Modules and plugins – kbioset, kkdmflush, soss, sshod, nethoogs, iftoop, iptraof, libsystemd.so.2, elastisearch.ko
- [SSH Key] Hardcoded SSH keys inside modified OpenSSH daemon – Hardcoded private and host keys
- [Service] Init script/service creation – init.d/elastisearch with chkconfig
- [Configuration] C2 profile and malleable config – cpc (encoded JSON config) and default C2 configuration
- [Process] Rootkit indicators – PID hiding and related artifacts via hpi/hpo and proc/y.y
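The following host-triage script is an added example; it is not Intezer's tooling or any code from the page. It turns the indicators listed above, and the PID/port hiding described in the Keypoints, into checks: known paths and plugin names on disk, an /etc/ld.so.preload entry naming the RootkieHide library, sockets in /proc/net/tcp whose remote end is the default C2, and PIDs that answer a direct probe but are missing from the /proc listing. Assumptions not stated on the page: that plugins are dropped beside the downloader in /usr/lib64/seahorses, that the LD_PRELOAD rootkit is loaded through ld.so.preload, and a little-endian host for decoding /proc/net/tcp. The sample /proc/net/tcp and ld.so.preload contents are constructed for the example.

```python
"""Host triage for the Lightning Framework indicators listed on this page (added example)."""
import os
import socket
import struct

# Indicators copied from this page; nothing here is derived from a sample.
IOC_PATHS = ["/usr/lib64/seahorses/kbioset", "/etc/rc.d/init.d/elastisearch"]
PLUGIN_DIR = "/usr/lib64/seahorses"   # assumption: plugins sit beside the downloader
IOC_NAMES = {"kbioset", "kkdmflush", "soss", "sshod", "nethoogs", "iftoop", "iptraof",
             "libsystemd.so.2", "elastisearch.ko", "cpc", "hpi", "hpo"}
DEFAULT_C2 = ("10.2.22.67", 33229)    # default C2 from the encoded profile

# Constructed sample data so the parsers can be exercised offline.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3D4 4316020A:81CD 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_LD_SO_PRELOAD = "/usr/lib64/seahorses/libsystemd.so.2\n"


def decode_proc_addr(token):
    """'4316020A:81CD' -> ('10.2.22.67', 33229). /proc/net/tcp prints the IPv4 address as a
    host-order u32, so this assumes a little-endian host (where the sample was written)."""
    ip_hex, port_hex = token.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state_hex) per socket line."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = decode_proc_addr(fields[1])
        rip, rport = decode_proc_addr(fields[2])
        rows.append((lip, lport, rip, rport, fields[3]))
    return rows


def c2_connections(text, c2=DEFAULT_C2):
    """Sockets whose remote endpoint is the C2. The default is a private 10/8 address, so a
    hit only means something on a network where that range is actually in use."""
    return [r for r in parse_proc_net_tcp(text) if (r[2], r[3]) == c2]


def suspicious_preload(text):
    """ld.so.preload entries whose basename is a known plugin name. Assumption: the LD_PRELOAD
    rootkit is installed via /etc/ld.so.preload; the page does not say how it is loaded."""
    entries = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return [e for e in entries if os.path.basename(e) in IOC_NAMES]


def present_iocs(root="/"):
    """Known paths and plugin names present under root. Point root at a mounted image when
    possible: on a live host the LD_PRELOAD rootkit can hook readdir and hide these names."""
    found = [p for p in IOC_PATHS if os.path.lexists(os.path.join(root, p.lstrip("/")))]
    plugin_dir = os.path.join(root, PLUGIN_DIR.lstrip("/"))
    if os.path.isdir(plugin_dir):
        found += [os.path.join(PLUGIN_DIR, n) for n in os.listdir(plugin_dir) if n in IOC_NAMES]
    return sorted(set(found))


def read_tgid(pid):
    """Tgid from /proc/<pid>/status, or None if no such task. Opening an explicit path bypasses
    a readdir hook, although an LKM rootkit can still filter it at the syscall layer."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed, tgid_of, pid_max):
    """PIDs that answer a direct probe but are absent from the /proc listing. Non-leader thread
    IDs also answer the probe and are never listed, so only thread-group leaders count."""
    return [pid for pid in range(1, pid_max + 1)
            if pid not in listed and tgid_of(pid) == pid]


if __name__ == "__main__":   # live run on a Linux host; probing pid_max PIDs can take a while
    print("files:", present_iocs())
    try:
        with open("/etc/ld.so.preload") as f:
            print("preload:", suspicious_preload(f.read()))
    except OSError:
        pass
    with open("/proc/net/tcp") as f:
        print("c2 sockets:", c2_connections(f.read()))
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    with open("/proc/sys/kernel/pid_max") as f:
        print("hidden pids:", hidden_pids(listed, read_tgid, int(f.read())))
```

Run it as root on the suspect host, or pass a mount point of its disk image to present_iocs for the file checks; a non-empty result from hidden_pids is the strongest signal here, since a PID that answers a direct probe but is missing from readdir has no benign explanation once thread IDs are excluded.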
Read more: https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/