A new, previously undetected Linux malware known as ‘Lightning Framework’ is a modular backdoor that can deploy rootkits on infected hosts and open its own Secure Shell (SSH) server for remote access. A report released by Intezer this week calls the malware “Swiss Army Knife-like” because of its wide range of capabilities and the techniques it uses to avoid detection and hide its artifacts.
The Lightning Framework includes a downloader that fetches the other modules and plugins the malware needs, including the core module, and executes it. To remain unnoticed on the infected device the malware masquerades as legitimate software through typosquatted names: it relocates itself to the working directory ‘/usr/lib64/seahorses/’, a reference to the password and key manager Seahorse, and the downloader lives there under the name ‘kbioset’.
The downloader fingerprints the host, collecting the host name and network details to generate a globally unique identifier (GUID), which it sends to a command and control (C2) server. The C2 server returns the remaining modules and plugins, some of which are built on open-source code, and the attack continues. The core module executes the plugins and renames its calling thread to ‘kdmflush’ so that it is mistaken for the kernel thread of that name. The framework can then run shell commands and, through the Linux.Plugin.Lightning.Sshd (SSH daemon) plugin, start an SSH server that serves as the attackers’ own backdoor, letting them log in to infected devices with their own SSH keys.
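The two evasion tricks described above leave host artifacts a responder can hunt for. A genuine kernel thread such as kdmflush is a child of kthreadd (PID 2), has an empty /proc/&lt;pid&gt;/cmdline and no /proc/&lt;pid&gt;/exe target, which is why ps prints it in brackets as [kdmflush]; a userland process that merely renamed its thread still carries a cmdline and an executable. The script below is an added example, not code from the Intezer report or from the malware, that walks /proc looking for such impostors and checks for the seahorses directory and kbioset file named in the article. The sample process table and the path of the fake process in it are constructed, and the ThreadInfo/live_threads helpers are this example's own.

```python
#!/usr/bin/env python3
"""Hunt for Lightning Framework-style artifacts on a Linux host (added example).

Check 1: a thread whose comm is 'kdmflush' but whose process is not a genuine
         kernel thread (parent != kthreadd, or it has a cmdline / exe).
Check 2: the masquerading directory and file name reported by Intezer exist.
"""
import os
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Paths named in the report; nothing else here is taken from the malware.
SUSPECT_PATHS = ["/usr/lib64/seahorses", "/usr/lib64/seahorses/kbioset"]
# Kernel-thread name the core module impersonates.
IMPERSONATED_KTHREADS = {"kdmflush"}
KTHREADD_PID = 2


@dataclass
class ThreadInfo:
    pid: int        # owning process
    tid: int        # thread id (== pid for the main thread)
    ppid: int       # parent of the owning process
    comm: str       # /proc/<pid>/task/<tid>/comm
    cmdline: str    # /proc/<pid>/cmdline, '' for kernel threads
    exe: str        # readlink /proc/<pid>/exe, '' for kernel threads


def is_fake_kernel_thread(t: ThreadInfo) -> bool:
    """True if the thread borrows a kernel-thread name but shows userland traits."""
    if t.comm not in IMPERSONATED_KTHREADS:
        return False
    genuine = t.ppid == KTHREADD_PID and t.cmdline == "" and t.exe == ""
    return not genuine


def find_fake_kernel_threads(threads: Iterable[ThreadInfo]) -> List[ThreadInfo]:
    return [t for t in threads if is_fake_kernel_thread(t)]


def check_paths(paths: Iterable[str] = SUSPECT_PATHS,
                exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the suspect paths that exist; `exists` is injectable for offline tests."""
    return [p for p in paths if exists(p)]


def _read(path: str) -> str:
    try:
        with open(path, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def _ppid(pid: int) -> int:
    # /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain spaces,
    # so split after the last ')'. Returns -1 if unreadable.
    stat = _read(f"/proc/{pid}/stat")
    try:
        return int(stat.rsplit(")", 1)[1].split()[1])
    except (IndexError, ValueError):
        return -1


def live_threads() -> List[ThreadInfo]:
    """Enumerate every thread on this host via /proc (empty list off Linux)."""
    out: List[ThreadInfo] = []
    if not os.path.isdir("/proc"):
        return out
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        ppid = _ppid(pid)
        cmdline = _read(f"/proc/{pid}/cmdline")
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel thread, zombie, or insufficient privilege
        task_dir = f"/proc/{pid}/task"
        try:
            tids = [int(t) for t in os.listdir(task_dir) if t.isdigit()]
        except OSError:
            continue  # process exited while we were scanning
        for tid in tids:
            out.append(ThreadInfo(pid, tid, ppid, _read(f"{task_dir}/{tid}/comm"), cmdline, exe))
    return out


# Constructed sample (not captured from a real infection); the fake process's
# path is hypothetical.
SAMPLE_THREADS = [
    ThreadInfo(2, 2, 0, "kthreadd", "", ""),
    ThreadInfo(412, 412, 2, "kdmflush", "", ""),                       # genuine kernel thread
    ThreadInfo(1337, 1337, 1, "kdmflush",
               "/usr/lib64/seahorses/core", "/usr/lib64/seahorses/core"),  # renamed userland process
    ThreadInfo(900, 900, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for t in find_fake_kernel_threads(live_threads()):
        print(f"suspicious thread {t.tid} in pid {t.pid}: exe={t.exe!r} cmdline={t.cmdline!r}")
    for p in check_paths():
        print(f"suspect path present: {p}")
```

Run it as root, since /proc/&lt;pid&gt;/exe of other users' processes is unreadable otherwise; an unreadable exe is treated as empty, so a renamed process is still caught by its parent PID and cmdline, but with fewer corroborating fields. The checks are deliberately narrow to the names in this report; extend IMPERSONATED_KTHREADS with other kernel worker names (kworker, ksoftirqd) to generalise the same parent-and-cmdline test.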
Although no attacks using this malware have been confirmed in the wild, a framework this large and sophisticated, built to target Linux directly, is a concern for Linux users. Linux environments have been targeted by malware increasingly over the past year; IBM has identified them as a route attackers use to move more easily across cloud environments.