November 14, 2024

A never-before-seen Linux malware has been dubbed a “Swiss Army Knife” for its modular architecture and its capability to install rootkits.

This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems.

“The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration,” Intezer researcher Ryan Robinson said in a new report published today.

Central to the malware is a downloader (“kbioset”) and a core (“kkdmflush”) module, the former of which is engineered to retrieve at least seven different plugins from a remote server that are subsequently invoked by the core component.

The downloader is also responsible for establishing the persistence of the framework’s main module. “The main function of the downloader module is to fetch the other components and execute the core module,” Robinson noted.

The core module, for its part, establishes contact with the command-and-control (C2) server to fetch the commands required to execute the plugins, while also taking care to hide its own presence on the compromised machine.

Some of the notable commands received from the server enable the malware to fingerprint the machine, run shell commands, upload files to the C2 server, write arbitrary data to file, and even update and remove itself from the infected host.

It further sets up persistence by creating an initialization script that is executed at system boot, so that the downloader is launched automatically.
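The boot-time persistence and the two named components (“kbioset” and “kkdmflush”) give a defender a simple hunting check: look for init scripts that reference either name. The following is an added Python example, not code from Intezer’s report or from the malware; the init-script directories are an assumption (the article does not say where the script is written), and the sample script contents are constructed.

```python
import os
import re
from typing import Dict, List

# Component names reported for Lightning Framework (taken from the article).
LIGHTNING_COMPONENTS = ("kbioset", "kkdmflush")

# Assumption: common locations for boot-time init scripts on Linux hosts.
# The article does not state which location the framework actually uses.
INIT_SCRIPT_DIRS = ("/etc/init.d", "/etc/rc.d", "/etc/rc.local")

# Match a component name as a whole token, case-insensitively, so that a path
# such as /usr/lib/foo/kbioset is flagged but "kbiosetting" is not.
_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(n) for n in LIGHTNING_COMPONENTS) + r")\b",
    re.IGNORECASE,
)


def find_component_references(scripts: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {script_path: [component names]} for every script whose text
    mentions at least one known Lightning Framework component name."""
    hits: Dict[str, List[str]] = {}
    for path, text in scripts.items():
        names = sorted({m.lower() for m in _PATTERN.findall(text)})
        if names:
            hits[path] = names
    return hits


def load_init_scripts(dirs=INIT_SCRIPT_DIRS) -> Dict[str, str]:
    """Read every regular file found at or under the given locations."""
    scripts: Dict[str, str] = {}
    for location in dirs:
        if os.path.isfile(location):
            candidates = [location]
        elif os.path.isdir(location):
            candidates = [os.path.join(location, f) for f in sorted(os.listdir(location))]
        else:
            continue
        for path in candidates:
            try:
                with open(path, "r", errors="replace") as fh:
                    scripts[path] = fh.read()
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
    return scripts


# Constructed sample init scripts for demonstration (not real samples).
SAMPLE_SCRIPTS = {
    "/etc/init.d/ssh": "#!/bin/sh\n# Provides: sshd\nexec /usr/sbin/sshd\n",
    "/etc/init.d/sysupdate": "#!/bin/sh\n/usr/lib/sysupdate/kbioset &\n",
}

if __name__ == "__main__":
    for path, names in find_component_references(SAMPLE_SCRIPTS).items():
        print(f"{path}: references {', '.join(names)}")
```

A name match is a lead to investigate, not confirmation, and because the core module hides its presence on the host, results from a scan run on a live, possibly rootkitted system should be cross-checked from a trusted environment (for example, against a mounted disk image).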

“The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux,” Robinson pointed out.

The discovery of Lightning Framework makes it the fifth Linux malware strain to be unearthed in a short period of three months after BPFDoor, Symbiote, Syslogk, and OrBit.