New Undetected Swiss Army Knife Linux Malware Installs Rootkits, Backdoors

by Esmeralda McKenzie
Lightning Framework is a brand new malware that had previously gone undetected and targets Linux systems. Infected devices can be backdoored over SSH using this program, and multiple types of rootkits can be deployed with it.

Lightning Framework has been described as a 'Swiss Army Knife' by the experts of the security firm Intezer, thanks to its modularity and its support for plugins.

In addition, several of its components have not yet been found or analyzed, so there is still a long way to go before the experts can fully account for this malware in the wild.

Technical Analysis

Besides being built in a simple way, Lightning Framework makes use of typosquatting. It is important to know that Lightning Framework uses a disguised identity to evade detection on infected systems by masquerading as Seahorse, the GNOME password and encryption key manager.


Lightning Framework pulls its core module and plugins after it retrieves the required information from its core module's configuration file. This information is saved in a configuration file that is undetectable and polymorphically encoded, and it is used to communicate with the C2 server.

As the main module of the framework, the core module (kkdmflush) is responsible for receiving commands from the malware's command and control server and for executing the malware's plugins.


Using an SSH server that is started by one of the downloaded plugins (Linux.Plugin.Lightning.Sshd), the malware adds its own SSH-based backdoor.

Plugins Used

Below we have listed all the plugins used by the malware:

  • Linux.Plugin.Lightning.SsHijacker
  • Linux.Plugin.Lightning.Sshd
  • Linux.Plugin.Lightning.Nethogs
  • Linux.Plugin.Lightning.iftop
  • Linux.Plugin.Lightning.iptraf
  • Lightning.Core

Commands Used

Below we have listed all the commands used, along with their descriptions:

  • SystemInfo: Fingerprints the machine
  • PureShellCommand: Runs a shell command
  • RunShellPure: Starts the Linux.Plugin.Lightning.Sshd (SSH daemon) plugin
  • CloseShellPure: Terminates the Linux.Plugin.Lightning.Sshd plugin
  • Disconnect: Exits the Core module
  • GetRemotePathInfo: Collects a summary of the given path
  • KeepAlive: No action, connection stays alive
  • UploadFileHeader: Tests access to a file
  • FileEdit: Gets the contents of a file and its time metadata
  • TryPassSSH: Adds a public key to the root/.ssh/authorized_keys file
  • DeleteVecFile: Deletes the specified file or path
  • PreDownloadFile: Calculates a checksum of the file
  • DownloadFile: Sends a file to the C2
  • DeleteGuid: Removes the framework
  • UpdateVersion: Calls the Downloader module to update the framework
  • UpdateRemoteVersion: Updates the framework in conjunction with the downloader
  • Socks5: Sets up a SOCKS5 proxy
  • RestorePlug: The same as UpdateVersion
  • GetDomainSetting: Fetches the contents of the malleable C2 configuration file (cpc)
  • SetDomainSetting: Updates the contents of the malleable C2 configuration file (cpc)
  • InstallKernelHide: Fetches the OS release
  • RemoveKernelHide: Removes the kernel module
  • UpdateKernelVersion: Removes the kernel module and runs uname -r
  • OverrideFile: Overwrites the specified file
  • UploadFileContent: Writes data sent from the server to a file
  • LocalPluginRequest: Writes either the LD_PRELOAD rootkit or the LKM rootkit
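Two of the commands above leave host-level traces a defender can audit: TryPassSSH appends a public key to root's authorized_keys, and LocalPluginRequest can install an LD_PRELOAD rootkit, which on Linux is typically registered through /etc/ld.so.preload. The following is an added example (not code from the article or from Intezer) that checks both files against an allowlist; the file contents, key blobs and allowlist are constructed placeholders.

```python
import base64
import hashlib

# Key types accepted by OpenSSH that we recognise while parsing authorized_keys.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_authorized_keys(text):
    """Yield (key_type, base64_blob, comment) per key line, skipping blanks and comments.
    Options such as from="..." may precede the key type, so scan for the type token."""
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok in KEY_TYPES and i + 1 < len(parts):
                yield tok, parts[i + 1], " ".join(parts[i + 2:])
                break

def key_fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_root_keys(authorized_keys_text, allowed_fingerprints):
    """Return (fingerprint, comment) for every key not on the allowlist (TryPassSSH check)."""
    return [(fp, comment) for _, blob, comment in parse_authorized_keys(authorized_keys_text)
            if (fp := key_fingerprint(blob)) not in allowed_fingerprints]

def unexpected_preload_libs(preload_text, allowed_libs=()):
    """Return every path in /etc/ld.so.preload outside the allowlist (LD_PRELOAD rootkit check).
    The file is a whitespace-separated list; on most servers it should be absent or empty."""
    return [lib for lib in preload_text.split() if lib not in set(allowed_libs)]

# Constructed sample data (not from the article): one approved admin key, one foreign key.
ADMIN_BLOB = base64.b64encode(b"constructed-admin-key-blob").decode()
FOREIGN_BLOB = base64.b64encode(b"constructed-unknown-key-blob").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# managed by configuration management
ssh-ed25519 {ADMIN_BLOB} admin@bastion
from="10.0.0.0/8" ssh-rsa {FOREIGN_BLOB}
"""
ALLOWED_FINGERPRINTS = {key_fingerprint(ADMIN_BLOB)}  # normally sourced from config management
SAMPLE_PRELOAD = "/usr/lib/libconstructed_example.so\n"  # constructed placeholder path

if __name__ == "__main__":
    for fp, comment in unexpected_root_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"unexpected key in root authorized_keys: {fp} {comment!r}")
    for lib in unexpected_preload_libs(SAMPLE_PRELOAD):
        print(f"unexpected /etc/ld.so.preload entry: {lib}")
```

On a live host, read /root/.ssh/authorized_keys and /etc/ld.so.preload into the two functions and alert on any non-empty result.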

Lightning Framework is one of the most recent malware strains to surface and be identified. Using this malware variant, it is possible to completely compromise and backdoor a device.

There is no doubt that the discovery of Lightning Framework clearly illustrates the fact that Linux malware has been used increasingly by threat actors in recent years.


Source credit : cybersecuritynews.com
