Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware

The main function of the downloader module is to fetch the other components and execute the core module.
The downloader module starts by checking whether it is located in the working directory /usr/lib64/seahorses/ under the name kbioset. If not, it relocates itself to that working directory and executes that copy.
The framework makes heavy use of typosquatting and masquerading in order to remain undetected. The reference to seahorses masquerades as the password and key manager software seahorse. The downloader fingerprints the host name and network adapters to generate a GUID, which is sent to the command and control (C2) server.
The downloader then contacts the C2 to fetch the following modules and plugins:

Linux.Plugin.Lightning.SsHijacker
Linux.Plugin.Lightning.Sshd
Linux.Plugin.Lightning.Nethogs
Linux.Plugin.Lightning.iftop
Linux.Plugin.Lightning.iptraf
Lightning.Core

The method of contacting the C2 is described below in the malleable C2 section. The downloader then executes the core module (kkdmflush).

The core module is the main module in this framework: it receives commands from the C2 and executes the plugin modules. The module has many capabilities and uses a number of techniques to hide artifacts and remain under the radar.

The core module renames its calling thread to kdmflush so that it appears to be a kernel thread.
Next, the core module sets up persistence by creating a script that is executed at system boot. It first creates a file at /etc/rc.d/init.d/elastisearch; the name appears to typosquat elasticsearch. The following contents are written to the file:

#!/bin/bash
# chkconfig:2345 90 20
/usr/lib64/seahorses/kbioset &

This script executes the downloader module at boot. The service is then registered using the chkconfig utility.
The timestamp of the file is modified to hide artifacts, a technique known as “timestomping”. The file's last modified time is set to match that of whoami, find, or su; the module checks for each of these binaries in turn until it finds one.
This technique is used for most of the files that the framework creates.
The malware attempts to hide its process ID (PID) and any related network ports. This is done by writing the framework's running PIDs to two files, hpi and hpo. These files are parsed and then the existence of the file proc/y.y is checked.
If the file exists, a rootkit has been installed. The PIDs are written to proc/y.y for use by the rootkit, which may scrub any reference to the framework's processes from the output of commands such as ps and netstat.
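A host-level check for the artifacts described above, added here as an example and not part of the original report or of any vendor tooling: it looks for the dropper, the typosquatted init script and the rootkit interface file, flags the init script if its mtime exactly matches one of the binaries the framework copies timestamps from, and lists processes whose comm is kdmflush but which, unlike genuine kernel threads, have a resolvable /proc/<pid>/exe. The reference-binary locations in TIMESTOMP_SOURCES and the exe heuristic are assumptions, not details from the report.

```python
import os

# Artifacts named in the report, relative to the scanned root ("/" on a live
# host, or a mounted image / test directory).
DROPPER = "usr/lib64/seahorses/kbioset"
INIT_SCRIPT = "etc/rc.d/init.d/elastisearch"
ROOTKIT_IFACE = "proc/y.y"
# Assumed locations of the binaries whose mtime the framework copies onto the files it creates.
TIMESTOMP_SOURCES = ("usr/bin/whoami", "usr/bin/find", "usr/bin/su", "bin/su")

def timestomp_source(root, path):
    """Reference binary whose mtime exactly equals that of `path`, or None."""
    target = os.lstat(path).st_mtime_ns
    for rel in TIMESTOMP_SOURCES:
        src = os.path.join(root, rel)
        if os.path.lexists(src) and os.lstat(src).st_mtime_ns == target:
            return rel
    return None

def fake_kernel_threads(proc_root, name="kdmflush"):
    """PIDs whose comm is `name` but whose /proc/<pid>/exe resolves to a file.
    Genuine kernel threads have no executable image, so exe never resolves (assumed heuristic)."""
    hits = []
    for entry in os.listdir(proc_root):
        d = os.path.join(proc_root, entry)
        if not entry.isdigit() or not os.path.isdir(d):
            continue
        try:
            with open(os.path.join(d, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        if comm == name and os.path.exists(os.path.join(d, "exe")):
            hits.append(int(entry))
    return sorted(hits)

def scan_root(root="/"):
    """Collect Lightning Framework indicators under `root` as a list of strings."""
    findings = []
    for rel in (DROPPER, INIT_SCRIPT, ROOTKIT_IFACE):
        p = os.path.join(root, rel)
        if not os.path.lexists(p):
            continue
        findings.append(f"artifact present: /{rel}")
        src = timestomp_source(root, p) if os.path.isfile(p) else None
        if src:
            findings.append(f"timestomped: /{rel} mtime equals /{src}")
    for pid in fake_kernel_threads(os.path.join(root, "proc")):
        findings.append(f"user process masquerading as kdmflush: pid {pid}")
    return findings
```

Run `scan_root("/")` as root on a live host, since /proc/<pid>/exe of other users' processes is not readable otherwise; an exact mtime match is a strong but not conclusive signal, so treat each finding as a lead for triage rather than proof.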

The core module generates a GUID in the same manner as the downloader and contacts the C2. The response is parsed and the command is executed.
Network communication in the core and downloader modules is performed over TCP sockets. The data is structured as JSON.
The C2 address is stored in a polymorphic encoded configuration file that is unique for every instance generated. This means that configuration files cannot be detected through techniques such as hash matching. The key is built into the start of the encoded file.

The decoded configuration is structured as JSON.
The default configuration in the analyzed sample uses the local IP address 10.2.22[.]67 with port 33229.
A passive mode of communication is available if the actor executes the RunShellPure command. This starts an SSH service on the infected machine using the Linux.Plugin.Lightning.Sshd plugin. The plugin is an OpenSSH daemon with hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor.
