New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems


A never-before-seen Linux malware has been dubbed a “Swiss Army Knife” because of its modular architecture and ability to install rootkits.

This previously undiscovered Linux threat, dubbed Lightning Framework by Intezer, is packed with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems.

“The framework has both passive and active capabilities for communication with the threat actor, including opening SSH on an infected machine, and a polymorphic malleable command and control configuration,” Intezer researcher Ryan Robinson said in a new report published today.

Central to the malware are a downloader (“kbioset”) and a core (“kkdmflush”) module, the first of which is designed to retrieve at least seven different plugins from a remote server that are then called by the core component.

In addition, the downloader is also responsible for establishing the persistence of the main module of the framework. “The main function of the downloader module is to fetch the other components and run the core module,” Robinson noted.

The core module, for its part, contacts the command-and-control (C2) server to retrieve the necessary commands needed to run the plugins, while also ensuring its own presence on the compromised hide machine.

Some of the notable commands received from the server allow the malware to fingerprint the machine, run shell commands, upload files to the C2 server, write arbitrary data to a file, and run itself even update and remove the infected host.

It further ensures persistence by creating a initialization script which is run at system startup, allowing the downloader to start automatically.

“The Lightning Framework is an interesting malware because it’s not common to see such a large framework developed to target Linux,” Robinson noted.

The discovery of Lightning Framework makes it the fifth Linux malware strain unearthed in a short three-month period after BPFDoor, Symbiote, Syslogk, and OrBit.