
Newly Found Lightning Framework Offers Abundant Linux Hacking Capabilities


    Today, the software framework has become essential for developing almost all complex software. For example, the Django web framework bundles all the libraries, image files, and other components needed to quickly build and deploy web apps, making it a mainstay at companies like Google, Spotify, and Pinterest. Frameworks provide a platform that performs common functions, such as logging and authentication, shared across an app ecosystem.

    Last week, researchers at security firm Intezer unveiled the Lightning Framework, a modular malware framework for Linux that was hitherto undocumented. Lightning Framework is post-exploit malware, meaning it is installed after an attacker has already gained access to a targeted machine. Once installed, it can provide the same efficiency and speed for Linux compromises that Django offers for web development.

    “It’s rare to see such a complex framework developed to target Linux systems,” Ryan Robinson, a security researcher at Intezer, wrote in a post. “Lightning is a modular framework we discovered that has a plethora of capabilities, and the ability to install multiple types of rootkits, as well as the ability to run plugins.”


    Lightning consists of a downloader called Lightning.Downloader and a core module called Lightning.Core. They connect to a designated command and control server to download software and receive commands, respectively. Operators can then run any of at least seven modules that do all sorts of other nefarious things. Capabilities include both passive and active communication with the threat actor, including opening a secure shell on the infected machine and a polymorphic, malleable command and control configuration.

    The framework has both passive and active capabilities for communication with the threat actor, including opening SSH on an infected machine, and support for connecting to command and control servers that use malleable profiles. Malware frameworks have been around for years, but there aren’t many that offer this much comprehensive support for hacking Linux machines.

    In an email, Robinson said Intezer had found the malware on VirusTotal. He wrote:

    The entity that submitted it appears to be related to a Chinese manufacturing organization that makes small engine aircraft. We found this based on other submissions from the same submitter. I fingerprinted the server we used to identify the company and they were indeed using CentOS (for which the malware was compiled). But this is still not solid enough to conclude that they were targeted or infected with the malware. We haven’t learned anything new since its publication. The ideal we hope to find is one of the encrypted, malleable C2 configuration profiles. It would give us network IOCs to run out.

    Intezer was able to obtain parts of the framework, but not all of it. From the files its researchers could analyze, they were able to infer the existence of other modules. The company provided the following overview:

    | Name | Name on disk | Description |
    |---|---|---|
    | Lightning.Downloader | kbioset | The persistent module that downloads the core module and its plugins |
    | Lightning.Core | kkdmflush | The main module of the Lightning Framework |
    | Linux.Plugin.Lightning.SsHijacker | soss | There is a reference to this module, but no sample has been found in the wild yet. |
    | Linux.Plugin.Lightning.Sshd | sshod | OpenSSH with hard-coded private and host keys |
    | Linux.Plugin.Lightning.Nethogs | nethigh | There is a reference to this module, but no sample has been found in the wild yet. Presumably the software Nethogs |
    | Linux.Plugin.Lightning.iftop | iftoop | There is a reference to this module, but no sample has been found in the wild yet. Presumably the software iftop |
    | Linux.Plugin.Lightning.iptraf | iptraof | There is a reference to this module, but no sample has been found in the wild yet. Presumably the software IPTraf |
    | Linux.Plugin.RootkieHide | libsystemd.so.2 | There is a reference to this module, but no sample has been found in the wild yet. LD_PRELOAD rootkit |
    | Linux.Plugin.Kernel | elastisearch.ko | There is a reference to this module, but no sample has been found in the wild yet. LKM rootkit |
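    The on-disk names in the table are the most concrete host indicators the page gives, so a defender's first move is to sweep for them along with the two persistence mechanisms the rootkit plugins rely on: an entry in /etc/ld.so.preload (how an LD_PRELOAD rootkit such as the libsystemd.so.2 plugin would load system-wide) and a loaded kernel module (the elastisearch.ko LKM). The POSIX shell script below is an added example written for this article; it is not Intezer's tooling or anything shipped with the framework, and the function names, the directory argument and the lsmod-output file argument are assumptions made so the checks can be tested against constructed input rather than a live system.

    ```shell
    #!/bin/sh
    # Added example (not Intezer's or Ars Technica's code): sweep a host for the
    # Lightning Framework artifacts listed in the table above.

    # On-disk file names exactly as given in the table on this page.
    LIGHTNING_DISK_NAMES="kbioset kkdmflush soss sshod nethigh iftoop iptraof libsystemd.so.2 elastisearch.ko"

    # scan_tree DIR: print every regular file under DIR whose basename matches one
    # of the known on-disk names. A hit is a lead, not proof: libsystemd.so.2 in
    # particular should be compared against the distribution's package database.
    scan_tree() {
      dir="$1"
      find "$dir" -type f 2>/dev/null | while IFS= read -r path; do
        base="${path##*/}"
        for name in $LIGHTNING_DISK_NAMES; do
          if [ "$base" = "$name" ]; then
            printf '%s\n' "$path"
          fi
        done
      done
    }

    # check_preload FILE: print each non-blank entry of an ld.so.preload file
    # (normally /etc/ld.so.preload). On most servers this file does not exist at
    # all, so any entry deserves a look, not only the name from the table.
    check_preload() {
      if [ -f "$1" ]; then
        grep -v '^[[:space:]]*$' "$1" | while IFS= read -r lib; do
          printf 'preload:%s\n' "$lib"
        done
      fi
    }

    # check_modules FILE: scan saved `lsmod` output (header line, then one module
    # per line) for the LKM rootkit name. Pass a file so the check works on
    # output collected from another machine or from a forensic image.
    check_modules() {
      awk 'NR > 1 && $1 == "elastisearch" { print "module:" $1 }' "$1"
    }

    # Live sweep only when explicitly requested, so sourcing the file is harmless.
    if [ "${1:-}" = "--scan" ]; then
      scan_tree /
      check_preload /etc/ld.so.preload
      lsmod > /tmp/lsmod.$$ 2>/dev/null && check_modules /tmp/lsmod.$$
      rm -f /tmp/lsmod.$$
    fi
    ```

    Run it as `sh sweep.sh --scan` on a suspect host, or call the three functions separately against files collected during triage; an empty result only means none of the published names are present, since the page itself notes that several modules have been referenced but never recovered.
    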

    So far, there are no known cases of the Lightning Framework being actively used in the wild. Given the plethora of capabilities available, though, state-of-the-art stealth is undoubtedly part of the package.