The software framework has become essential to developing almost all complex software these days. The Django Web framework, for instance, bundles all the libraries, image files, and other components needed to quickly build and deploy web apps, making it a mainstay at companies like Google, Spotify, and Pinterest. Frameworks provide a platform that performs common functions like logging and authentication shared across an app ecosystem.
Last week, researchers from security firm Intezer revealed the Lightning Framework, a modular malware framework for Linux that has gone undocumented until now. Lightning Framework is post-exploit malware, meaning it gets installed after an attacker has already gained access to a targeted machine. Once installed, it can provide some of the same efficiencies and speed to Linux compromises that Django provides for web development.
“It is rare to see such an intricate framework developed for targeting Linux systems,” Ryan Robinson, a security researcher at Intezer, wrote in a post. “Lightning is a modular framework we discovered that has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins.”
Intezer
Lightning consists of a downloader named Lightning.Downloader and a core module named Lightning.Core. They connect to a designated command and control server to download software and receive commands, respectively. Users can then run any of at least seven modules that do all kinds of other nefarious things. Capabilities include both passive and active communications with the threat actor, including opening a secure shell on the infected machine and a polymorphic malleable command.
The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and support for connecting to command and control servers that use malleable profiles. Malware frameworks have existed for years, but there aren’t many that provide so much comprehensive support for the hacking of Linux machines.
In an email, Robinson said Intezer found the malware on VirusTotal. He wrote:
The entity that submitted it appears to be related to a Chinese manufacturing organisation that makes small motor appliances. We found this based on other submissions from the same submitter. I fingerprinted the server that we used to identify the company and they were indeed using Centos (which the malware was compiled for). But this still is not solid enough to conclude that they were the targets or infected with the malware. We have not learned anything new since the publication. The ideal thing which we hope to find is one of the encrypted malleable C2 configuration profiles. It would give us network IOCs to perform pivoting off.
Intezer was able to obtain parts of the framework but not everything. From the files the company researchers were able to analyze, they could infer the presence of other modules. The company provided the following overview:
| Name | Name on Disk | Description |
| Lightning.Downloader | kbioset | The persistent module that downloads the core module and its plugins |
| Lightning.Core | kkdmflush | The main module of the Lightning Framework |
| Linux.Plugin.Lightning.SsHijacker | soss | There is a reference to this module but no sample found in the wild yet. |
| Linux.Plugin.Lightning.Sshd | sshod | OpenSSH with hardcoded private and host keys |
| Linux.Plugin.Lightning.Nethogs | nethoogs | There is a reference to this module but no sample found in the wild yet. Presumably the software Nethogs |
| Linux.Plugin.Lightning.iftop | iftoop | There is a reference to this module but no sample found in the wild yet. Presumably the software iftop |
| Linux.Plugin.Lightning.iptraf | iptraof | There is a reference to this module but no sample found in the wild yet. Presumably the software IPTraf |
| Linux.Plugin.RootkieHide | libsystemd.so.2 | There is a reference to this module but no sample found in the wild yet. LD_PRELOAD Rootkit |
| Linux.Plugin.Kernel | elastisearch.ko | There is a reference to this module but no sample found in the wild yet. LKM Rootkit |
So far there are no known instances of the Lightning Framework being actively used in the wild. Then again, given the abundance of available capabilities, state-of-the-art stealth is undoubtedly part of the package.
