- Jul 27, 2015
The software framework has become essential to developing almost all complex software these days. The Django Web framework, for instance, bundles all the libraries, image files, and other components needed to quickly build and deploy web apps, making it a mainstay at companies like Google, Spotify, and Pinterest. Frameworks provide a platform that performs common functions like logging and authentication shared across an app ecosystem.
Last week, researchers from security firm Intezer revealed the Lightning Framework, a modular malware framework for Linux that has gone undocumented until now. Lightning Framework is post-exploit malware, meaning it gets installed after an attacker has already gained access to a targeted machine. Once installed, it can provide some of the same efficiencies and speed to Linux compromises that Django provides for web development. “It is rare to see such an intricate framework developed for targeting Linux systems,” Ryan Robinson, a security researcher at Intezer, wrote in a post. “Lightning is a modular framework we discovered that has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins.”
Lightning consists of a downloader named Lightning.Downloader and a core module named Lightning.Core. The downloader connects to a designated command and control server to fetch additional software, and the core module connects to it to receive commands. Operators can then run any of at least seven modules that do all kinds of other nefarious things. Capabilities include both passive and active communications with the threat actor, including opening a secure shell on the infected machine and a polymorphic, malleable command and control profile.
The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and support for connecting to command and control servers that use malleable profiles. Malware frameworks have existed for years, but there aren’t many that provide so much comprehensive support for the hacking of Linux machines.
Newly found Lightning Framework offers a plethora of Linux hacking capabilities
This modular malware framework for Linux has gone undocumented until now.