Lightning malware framework affects Linux machines. Cybersecurity company Intezer analyzed fragments of it.
Security researchers have discovered a new malware framework for Linux and published information about its fragments in an analysis. It’s known as Lightning.
“Lightning is a modular framework that we discovered that brings with it a cornucopia of capabilities,” writes Intezer’s Ryan Robinson in the technical analysis. These capabilities include running plugins and installing rootkits. Lightning can communicate with the attacker both passively and actively, open SSH sessions on infected machines, and is highly customizable in its configuration.
Intezer is a provider of cybersecurity products and services for Tier 1 providers, i.e. the biggest fish on the Internet such as Deutsche Telekom or AT&T. Last year we reported on the Golang worm that Intezer tracked down.
Security researchers release Lightning technical analysis to help other security researchers and stakeholders: “We don’t have all the files referenced in the framework and hope that this release will help others if they have other pieces of the puzzle.” The malware has not yet been observed attacking in the wild.
I have read the Lightning technical analysis for you and summarize it here.
This is how the Lightning Framework behaves at runtime
Lightning lands on the target computer in the form of a downloader that disguises itself as the password and key manager Seahorse. It creates a globally unique identifier (GUID) and sends it to the controlling server. The downloader then loads plugins and modules.
Some of the Lightning modules were not present on the system that Intezer analyzed. However, since the downloader references them, Intezer was at least able to recover their file names through reverse engineering. From this, the discoverers of the malware conclude that the following software could be part of the framework:
- Nethogs, an open source tool that displays Linux internal processes sorted by bandwidth
Lightning’s downloader also loads a core module that accepts commands from the attacker’s control server and has the plugin modules execute them. The process disguises itself as part of the target computer’s kernel, so it may also slip under the radar of commands such as ps and netstat. The framework opens a backdoor on the affected system via SSH. It can collect information about the operating system and read, delete and send files and their metadata to the attacker. Files can also be overwritten, allowing manipulation of data on the compromised system. The framework sends the data to the attacker in JSON format over TCP.
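Intezer has not yet published detection guidance, so the following hunt script is an added example (not Intezer's code and not taken from the analysis) that implements one generic Linux heuristic for the kernel masquerading described above: a process that presents itself like a kernel thread but is not parented by kthreadd (PID 2) and is backed by a readable on-disk executable. Function names, thresholds and the sample values in the test are my own assumptions, not indicators from the page.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2  # every genuine Linux kernel thread is kthreadd or a child of it

@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str           # /proc/<pid>/comm
    cmdline: str        # /proc/<pid>/cmdline, NUL separators replaced by spaces
    exe: Optional[str]  # target of /proc/<pid>/exe, None when the link is unreadable

def presents_as_kernel_thread(p: ProcInfo) -> bool:
    """True when ps would show the process the way a kernel thread looks:
    empty command line, or a bracketed or kworker-style name."""
    return p.cmdline == "" or p.cmdline.startswith("[") or p.comm.startswith("kworker")

def is_genuine_kernel_thread(p: ProcInfo) -> bool:
    return p.pid == KTHREADD_PID or p.ppid == KTHREADD_PID

def is_suspicious(p: ProcInfo) -> bool:
    """Kernel-thread appearance, but parented outside kthreadd and backed by a real
    executable. Real kernel threads and zombies have no readable exe link."""
    return presents_as_kernel_thread(p) and not is_genuine_kernel_thread(p) and p.exe is not None

def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the fields above for one live PID; None if it vanished or is unreadable."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        with open(f"{base}/stat") as f:
            # /proc/<pid>/stat: "pid (comm) state ppid ..."; comm may contain spaces
            ppid = int(f.read().rsplit(")", 1)[1].split()[1])
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None
        return ProcInfo(pid, ppid, comm, cmdline, exe)
    except (OSError, ValueError):
        return None

def hunt() -> List[ProcInfo]:
    """Scan /proc and return every process the heuristic flags for manual review."""
    pids = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    return [p for p in map(read_proc, pids) if p and is_suspicious(p)]
```

Run `hunt()` as root on a Linux host and review each hit's `exe` path by hand; user-space daemons that deliberately blank their argv will also be flagged, so treat the output as leads rather than verdicts.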
What do we conclude from this?
All in all, the Lightning malware framework for Linux does not seem to be very elaborate, as it uses simple and well-known, but also proven, methods and vulnerabilities and presumably freely available software as modules. It could well be the work of a single individual. Since Lightning can analyze network connections and routing protocols, it probably aims at company and government networks, possibly in order to spread further within them. But private computers and small private networks are also vulnerable.
Since Linux has not yet found widespread use among private users, this thesis remains questionable. Conceivable uses of Lightning would be industrial espionage, preparing ransomware attacks or covering tracks after a hack. However, incriminating data could also be planted on victims in order to blackmail them in the old-fashioned way or to give the police cause to search their homes.
In the analysis, Intezer also announced a blog post describing how you can recognize the Lightning Framework on your computers. Hopefully more pieces of the puzzle will come together in the near future. The Tarnkappe keeps you up to date.