By Shannon Morse, ThreatWire

Frameworks are a common part of software development because they keep everything clean and organized, covering things like libraries, image files, logging, and authentication. That structure makes it easier for developers to quickly deploy apps and updates across multiple ecosystems. So, they're common.

An undocumented malware framework for Linux was discovered and revealed by security firm Intezer last week, after they found it on VirusTotal. The sample had been submitted by a Chinese manufacturer using CentOS. The framework is called Lightning Framework, and it is post-exploitation malware: it's installed on a machine after the attacker has already gained access, and it's used to install rootkits and run plugins.

Since frameworks are so common in development, what makes this one unique? According to Intezer, it's rare to see such an intricate framework built to target Linux systems. Lightning is a modular framework with a lot of capabilities: an attacker can use it to make the infected machine call back to a server they control, open a secure shell, and execute commands.
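Nothing in the article tells you what to look for on a box, but the behaviour it describes (a process that was dropped after initial access, phones home to an attacker's server, and opens its own shell service) is what a first-pass host triage is built to surface. The following is an added example, not code from ThreatWire or Intezer: it parses `ss -tnpH` style socket listings together with each PID's resolved `/proc/<pid>/exe` link and flags processes that hold TCP sockets but run from outside the usual system directories, run from a binary that has been deleted from disk, or run under a name that does not match their binary. All sample data, the process name `kworkerd`, the path under `/var/tmp`, and the `TRUSTED_DIRS` list are constructed assumptions for illustration.

```python
"""Host triage helper (added example, not Intezer's or ThreatWire's code).

Given `ss -tnpH` output and each PID's resolved /proc/<pid>/exe link, flag
processes that hold TCP sockets but whose executable does not live in a
standard system directory, has been deleted from disk, or runs under a name
that does not match its binary. Post-exploitation implants that call back to a
C2 server or expose their own shell service tend to trip at least one of these.
All sample data below is constructed for illustration.
"""
import os
import re
from dataclasses import dataclass, field

# Assumption: directories where package-managed binaries normally live.
# Adjust for the distribution being examined.
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/lib64/",
                "/usr/libexec/", "/bin/", "/sbin/", "/opt/")

# One `ss -tnpH` line: State Recv-Q Send-Q Local Peer users:((...))
SS_LINE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\((.*)\)\s*$")
SS_USER = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


@dataclass
class Socket:
    state: str
    local: str
    peer: str
    pid: int
    comm: str  # process name as printed by ss (truncated to 15 chars by the kernel)


@dataclass
class Finding:
    pid: int
    comm: str
    exe: str
    reasons: list = field(default_factory=list)
    sockets: list = field(default_factory=list)


def parse_ss(text: str) -> list[Socket]:
    """Parse `ss -tnpH` style lines; one Socket per (socket, owning process) pair."""
    out = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header or malformed line
        state, local, peer, users = m.groups()
        for comm, pid in SS_USER.findall(users):
            out.append(Socket(state, local, peer, int(pid), comm))
    return out


def triage(sockets: list[Socket], exe_by_pid: dict[int, str]) -> dict[int, Finding]:
    """Return suspicious PIDs keyed by pid. exe_by_pid mimics readlink(/proc/<pid>/exe)."""
    findings: dict[int, Finding] = {}
    for s in sockets:
        exe = exe_by_pid.get(s.pid, "")
        reasons = []
        if not exe:
            reasons.append("no readable exe link")
        else:
            path = exe.removesuffix(" (deleted)")
            if exe.endswith(" (deleted)"):
                reasons.append("executable deleted from disk")
            if not path.startswith(TRUSTED_DIRS):
                reasons.append("executable outside trusted system directories")
            if os.path.basename(path) != s.comm:
                reasons.append(f"process name {s.comm!r} differs from binary "
                               f"{os.path.basename(path)!r}")
        if reasons:
            f = findings.setdefault(s.pid, Finding(s.pid, s.comm, exe, reasons))
            f.sockets.append(f"{s.state} {s.local} -> {s.peer}")
    return findings


# Constructed `ss -tnpH` output: the two sshd sockets are benign; "kworkerd"
# (an invented name chosen to look like a kernel thread) has an outbound
# connection and its own listener.
SAMPLE_SS = """\
ESTAB  0 0   10.0.0.5:22    10.0.0.9:51234  users:(("sshd",pid=812,fd=4))
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*       users:(("sshd",pid=701,fd=3))
ESTAB  0 0   10.0.0.5:49810 203.0.113.7:443 users:(("kworkerd",pid=2231,fd=5))
LISTEN 0 128 0.0.0.0:2222   0.0.0.0:*       users:(("kworkerd",pid=2231,fd=6))
"""
# Constructed readlink(/proc/<pid>/exe) results.
SAMPLE_EXE = {701: "/usr/sbin/sshd", 812: "/usr/sbin/sshd",
              2231: "/var/tmp/.cache/kworkerd (deleted)"}

if __name__ == "__main__":
    for f in triage(parse_ss(SAMPLE_SS), SAMPLE_EXE).values():
        print(f"pid {f.pid} ({f.comm}) exe={f.exe}")
        for r in f.reasons:
            print("  -", r)
        for sock in f.sockets:
            print("   ", sock)
```

One caveat worth keeping in mind: the article says the framework installs rootkits, and a rootkit's whole purpose is to make `ss`, `ps` and `/proc` lie to you. Treat a clean result from this kind of check as weak evidence only, and cross-check against a view the implant cannot edit, such as a packet capture taken from a network tap or a disk image examined offline.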

What Intezer has compiled so far is only a small part of the framework, so they are still analyzing everything Lightning Framework can do. In their blog post the researchers note that they don't have all of the files the framework references, and they hope to obtain the full picture by publicly sharing the information they've gathered so far.

LINKS:

https://arstechnica.com/information-technology/2022/07/newly-found-lightning-framework-offers-a-plethora-of-linux-hacking-capabilities/

https://www.ibm.com/downloads/cas/ADLMYLAZ

https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/
