New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems

News

A never-before-seen Linux malware has been dubbed a “Swiss Army Knife” for its modular architecture and its capability to install rootkits.

This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems.

“The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration,” Intezer researcher Ryan Robinson said in a new report published today.


Central to the malware are a downloader (“kbioset”) and a core module (“kkdmflush”); the downloader is engineered to retrieve at least seven different plugins from a remote server, which are subsequently invoked by the core component.

The downloader is also responsible for establishing the persistence of the framework’s main module. “The main function of the downloader module is to fetch the other components and execute the core module,” Robinson noted.

The core module, for its part, establishes contact with the command-and-control (C2) server to fetch necessary commands required to execute the plugins, while also taking care to hide its own presence in the compromised machine.

Some of the notable commands received from the server enable the malware to fingerprint the machine, run shell commands, upload files to the C2 server, write arbitrary data to file, and even update and remove itself from the infected host.

It further sets up persistence by creating an initialization script that’s executed upon system boot, effectively allowing the downloader to be automatically launched.
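The boot-time persistence described above is something a defender can hunt for directly. The script below is an added example written for this article, not code from Intezer or from the report; it searches init-style scripts for the two component names the article gives (“kbioset” and “kkdmflush”). The article does not say where the framework writes its initialization script, so the directories scanned on a live host are assumptions, and the sample scripts are constructed data used to show the output offline.

```python
"""
Hunt for boot-time scripts that reference the Lightning Framework component
names reported by Intezer: the "kbioset" downloader and the "kkdmflush" core.

Added example, not code from the article or from Intezer. The directory list
and the sample scripts are assumptions/constructed data; only the two file
names come from the report. A hit is a lead to investigate, not proof of
infection, since any script may legitimately contain a string.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Component names given in the report (downloader and core module).
KNOWN_COMPONENTS = ("kbioset", "kkdmflush")

# Assumed locations of boot-time scripts on a typical Linux host. The article
# does not state where the framework drops its init script.
BOOT_SCRIPT_DIRS = (
    "/etc/init.d",
    "/etc/rc.d",
    "/etc/systemd/system",
    "/lib/systemd/system",
    "/etc/cron.d",
)
BOOT_SCRIPT_FILES = ("/etc/rc.local",)

# (path, line_number, line_text)
Hit = Tuple[str, int, str]


def _pattern(indicators: Iterable[str]) -> "re.Pattern[str]":
    # Word-boundary match so an indicator does not match inside a longer,
    # unrelated name.
    return re.compile(r"\b(" + "|".join(re.escape(i) for i in indicators) + r")\b")


def scan_text(path: str, text: str, indicators=KNOWN_COMPONENTS) -> List[Hit]:
    """Return one Hit for every line of `text` that mentions an indicator."""
    pat = _pattern(indicators)
    return [
        (path, n, line)
        for n, line in enumerate(text.splitlines(), start=1)
        if pat.search(line)
    ]


def scan_scripts(scripts: Dict[str, str], indicators=KNOWN_COMPONENTS) -> List[Hit]:
    """Scan an in-memory {path: contents} mapping (used for the sample below)."""
    hits: List[Hit] = []
    for path, text in scripts.items():
        hits.extend(scan_text(path, text, indicators))
    return hits


def scan_host(dirs=BOOT_SCRIPT_DIRS, files=BOOT_SCRIPT_FILES,
              indicators=KNOWN_COMPONENTS) -> List[Hit]:
    """Read boot-time scripts from the live filesystem and scan them."""
    candidates = list(files)
    for d in dirs:
        if os.path.isdir(d):
            candidates.extend(os.path.join(d, name) for name in os.listdir(d))
    scripts: Dict[str, str] = {}
    for p in candidates:
        if not os.path.isfile(p):
            continue
        try:
            with open(p, "r", errors="replace") as fh:
                scripts[p] = fh.read()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    return scan_scripts(scripts, indicators)


# Constructed sample: one benign unit file and one init script that launches
# the downloader at boot, mirroring the persistence the article describes.
SAMPLE_SCRIPTS = {
    "/etc/systemd/system/networking.service": (
        "[Unit]\nDescription=Raise network interfaces\n"
        "[Service]\nExecStart=/sbin/ifup -a\n"
    ),
    "/etc/init.d/kbio-helper": (
        "#!/bin/sh\n"
        "# constructed: mimics an init script that starts the downloader\n"
        "/usr/bin/kbioset &\n"
    ),
}

if __name__ == "__main__":
    for path, n, line in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{path}:{n}: {line}")
```

Run as-is it reports the single constructed hit; on a real host, call `scan_host()` (as root, so every script is readable) and review each flagged line by hand. Extend `KNOWN_COMPONENTS` only with indicators you have confirmed from the source report.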


“The Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux,” Robinson pointed out.

The discovery of Lightning Framework makes it the fifth Linux malware strain to be unearthed in a short period of three months after BPFDoor, Symbiote, Syslogk, and OrBit.
