Researchers have published a technical analysis of Lightning Framework, an undetected Linux threat.
The Lightning Framework has a modular structure, consisting of a downloader and a core module, with a number of plugins.
A modular architecture makes adding new capabilities easier, since an update to a plugin should not affect the core or any other plugins. It also benefits malware authors: if detection is based on one of the plugins, then replacing the plugin that triggered the detection may allow the malware to stay under the radar for a bit longer.
The main function of the downloader module is to fetch the other components and execute the core module. The framework makes heavy use of typo-squatting and masquerading in order to remain undetected.
One of the tasks of the core module is to set up persistence. It does this by creating a script that gets executed upon system boot.
The malware uses a timestomping technique to change the timestamp of the script so that it matches the timestamp of one of a few core Linux files.
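A defender-side check for this technique, added here as an example and not part of the original analysis: it flags files whose mtime is far older than their ctime (utime() can rewrite mtime but not the kernel-maintained ctime) or whose mtime exactly matches that of a reference core file. The directory and file names are constructed fixtures, not Lightning Framework artifacts.

```python
# Defender-side heuristic for timestomped persistence scripts. utime() can
# rewrite mtime but never ctime, which the kernel sets on each inode change,
# so mtime far older than ctime, or identical to a core file's, stands out.
import os
import tempfile
import time


def find_timestomped(scan_dirs, reference_files, min_gap_seconds=86400):
    """Return (path, reason) for files under scan_dirs that look timestomped."""
    ref_by_mtime = {}
    for ref in reference_files:
        if os.path.exists(ref):
            ref_by_mtime[os.stat(ref).st_mtime_ns] = ref
    hits = []
    for top in scan_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                st = os.lstat(path)
                reasons = []
                # ctime >> mtime: mtime was rewritten after the last inode change
                if st.st_ctime_ns - st.st_mtime_ns > min_gap_seconds * 10**9:
                    reasons.append("mtime far older than ctime")
                # exact mtime collision with a reference system file
                if st.st_mtime_ns in ref_by_mtime:
                    reasons.append("mtime equals " + ref_by_mtime[st.st_mtime_ns])
                if reasons:
                    hits.append((path, "; ".join(reasons)))
    return hits


def build_fixture():
    """Constructed sample: a fake core file, one stomped and one clean boot script."""
    base = tempfile.mkdtemp()
    core = os.path.join(base, "core_bin")       # stands in for a core Linux file
    init_dir = os.path.join(base, "init.d")     # stands in for a boot-script directory
    os.mkdir(init_dir)
    stomped = os.path.join(init_dir, "persist.sh")
    clean = os.path.join(init_dir, "legit.sh")
    for p in (core, stomped, clean):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    year_ago_ns = int(time.time() - 365 * 86400) * 10**9
    os.utime(core, ns=(year_ago_ns, year_ago_ns))   # old, legitimately installed file
    ref_ns = os.stat(core).st_mtime_ns
    os.utime(stomped, ns=(ref_ns, ref_ns))          # simulated timestomp of the script
    return init_dir, core, stomped, clean
```

Package managers often preserve archive mtimes, so on a real host the ctime gap rule needs an allowlist or should be limited to boot-script and cron directories; the mtime-collision rule is the stronger signal.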
The framework uses a rootkit to hide its Process ID and any related network ports. The rootkit can scrub any reference to files running in the framework.
The C2 server address is stored in an encoded configuration file that is unique for every single creation, and communication with the C2 is over TCP sockets.
The Linux.Plugin.Lightning.Sshd plugin is an OpenSSH daemon that includes hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor.
This research was conducted and documented by researchers from Intezer.
Indicators Of Compromise