Michael Paulyn

Using a New Linux Malware Framework, Attackers can Secretly Install Rootkits

A never-before-seen, modular Linux malware capable of installing rootkits has earned the nickname "Swiss Army Knife."

This newly discovered Linux threat, dubbed Lightning Framework by Intezer, is one of the most sophisticated frameworks yet built for targeting Linux systems, owing to the sheer number of capabilities it packs.

In a new report by Intezer researcher Ryan Robinson, "the framework offers both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration."

The malware's primary components are a downloader module ("kbioset") and a core module ("kkdmflush"). The downloader is designed to fetch at least seven different plugins from a remote server, the same server the core component later contacts.

The downloader is also responsible for ensuring the persistence of the framework's core module. According to Robinson, "the downloader module's primary duty is to retrieve the other components and run the core module."

While hiding its presence on the compromised machine, the core module communicates with the command-and-control (C2) server to fetch the commands needed to execute the plugins.

Among the notable commands it receives from the server are instructions to run shell commands, upload files to the C2 server, write arbitrary data to files, update itself, and even delete itself from the infected host.

Persistence is strengthened further by creating an activation script that runs at boot, effectively causing the downloader to be launched automatically.
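A defender-side illustration of the boot-time persistence described above, added here as an example and not code from this post or from Intezer's report: it checks the contents of common boot-time locations (generic, assumed paths; the report's actual file paths are not given on this page) for references to the two component names the post mentions, kbioset and kkdmflush, over constructed sample file contents.

```python
import re
from typing import Dict, List

# Component names reported on this page (downloader and core module).
LIGHTNING_COMPONENTS = ("kbioset", "kkdmflush")

# Boot-time locations a defender would review for an activation script.
# These are generic persistence locations, assumed for the example,
# not paths taken from the report.
BOOT_LOCATIONS = (
    "/etc/rc.local",
    "/etc/rc.d/rc.local",
    "/etc/init.d/",
    "/etc/systemd/system/",
    "/etc/cron.d/",
    "/etc/profile.d/",
)


def scan_boot_scripts(files: Dict[str, str]) -> List[dict]:
    """Return findings for boot-time files that reference a known component name.

    `files` maps a path to its text content; in a real hunt you would read
    these from disk. Each finding records the path, line number, the
    component matched and the offending line so an analyst can triage it.
    """
    pattern = re.compile("|".join(map(re.escape, LIGHTNING_COMPONENTS)))
    findings = []
    for path, content in files.items():
        if not path.startswith(BOOT_LOCATIONS):
            continue  # not a boot-time location, skip
        for lineno, line in enumerate(content.splitlines(), start=1):
            match = pattern.search(line)
            if match:
                findings.append({"path": path, "line": lineno,
                                 "component": match.group(0),
                                 "text": line.strip()})
    return findings


# Constructed sample: a benign unit file, an rc.local that launches the
# downloader from a hypothetical path, and a non-boot file to be ignored.
SAMPLE_FILES = {
    "/etc/systemd/system/backup.service": "[Service]\nExecStart=/usr/local/bin/backup.sh\n",
    "/etc/rc.local": "#!/bin/sh\n/opt/example/kbioset &\nexit 0\n",
    "/home/user/notes.txt": "kkdmflush mentioned in a report\n",
}

if __name__ == "__main__":
    for f in scan_boot_scripts(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} references {f['component']}: {f['text']}")
```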

As Robinson said, "The Lightning Framework is an interesting malware because it is unusual to see such a huge framework designed for targeting Linux."

Following BPFDoor, Symbiote, Syslogk, and OrBit, Lightning Framework is the sixth Linux malware strain to be detected in as little as three months.

Hungry for more? Join me each week, where I'll break down complex topics and dissect the latest news within the cybersecurity industry and blockchain ecosystem, simplifying the tech world.
