"New 'Lightning Framework' Linux Malware Installs Rootkits, Backdoors"

'Lightning Framework' malware targets Linux systems and can be used to backdoor infected devices via SSH and deploy multiple types of rootkits. Lightning Framework, described as a "Swiss Army Knife" in a report published by Intezer, is a modular malware that also supports plugins. According to Intezer security researcher Ryan Robinson, the framework has both passive and active communication capabilities with the threat actor, including the ability to open SSH on an infected machine, as well as a polymorphic malleable command and control configuration. This malware has not yet been detected in the wild, and some of its components have yet to be discovered and analyzed.

Lightning Framework has a simple design: it contains a downloader component that downloads and installs the malware's other modules and plugins, including its core module, on infected Linux devices. To avoid detection on infected systems, the malware employs typosquatting and masquerades as the Seahorse GNOME password and encryption key manager. The malware retrieves its plugins and core module after connecting to its command-and-control (C2) server via TCP sockets, using C2 information stored in undetectable polymorphic encoded configuration files. The core module is the main module of the framework; the malware uses it to receive commands from its C2 server and to execute its plugins.

This article continues to discuss the structure, capabilities, and targets of Lightning Framework malware, as well as the rise in Linux malware.
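The masquerading described above gives defenders a concrete hunting heuristic: a process that calls itself Seahorse (or a near-miss spelling of it) but whose executable does not live where the distribution installs the real one. The script below is an added example written for this summary, not code from the Bleeping Computer article or from Intezer, and it does not use any real Lightning Framework file names. It assumes the genuine binary is installed at `/usr/bin/seahorse` and treats any name within an edit distance of 2 of "seahorse" as a typosquat candidate; both values are assumptions you would tune for your fleet. The sample process table is constructed for the example, and `live_processes()` shows how the same check would be fed from `/proc` on a Linux host.

```python
import os
from typing import Dict, Iterable, Iterator, List, Tuple

# Name the malware impersonates, per the Intezer report summarised above.
LEGIT_NAME = "seahorse"
# Assumed install location of the genuine Seahorse binary (adjust per distro).
LEGIT_PATHS = {"/usr/bin/seahorse"}
# Assumed threshold: how many single-character edits still count as a look-alike.
MAX_EDIT_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_typosquat(name: str, target: str = LEGIT_NAME,
                 max_distance: int = MAX_EDIT_DISTANCE) -> bool:
    """True when `name` is close to `target` but not exactly it."""
    return name != target and edit_distance(name, target) <= max_distance


def flag_processes(processes: Iterable[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Return findings for (pid, comm, exe_path) triples that impersonate Seahorse.

    Two conditions raise a finding:
      * the process name is exactly "seahorse" but the binary is not at an
        expected install path (same name, wrong location);
      * the process name or binary file name is a near-miss spelling of
        "seahorse" (typosquat).
    """
    findings: List[Dict[str, object]] = []
    for pid, comm, exe in processes:
        base = os.path.basename(exe)
        reason = None
        if comm == LEGIT_NAME and exe not in LEGIT_PATHS:
            reason = "exact name, unexpected path"
        elif is_typosquat(comm) or is_typosquat(base):
            reason = "name resembles seahorse"
        if reason:
            findings.append({"pid": pid, "comm": comm, "exe": exe, "reason": reason})
    return findings


def live_processes() -> Iterator[Tuple[int, str, str]]:
    """Yield (pid, comm, exe) for every readable process under /proc (Linux only).

    Note that /proc/<pid>/comm is truncated to 15 characters by the kernel, so
    the binary's basename is checked as well in flag_processes().
    """
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited or we lack permission; skip it
        yield int(entry), comm, exe


# Constructed sample input (not real observations): one genuine Seahorse,
# one same-name binary in an odd location, one look-alike name, one unrelated daemon.
SAMPLE_PROCESSES = [
    (1001, "seahorse", "/usr/bin/seahorse"),
    (1002, "seahorse", "/tmp/.cache/seahorse"),
    (1003, "seahourse", "/home/user/.local/seahourse"),
    (1004, "sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for finding in flag_processes(SAMPLE_PROCESSES):
        print(finding)
    if os.path.isdir("/proc"):
        for finding in flag_processes(live_processes()):
            print("LIVE:", finding)
```

Running the script prints findings for PIDs 1002 and 1003 from the constructed table and then, on a Linux host, repeats the check against the real process list. A path allow-list is deliberately strict: a copy of the genuine binary dropped in a home directory is still worth a look, and the package manager (for example `dpkg -S` or `rpm -qf` on the flagged path) is the natural next verification step.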

Bleeping Computer reports "New 'Lightning Framework' Linux Malware Installs Rootkits, Backdoors"

Submitted by Anonymous on