Residence › Cyberwarfare

Intezer Paperwork Highly effective ‘Lightning Framework’ Linux Malware

By Ionut Arghire on July 22, 2022

Tweet

Safety researchers at Intezer are documenting the invention of a strong piece of Linux malware that may keep undetected and has the flexibility to put in rootkits.

Dubbed Lightning Framework, the menace is described as a Swiss Military Knife-like piece of malware that has a modular design and a plethora of capabilities not often seen in malware concentrating on Linux programs.

The malware structure features a downloader, a core module, and a number of plugins that increase its performance, a few of that are open supply instruments, in response to documentation printed by Intezer.

The framework makes use of completely different modules for persistence, SSH connection (utilizing OpenSSH with hardcoded keys), community visitors evaluation (open supply Nethogs) and remark (iftop), and IP community monitoring (IPTraf). Two rootkit modules are additionally referenced within the framework’s code.

The an infection chain begins with the downloader module executing the core module and dropping further parts.

[ READ: How Linux Became the New Bullseye for Bad Guys ]

The downloader checks if it runs from a selected working listing and relocates itself to it if not, and may fingerprint the host title and community adapters – to generate a GUID that it sends to the command-and-control (C&C) server.

In response to Intezer, the malware makes an attempt to stay undetected through the use of typosquatting and masquerading with referencing seahorses to masquerade the seahorse password and key supervisor.

Lightning’s core module can execute plugins, helps instructions acquired from the C&C server, and achieves persistence by making a script to run the downloader at system boot. It additionally generates a GUID utilizing the identical method because the downloader.

To keep away from detection, the malware adjustments the title of the calling thread to kdmflush – to pose as a kernel thread, modifies the timestamps of the persistency script and of different information to match that of whoami, discover, or su, and hides its Course of ID (PID) and associated community ports.

Primarily based on instructions from the server, the core module can fingerprint the machine, run shell instructions, execute plugins, test entry to a file, confirm and write file contents, delete information or paths, terminate its course of, take away the framework, replace the framework utilizing the downloader, fetch a configuration file, overwrite information, or write one of many two rootkits.

Lightning makes use of TCP sockets for community communication, with the C&C saved in a polymorphic encoded configuration file distinctive for every creation, to keep away from detection. A passive communication mode can be supported, utilizing the OpenSSH daemon with hardcoded keys, which primarily creates a secondary backdoor.

Associated: Avast: New Linux Rootkit and Backdoor Align Completely

Associated: Extremely-Evasive Linux Malware ‘Symbiote’ Infects All Working Processes

Associated: Chinese language Researchers Element Linux Backdoor of NSA-Linked Equation Group

Associated: How Linux Turned the New Bullseye for Unhealthy Guys 

Get the Each day Briefing

• Most Current
• Most Learn

• SonicWall Warns of Essential GMS SQL Injection Vulnerability
• Chrome Flaw Exploited by Israeli Adware Agency Additionally Impacts Edge, Safari
• Intezer Paperwork Highly effective ‘Lightning Framework’ Linux Malware
• New Default Account Lockout Coverage in Home windows 11 Blocks Brute Power Assaults
• Edge Administration and Orchestration Agency Zededa Raises $26 Million
• New Cross-Platform ‘Luna’ Ransomware Solely Supplied to Russian Associates
• Code Execution and Different Vulnerabilities Patched in Drupal
• Microsoft Resumes Rollout of Macro Blocking Function
• Understanding the Evolution of Cybercrime to Predict its Future
• Romanian Operator of Bulletproof Internet hosting Service Extradited to the US

On the lookout for Malware in All of the Unsuitable Locations?

First Step For The Web’s subsequent 25 years: Including Safety to the DNS

Tattle Story: What Your Pc Says About You

Be in a Place to Act Via Cyber Situational Consciousness

Report Exhibits Closely Regulated Industries Letting Social Networking Apps Run Rampant

2010, A Nice Yr To Be a Scammer.

Do not Let DNS be Your Single Level of Failure

Easy methods to Determine Malware in a Blink

Defining and Debating Cyber Warfare

The 5 A’s that Make Cybercrime so Enticing

Easy methods to Defend Towards DDoS Assaults

Safety Budgets Not in Line with Threats

Anycast – Three Causes Why Your DNS Community Ought to Use It

The Evolution of the Prolonged Enterprise: Safety Methods for Ahead Considering Organizations

Utilizing DNS Throughout the Prolonged Enterprise: It’s Dangerous Enterprise

Orbit Brain

https://orbitbrain.com/

Orbit Brain is the senior science writer and technology expert. Our aim provides the best information about technology and web development designing SEO graphics designing video animation tutorials and how to use software easy ways
and much more. Like Best Service Latest Technology, Information Technology, Personal Tech Blogs, Technology Blog Topics, Technology Blogs For Students, Futurism Blog.