Lightning Framework is a new undetected ‘Swiss Army Knife’-like Linux malware that has modular plugins and the ability to install rootkits. The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration.
The framework consists of a downloader and a core module, plus a number of plugins, some of which are open-source tools. The framework makes heavy use of typosquatting and masquerading in order to remain undetected. Network communication in the Core and Downloader modules is performed over TCP sockets, with the data structured as JSON. The C2 is stored in a polymorphic encoded configuration file that is unique to every build, so configuration files cannot be detected by hash-based techniques.
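As an added illustration of the last point (this is not code from the report or from the framework itself), the Python below encodes one and the same configuration with a fresh random key on every build, which is a constructed stand-in for the real encoding the page does not describe. It then shows that a file-hash IoC taken from one build misses the next, and contrasts that with a check that works on the decoded content and on the file's entropy, neither of which depends on the exact bytes. The config values, the 16-byte XOR scheme and the entropy threshold are all assumptions for the example.

```python
import hashlib
import json
import math
import os
from typing import Optional

# Constructed sample configuration; the real framework's fields are not on the page.
SAMPLE_CONFIG = {"c2": "c2.example.invalid", "port": 4444, "passive": True}
KEY_LEN = 16


def encode_config(config: dict, key: Optional[bytes] = None) -> bytes:
    """Return key || XOR(json, key). A fresh random key per call makes every
    produced file differ byte-for-byte (constructed stand-in for the real scheme)."""
    key = key or os.urandom(KEY_LEN)
    plain = json.dumps(config, sort_keys=True).encode()
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(plain))
    return key + body


def decode_config(blob: bytes) -> dict:
    """Inverse of encode_config; raises ValueError on non-JSON content."""
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    plain = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))
    return json.loads(plain)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_ioc_match(blob: bytes, known_hashes: set) -> bool:
    """File-hash IoC check: matches only a build that has been seen before."""
    return sha256_hex(blob) in known_hashes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random-looking data scores high, plain text scores low."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_encoded_config(blob: bytes, threshold: float = 4.0) -> bool:
    """Hash-independent detection: once the encoding is understood from analysis,
    decode and look for the C2 structure; otherwise fall back to a small,
    high-entropy file heuristic (threshold is an assumed value for the example)."""
    try:
        cfg = decode_config(blob)
        if isinstance(cfg, dict) and "c2" in cfg:
            return True
    except (ValueError, UnicodeDecodeError):
        pass
    return len(blob) < 4096 and shannon_entropy(blob) > threshold


if __name__ == "__main__":
    build1 = encode_config(SAMPLE_CONFIG)
    build2 = encode_config(SAMPLE_CONFIG)
    iocs = {sha256_hex(build1)}
    print("hash IoC hits build1:", hash_ioc_match(build1, iocs))
    print("hash IoC hits build2:", hash_ioc_match(build2, iocs))
    print("content check build2:", looks_like_encoded_config(build2))
    print("decoded C2:", decode_config(build2)["c2"])
```

The point for detection engineering is that each build is a new hash, so hash lists only ever catch samples already analysed; a rule keyed on the decoded structure, on entropy, or on the loader's behaviour (opening SSH, TCP connections carrying JSON) covers builds not yet seen.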