Denonia malware targets AWS Lambda

A first-of-its-kind malware dubbed Denonia has been targeting Amazon Web Services (AWS) Lambda, an event-driven, serverless computing platform.

Researchers from Cado Labs discovered the “first publicly-known” Denonia malware, which is named after the attackers' domain that it communicated with.

“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” Matt Muir of Cado Labs wrote in a blog post.

Muir noted the malware was written in Go and appeared to contain a customized variant of the XMRig cryptocurrency CPU mining software, as well as other functions.

The third-party Go libraries Cado Labs observed during the malware analysis include ones for DNS over HTTPS, tools for writing Lambda functions, and the general AWS SDK for Golang, to name a few.

Interestingly, DNS over HTTPS (DoH) can be used by attackers to encrypt DNS queries and send out requests as HTTPS traffic to DoH resolvers. As a result, the DNS lookup traffic to malicious domains could potentially stay hidden from normal AWS monitoring that could otherwise trigger an alert of malicious activity.

Cado Labs could not confirm how the malware was deployed. However, the researchers surmised it could “be a matter of compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments.”
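
One way a defender could hunt for the deployment path the researchers surmised is to flag Lambda code deployments in CloudTrail that were made with long-term IAM user access keys from outside known networks. This is an added example, not code from the article or from Cado Labs; the trusted network range and the sample records are constructed assumptions.

```python
import ipaddress

# CloudTrail event names for Lambda code deployment.
DEPLOY_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2"}
# Assumption: networks that CI/CD and admins deploy from (documentation range).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def is_trusted(source):
    """True only for an IP inside a trusted network; hostnames never match."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_deployments(records):
    """Flag Lambda deployments made with long-term IAM user keys (AKIA...)
    from outside the trusted networks."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") not in DEPLOY_EVENTS:
            continue
        ident = rec.get("userIdentity") or {}
        key = ident.get("accessKeyId") or ""
        long_term = ident.get("type") == "IAMUser" and key.startswith("AKIA")
        if long_term and not is_trusted(rec.get("sourceIPAddress") or ""):
            params = rec.get("requestParameters") or {}
            findings.append({"time": rec.get("eventTime"), "event": rec["eventName"],
                             "user": ident.get("userName"), "key": key,
                             "source": rec.get("sourceIPAddress"),
                             "function": params.get("functionName"),
                             "error": rec.get("errorCode")})
    return findings

def _rec(name, itype, key, ip, src="lambda.amazonaws.com", fn="demo-fn"):
    """Build a constructed, trimmed CloudTrail record for the sample below."""
    return {"eventTime": "2024-01-01T10:00:00Z", "eventSource": src, "eventName": name,
            "sourceIPAddress": ip, "requestParameters": {"functionName": fn},
            "userIdentity": {"type": itype, "accessKeyId": key, "userName": "deploy-user"}}

# Constructed sample records, not taken from the Cado Labs report.
SAMPLE = [
    _rec("CreateFunction20150331", "IAMUser", "AKIAIOSFODNN7EXAMPLE", "203.0.113.45"),
    _rec("UpdateFunctionCode20150331v2", "AssumedRole", "ASIAEXAMPLEKEY000000", "203.0.113.9"),
    _rec("UpdateFunctionCode20150331v2", "IAMUser", "AKIAIOSFODNN7EXAMPLE", "198.51.100.7"),
    _rec("ListUsers", "IAMUser", "AKIAIOSFODNN7EXAMPLE", "203.0.113.45", src="iam.amazonaws.com"),
]

if __name__ == "__main__":
    for finding in suspicious_deployments(SAMPLE):
        print(finding)
```

Failed calls are reported too, with `error` set, since denied deployment attempts with a long-term key are also worth reviewing.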
