Denonia: First Malware Targeting AWS Lambda

Researchers have come across what appears to be the first piece of malware designed to specifically target AWS Lambda environments.

The malware, called Denonia based on the name of a domain with which it communicates, was discovered by researchers at Cado Security, who found samples uploaded to VirusTotal in January and late February. Currently, the samples are detected by about half of the security vendors on VirusTotal.

Denonia is written in Go and currently appears to be used for mining cryptocurrency, specifically Monero (XMR), using a custom version of the popular XMRig mining software.

AWS describes Lambda as an “event-driven, serverless computing service that allows you to run code for virtually any type of application or back-end service without provisioning or managing servers.”

Cado noted that AWS protects the underlying Lambda runtime, but it’s up to customers to protect the functions, making it possible for cybercriminals to deploy such malware.

An analysis of Denonia showed that the malware is designed to run in Lambda environments, but it is not yet clear how it is deployed to them.

“It may simply be a matter of compromising AWS Access and Secret Keys and then manually deploying to compromised Lambda environments, as we’ve seen before with simpler Python scripts,” the Cado researchers explained.

According to the researchers, Denonia uses DNS over HTTPS (DoH) for C&C traffic, which can help it evade detection measures and virtual network access controls.
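Given the deployment path the researchers describe (compromised access keys used to push a function into an account), the check a defender would run over CloudTrail is to flag Lambda function creation or code updates that come from long-lived IAM user access keys or from principals outside the expected deployment pipeline. This is an added example, not code from the article or from Cado; the Lambda event names are real CloudTrail event names, while the records, account ID, principal names and allow-list are constructed.

```python
# Flag Lambda deployment events in CloudTrail that do not come from the
# expected deployment principal, or that use a long-lived IAM user key
# (access key IDs starting with "AKIA"; temporary STS keys start with "ASIA").
DEPLOY_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331v2",
    "UpdateFunctionConfiguration20150331v2",
}

# Constructed sample records (not real logs); real records carry more fields.
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001",
                      "arn": "arn:aws:iam::123456789012:user/ci-deployer"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.4.0",
     "requestParameters": {"functionName": "helper-fn"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/codepipeline"},
     "sourceIPAddress": "codepipeline.amazonaws.com", "userAgent": "codepipeline.amazonaws.com",
     "requestParameters": {"functionName": "orders-api"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000003",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ApiRole/gateway"},
     "sourceIPAddress": "apigateway.amazonaws.com", "userAgent": "apigateway.amazonaws.com",
     "requestParameters": {"functionName": "orders-api"}},
]

# Constructed allow-list: the only principal expected to deploy functions.
ALLOWED_DEPLOYERS = {"arn:aws:sts::123456789012:assumed-role/DeployRole/codepipeline"}


def flag_lambda_deployments(events, allowed_principals):
    """Return one finding per suspicious deployment event, with the reasons."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        if ev.get("eventName") not in DEPLOY_EVENTS:
            continue
        ident = ev.get("userIdentity", {})
        reasons = []
        if ident.get("arn") not in allowed_principals:
            reasons.append("principal not in deployment allow-list")
        if ident.get("accessKeyId", "").startswith("AKIA"):
            reasons.append("long-lived IAM user access key used")
        if reasons:
            findings.append({
                "function": ev.get("requestParameters", {}).get("functionName"),
                "event": ev["eventName"],
                "principal": ident.get("arn"),
                "sourceIP": ev.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings
```

In practice the same check runs as a CloudTrail-to-EventBridge rule or a SIEM query; the allow-list is whatever principals your pipeline actually uses.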

The researchers noted that while this particular piece of malware does not appear to have been widely distributed and has only limited capabilities, its existence demonstrates that attackers are “using advanced cloud-specific knowledge to exploit complex cloud infrastructure and is indicative of potential future, more nefarious attacks.”

Cado has shared indicators of compromise (IoCs), including hashes, C&C domains, and IP addresses.

UPDATE: AWS has issued a statement to provide clarification and dispute some of the claims related to Denonia:

“Lambda is secure by default and AWS continues to function as designed. Customers can run a variety of applications on Lambda, and this is indistinguishable from discovering the ability to run similar software in other on-premises or cloud computing environments. That said, AWS has an Acceptable Use Policy (AUP) that prohibits violation of the security, integrity, or availability of any user, network, computer or communications system, software application, network or computing device, and anyone who violates our AUP will not be allowed to use our services.”

“The software described by the researcher does not exploit any weaknesses in Lambda or any other AWS service. Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of the facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system on its own. What’s more, the researchers even admit that this software does not access Lambda, and that when run outside of Lambda in a standard Linux server environment, the software works in a similar way. It is also important to note that the researchers clearly state on their own blog that Lambda provides enhanced security compared to other computing environments: ‘Under the AWS Shared Responsibility Model, AWS protects the underlying execution environment of Lambda, but relies on the client to secure the functions themselves’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment.’”

Related: DoH makes it harder to track botnets

Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls

Related: New Modem Wiper Malware May Be Connected to Viasat Hack

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before beginning a career in journalism as a security news reporter for Softpedia. Eduard has a degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.
