A new strain of malware targeting the Amazon Web Services (AWS) Lambda serverless computing platform has been detected.
Called “Denonia,” after the name of the domain it communicates with, “the malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls,” Cado Labs researcher Matt Muir said.
The cybersecurity firm analysed the artifact, which was uploaded to the VirusTotal database on February 25, 2022, named “python” and packaged as a 64-bit ELF executable.
But the filename is misleading: Denonia is written in Go and bundles a customised variant of the XMRig cryptocurrency-mining software. The initial access method is unknown, although it is probable that compromised AWS access and secret keys were used.
The malware also uses DNS over HTTPS (DoH) to communicate with its command-and-control server (“gw.denonia[.]xyz”), hiding the DNS lookups inside encrypted HTTPS traffic.
Amazon shared a statement in which it pointed out that “Lambda is secure by default, and AWS continues to operate as designed,” and that users contravening its acceptable use policy (AUP) will be prohibited from using its services.
Denonia appears to have been designed specifically to target AWS Lambda, since it checks for Lambda environment variables before executing, but it can also run in a Linux server environment.
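The traits described above (an ELF binary named like an interpreter, built with Go, carrying miner strings, DoH resolver names and Lambda environment-variable checks) can be turned into a simple triage check over a Lambda deployment package. The following is an added example for defenders, not code from Cado Labs or the article; the DoH resolver hostnames, miner strings and the fake sample package are assumptions and constructed data, not indicators taken from the Denonia samples.

```python
import io
import re
import zipfile

ELF_MAGIC = b"\x7fELF"
# String families worth flagging in a native binary found inside a Lambda package.
# Resolver names are well-known public DoH endpoints (assumption, not from the samples).
SUSPICIOUS_STRINGS = {
    "go_binary": rb"Go build ID|go\.buildid|runtime\.main",
    "denonia_c2": rb"denonia",
    "miner": rb"xmrig|stratum\+tcp|stratum\+ssl",
    "doh_resolver": rb"dns\.google|cloudflare-dns\.com|/dns-query",
    "lambda_env": rb"AWS_LAMBDA_|LAMBDA_TASK_ROOT",
}
INTERPRETER_NAMES = {"python", "python3", "node", "sh", "bash"}

def classify_elf(data: bytes):
    """Return 'ELF64', 'ELF32' or None from the ELF header (byte 4 is the class)."""
    if len(data) < 5 or data[:4] != ELF_MAGIC:
        return None
    return {1: "ELF32", 2: "ELF64"}.get(data[4], "ELF?")

def scan_lambda_package(zip_bytes: bytes) -> list:
    """Report every native executable in a deployment zip with its indicator hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            elf_class = classify_elf(data)
            if elf_class is None:
                continue  # scripts and data files are not of interest here
            hits = sorted(k for k, pat in SUSPICIOUS_STRINGS.items() if re.search(pat, data))
            # a native binary named like an interpreter mirrors the "python" sample
            masquerade = info.filename.rsplit("/", 1)[-1] in INTERPRETER_NAMES
            findings.append({"file": info.filename, "class": elf_class,
                             "masquerade": masquerade, "indicators": hits})
    return findings

def build_sample_package() -> bytes:
    """Constructed sample: a benign handler plus a fake 64-bit ELF named 'python'
    that embeds Go, C2, miner, DoH and Lambda marker strings (not a real binary)."""
    fake_elf = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 +
                b'Go build ID: "x" gw.denonia.xyz xmrig cloudflare-dns.com/dns-query '
                b"AWS_LAMBDA_FUNCTION_NAME")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lambda_function.py", "def handler(event, context):\n    return 'ok'\n")
        zf.writestr("bin/python", fake_elf)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_lambda_package(build_sample_package()):
        print(finding)
```

Run it against a real package (e.g. the zip returned by `aws lambda get-function`) by passing its bytes to `scan_lambda_package`; a hit on `masquerade` together with `go_binary` and `miner` is the pattern the article describes.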
“The software described by the researcher does not exploit any weakness in Lambda or any other AWS service,” the company said. “Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself.”
However, “python” isn’t the only Denonia sample unearthed so far: Cado Labs found a second sample (named “bc50541af8fe6239f0faa7c57a44d119.virus”) that was uploaded to VirusTotal on January 3, 2022.
“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” Muir said.