New Malware Targeting AWS Lambda, Cryptominer, Emerges

For the first time, malware specifically developed using cryptominers and targeting the Amazon Web Services (AWS) Lambda cloud environment has been discovered.

AWS Lambda is a serverless computing platform for executing code for hundreds of AWS services and software as a service (SaaS) apps without having to manage servers.

This new malware, named Denonia by Cado Security after it was discovered being used in a limited attack, is a Go-based wrapper designed to deploy custom XMRig cryptominers to mine the Monero cryptocurrency.

The sample analyzed this time is a 64-bit ELF executable for x86-64 systems that was uploaded to VirusTotal in February; a second sample was uploaded a month earlier, in January, indicating that these attacks have been going on for at least several months.

While this first sample is fairly innocuous in that it only runs crypto-mining software, it shows how attackers can use advanced cloud-specific knowledge to exploit complex cloud infrastructure, and it suggests the possibility of more malicious attacks in the future.

Likely deployed using stolen keys

Cado Security was unable to determine how the attacker deployed the malware in the compromised environment.

Using stolen keys is a technique previously used to deliver bash scripts designed to download and run miners.

While such a controlled execution environment reduces the attack surface, it also means that misplaced or stolen credentials can quickly lead to large financial losses, because potential breaches are difficult to detect.

Under the AWS Shared Responsibility Model, AWS protects the underlying Lambda execution environment, but it is up to the customer to protect the functions themselves.
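Because the likely entry point is a stolen key used to deploy code into Lambda, one practical check on the customer side of that model is to review CloudTrail for Lambda code deployments made by principals other than the expected deployment pipeline. The following is an added example written for this article, not code from Cado Security or from the article; the CloudTrail records, the account ID 123456789012, the role and user names and the IP addresses are all constructed, and the set of "expected" deployer ARNs is an assumption you would replace with your own CI role.

```python
import json

# Lambda control-plane API calls that create or change function code or
# configuration. CloudTrail records these eventName values with an API-version
# suffix.
DEPLOY_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331v2",
    "UpdateFunctionConfiguration20150331v2",
}


def suspicious_lambda_deploys(records, expected_arns):
    """Return Lambda deployment events made by a principal outside expected_arns.

    records: list of CloudTrail record dicts (the "Records" array of a log file).
    expected_arns: set of principal ARNs that are allowed to deploy code,
    e.g. the assumed-role ARN of the CI/CD pipeline (an assumption here).
    """
    hits = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") not in DEPLOY_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "")
        if arn in expected_arns:
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "event": rec.get("eventName"),
            "principal": arn,
            "identity_type": ident.get("type"),
            # A long-term IAM user key (AKIA...) deploying code is worth a look:
            # it is the kind of credential that gets leaked or stolen.
            "access_key": ident.get("accessKeyId"),
            "source_ip": rec.get("sourceIPAddress"),
            "function": rec.get("requestParameters", {}).get("functionName"),
        })
    return hits


# Constructed CloudTrail records: one expected pipeline deploy, one deploy by a
# developer's IAM user key from an unfamiliar address, and one unrelated call.
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventTime": "2022-02-10T08:01:12Z", "eventSource": "lambda.amazonaws.com",
   "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "10.20.30.40",
   "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEPIPELINE",
     "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-4711"},
   "requestParameters": {"functionName": "billing-export"}},
  {"eventTime": "2022-02-11T02:47:55Z", "eventSource": "lambda.amazonaws.com",
   "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLELEAKEDKEY",
     "arn": "arn:aws:iam::123456789012:user/dev-laptop"},
   "requestParameters": {"functionName": "billing-export"}},
  {"eventTime": "2022-02-11T02:48:10Z", "eventSource": "lambda.amazonaws.com",
   "eventName": "GetFunction20150331v2", "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLELEAKEDKEY",
     "arn": "arn:aws:iam::123456789012:user/dev-laptop"},
   "requestParameters": {"functionName": "billing-export"}}
]}
""")

EXPECTED_DEPLOYERS = {
    "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-4711",
}


def demo():
    """Run the check over the constructed records and return the findings."""
    return suspicious_lambda_deploys(SAMPLE_TRAIL["Records"], EXPECTED_DEPLOYERS)


if __name__ == "__main__":
    for hit in demo():
        print(json.dumps(hit))
```

In practice the record source would be the CloudTrail log files in S3 or a CloudWatch Logs subscription rather than an embedded string, and the expected-deployer set would be matched on the role's session-independent prefix rather than one exact session name. The point of the check is the one the article makes: on Lambda the execution environment is AWS's problem, but who is allowed to put code into your functions is yours.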

Compatible with Linux systems

While Denonia is clearly designed to target AWS Lambda, since it checks for Lambda environment variables before execution, Cado Security confirmed that it also runs without problems on at least some other Linux systems (such as Amazon Linux boxes).

The malware also uses DNS over HTTPS (DoH) to perform DNS lookups over encrypted HTTPS connections instead of regular plain text DNS queries.

This also hampers attempts to inspect the malicious traffic, since only connections to Cloudflare's and Google's DoH resolvers are revealed.
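The flip side of that evasion is that a workload which has no business talking to a public DoH resolver becomes conspicuous when it does. The following is an added detection example written for this article, not code from Cado Security or the article: it parses VPC Flow Log records in the default format and flags TCP/443 flows to the well-known Cloudflare (1.1.1.1, 1.0.0.1) and Google (8.8.8.8, 8.8.4.4) resolver addresses. The log lines, account ID and interface ID are constructed. It assumes the Lambda function is attached to a VPC, because only then does its egress traverse an ENI that Flow Logs can see; a function outside a VPC produces no flow records in your account, which is a caveat to keep in mind before relying on this check.

```python
# Public resolver addresses that also serve DNS over HTTPS on TCP/443.
DOH_RESOLVER_IPS = {
    "1.1.1.1": "Cloudflare DoH",
    "1.0.0.1": "Cloudflare DoH",
    "8.8.8.8": "Google DoH",
    "8.8.4.4": "Google DoH",
}

# Field order of the default VPC Flow Log format (version 2).
FLOW_FIELDS = [
    "version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
    "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]


def parse_flow_record(line):
    """Split one default-format flow log line into a dict, or return None
    if the line does not have the expected 14 fields."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    return dict(zip(FLOW_FIELDS, parts))


def find_doh_flows(lines):
    """Return flows to a known DoH resolver on TCP/443.

    Plain DNS to the same addresses (UDP/53) is deliberately not flagged; it
    is ordinary traffic. Both ACCEPT and REJECT are returned, since a rejected
    attempt still tells you something tried to reach the resolver.
    """
    hits = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["protocol"] != "6" or rec["dstport"] != "443":
            continue
        resolver = DOH_RESOLVER_IPS.get(rec["dstaddr"])
        if resolver is None:
            continue
        hits.append({
            "eni": rec["eni"],
            "src": rec["srcaddr"],
            "dst": rec["dstaddr"],
            "resolver": resolver,
            "bytes": int(rec["bytes"]),
            "action": rec["action"],
        })
    return hits


# Constructed flow log lines from a VPC-attached function's ENI: a DoH session
# to Cloudflare, plain DNS to Google, normal HTTPS to an unrelated host, and a
# rejected DoH attempt to Google.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0abc1234 10.0.1.25 1.1.1.1 49152 443 6 12 2460 1644600000 1644600060 ACCEPT OK",
    "2 123456789012 eni-0abc1234 10.0.1.25 8.8.8.8 53211 53 17 2 180 1644600000 1644600060 ACCEPT OK",
    "2 123456789012 eni-0abc1234 10.0.1.25 52.94.76.10 51000 443 6 30 9000 1644600000 1644600060 ACCEPT OK",
    "2 123456789012 eni-0abc1234 10.0.1.25 8.8.4.4 51044 443 6 1 60 1644600000 1644600060 REJECT OK",
]


def demo():
    """Run the detector over the constructed sample and return the findings."""
    return find_doh_flows(SAMPLE_FLOW_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

This is a coarse heuristic: it catches the two resolvers the article names, not DoH to an arbitrary endpoint, and it only sees traffic from functions you have placed in a VPC. Its value is as a baseline: if your functions are known to resolve names through the VPC resolver, any hit here is worth a look.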
