Lemon Communications

A novel malware, the first of its kind targeting Amazon Web Services’ (AWS) Lambda serverless computing platform, has been detected in the wild.

Named “Denonia” after the communicating domain, this malware employs advanced address resolution techniques for command and control traffic, aiming to elude traditional detection methods and virtual network access controls, as highlighted by Cado Labs researcher Matt Muir.

The analyzed artifact, a 64-bit ELF executable that has been on the VirusTotal database since February 25, 2022 under the filename “python”, is misnamed: Denonia is written in Go and bundles a customized version of the XMRig cryptocurrency mining software. The method of initial access remains unclear, but the suspicion is that compromised AWS Access and Secret Keys are involved.

Denonia exhibits a notable characteristic by utilizing DNS over HTTPS (DoH) to communicate with its command-and-control server (“gw.denonia[.]xyz”), concealing traffic within encrypted DNS queries.
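DoH hides the resolved name inside an HTTPS request, so the usual DNS-server logs never see it; the request is still visible, however, at a forward proxy or TLS-inspecting egress point. The following is an added example (not code from the article or from Cado Labs) showing how a defender can flag RFC 8484 DoH requests in proxy log lines and, for GET requests, decode the base64url-encoded DNS query to recover the queried name. The log format, the resolver hostnames and the client addresses are constructed for the example; the `gw.denonia.xyz` name is the C2 domain reported above.

```python
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlparse

# RFC 8484 markers: the well-known path and the media types used by DoH (the
# JSON media type is the de facto variant offered by several public resolvers).
DOH_PATH = "/dns-query"
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}


def build_doh_get_url(resolver: str, qname: str) -> str:
    """Build an RFC 8484 GET URL carrying an A query for qname.

    Used here only to construct realistic sample log data (hypothetical resolver).
    """
    # ID=0 (as RFC 8484 recommends), flags=RD, QDCOUNT=1, other counts 0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    wire = header + question
    # DoH GET uses unpadded base64url in the "dns" query parameter.
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"https://{resolver}{DOH_PATH}?dns={b64}"


def qname_from_dns_param(dns_param: str) -> Optional[str]:
    """Decode the first question name from a base64url DNS wire message."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    if len(raw) < 12:
        return None  # shorter than a DNS header: not a valid message
    qdcount = struct.unpack("!H", raw[4:6])[0]
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while pos < len(raw):
        n = raw[pos]
        if n == 0:
            break
        if n & 0xC0:
            return None  # compression pointer is never valid for a query's first name
        pos += 1
        labels.append(raw[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels) if labels else None


def scan_proxy_log(text: str) -> list:
    """Return one record per DoH-looking request in a simple proxy log.

    Assumed (constructed) line format: <client> <method> <url> <status> <content-type>
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        client, method, url, _status, ctype = parts
        parsed = urlparse(url)
        if ctype not in DOH_CONTENT_TYPES and not parsed.path.endswith(DOH_PATH):
            continue
        qname = None
        dns_vals = parse_qs(parsed.query).get("dns")
        if dns_vals:
            qname = qname_from_dns_param(dns_vals[0])
        hits.append({"client": client, "resolver": parsed.hostname,
                     "method": method, "qname": qname})
    return hits


# Constructed sample log: two ordinary requests and two DoH requests. The GET
# one carries a query for the C2 name named in the article; the POST carries the
# query in its body, which this log format does not record, so only the
# resolver contact is flagged.
SAMPLE_LOG = "\n".join([
    "10.0.1.7 GET https://api.example.com/v1/status 200 text/html",
    f"10.0.1.7 GET {build_doh_get_url('doh.example.net', 'gw.denonia.xyz')} 200 application/dns-message",
    "10.0.1.9 POST https://resolver.example.org/dns-query 200 application/dns-message",
    "10.0.1.7 GET https://cdn.example.com/lib.js 200 application/javascript",
])

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The POST case is the practical caveat: RFC 8484 allows the query in the request body, so a log that records only URLs yields the resolver contact but not the name; recovering the name there requires body inspection at the proxy. Alerting on any DoH request from a workload that should be using the platform resolver is the simpler and more robust control.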

In response to these findings, Amazon emphasized the inherent security of Lambda, stating that it operates as designed by default. Amazon further warned of enforcing its acceptable use policy (AUP) against users violating the policy.

Although Denonia specifically targets AWS Lambda by checking for Lambda environment variables before execution, Cado Labs discovered that it can also operate outside Lambda in a standard Linux server environment.

Amazon clarified that Denonia does not exploit any weakness in Lambda or other AWS services. Because the malware relies solely on fraudulently obtained account credentials and cannot gain unauthorized access on its own, the company argued that categorizing it as malware is inaccurate.

Despite the current sample’s relatively benign crypto-mining focus, Cado Labs identified a second Denonia sample (“bc50541af8fe6239f0faa7c57a44d119.virus”) uploaded to VirusTotal on January 3, 2022. This discovery underscores the potential for future, more malicious attacks leveraging advanced cloud-specific knowledge to exploit complex cloud infrastructure, as noted by Muir.