A first-of-its-kind malware targeting Amazon Web Services’ (AWS) Lambda serverless computing platform has been discovered in the wild.
Dubbed “Denonia” after the name of the domain it communicates with, “the malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls,” Cado Labs researcher Matt Muir said.
The artifact analyzed by the cybersecurity company was uploaded to the VirusTotal database on February 25, 2022, sporting the name “python” and packaged as a 64-bit ELF executable.
However, Denonia’s filename may be misleading as it is written in Go. Denonia also contains a modified version of the XMRig cryptocurrency-mining software. Although it is possible that the initial access mechanism was compromised by Secret Keys and AWS Access, it is not known.
Another notable feature of the malware is its use of DNS over HTTPS (DoH) for communicating with its command-and-control server (“gw.denonia[.]xyz”) by concealing the traffic within encrypted DNS queries.
However, “python” isn’t the only sample of Denonia unearthed so far, what with Cado Labs finding a second sample (named “bc50541af8fe6239f0faa7c57a44d119.virus“) that was uploaded to VirusTotal on January 3, 2022.
” Although this sample runs only crypto-mining software it shows how attackers use advanced cloud-specific information to exploit complex cloud infrastructure. It is also indicative of future, more dangerous attacks,” Muir stated.
