New Malware Leveraged Cryptominers to Target AWS Lambda
To Avoid Detection, It Employs Modern Address Resolution Algorithms for C&C Communications.
A cryptomining malware designed particularly to target Amazon Web Services (AWS) Lambda cloud systems has been recently identified by security experts.
Denonia is the name attributed by security researchers from Cado Security to the identified malware, which is a Go-based wrapper built for XMRig cryptominer deployment purposes in order to mine for Monero cryptocurrency. According to researchers, it has been employed in a few cyberattacks.
The experts also discovered a 64-bit ELF executable for x86-64 platforms that was uploaded to VirusTotal in February. They also identified a second sample that had been uploaded a month before, in January, indicating that the attacks had been ongoing for at least a few months.
We found the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment. We named this malware Denonia, after the name the attackers gave the domain it communicates with. The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls. Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks.
What Is AWS Lambda?
Lambda is a serverless computing platform that allows you to build and run applications without provisioning or managing servers. AWS Lambda lets you upload your code for execution in response to events such as the arrival of an HTTP request, the availability of new data in an Amazon S3 bucket, or the completion of a set of tasks.
How Is Denonia Malware Being Deployed?
Cado Security could not determine how the threat actors were able to deploy their malware into infected systems.
But they believe the hackers utilized stolen or leaked AWS Access and Secret Keys, a method that has previously been used to send bash scripts that normally download and operate miners. After the miner had been active for a few weeks, this resulted in $45,000 in charges.
While such managed runtime environments reduce the attack surface, forgotten or stolen credentials can swiftly result in enormous financial losses due to how hard it is to identify a possible compromise.
Linux Systems Targeted Too?
Denonia was developed for AWS Lambda thing pointed out by the fact that it checks for Lambda environment variables before execution. However, the experts from Cado Security discovered that it may also operate without problems on some Linux servers (e.g., Amazon Linux boxes).
DNS over HTTPS (DoH) is also used by the malware to do DNS lookups through an encrypted HTTPS connection rather than plain text DNS requests.
This reduces the chances of being detected, and it also prevents malicious traffic inspection attempts, disclosing only connections to Cloudflare and Google DoH resolvers.
Using DoH is a fairly unusual choice for the Denonia authors, but provides two advantages here: AWS cannot see the dns lookups for the malicious domain, reducing the likelihood of triggering a detection. Some Lambda environments may be unable to perform DNS lookups, depending on VPC settings.
How Can Heimdal™ Help?
Protect your privileged credentials with a proper Privileged Access Management solution that limits insider threats and keep DNS-based online threats away with an efficient Threat Prevention tool! Find more on our home page!