Security researchers have identified the first cryptomining malware written specifically for Amazon Web Services (AWS) Lambda. AWS Lambda is a serverless compute service: customers upload function code that AWS runs in response to events from hundreds of AWS services and SaaS applications, without the customer managing any servers.
According to Cado Security, which found it in use in a limited number of attacks, Denonia is a Go-based wrapper that deploys a custom XMRig cryptominer to mine Monero. The sample analysed was a 64-bit ELF executable for x86-64, uploaded to VirusTotal in February; a second sample uploaded a month earlier, in January, suggests the campaign had been running for at least a few months.
“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” said the Cado researchers.
Cado Security could not determine how the attackers deployed the malware to the compromised functions. The most likely route is stolen or leaked AWS access key IDs and secret access keys, a method previously used to push bash scripts that download and run miners; in one such earlier incident a miner that ran for a few weeks generated $45,000 in charges.
Lambda's locked-down runtime reduces the attack surface, but forgotten or stolen credentials can quickly turn into large bills, because a compromised function is hard to notice: there is no server to log into and inspect, only invocation logs, metrics and the account's API audit trail. “Under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves,” the researchers added.
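Because the deployment path is assumed to be a leaked access key rather than a runtime exploit, the customer-side signal is in CloudTrail: a Lambda function whose code was replaced by a principal that does not normally deploy, using a long-lived IAM user key instead of temporary role credentials. The following hunt script is an added example written for this article, not Cado Security's or AWS's code; the CloudTrail records are constructed to resemble real ones, and the allow-list of expected deployment principals is an assumption about the account being checked.

```python
"""Hunt CloudTrail for Lambda code changes made by unexpected principals.

Added example, not Cado Security's or AWS's code. The records below are
constructed to resemble CloudTrail output (account ID and IPs are
placeholders) and the allow-list of deployment principals is an assumption;
in practice you would feed in a CloudTrail export or Athena query results.
"""
import json

# Lambda control-plane events that change the code or runtime of a function.
# These are the eventName values CloudTrail records for those API calls.
CODE_CHANGE_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331v2",
    "UpdateFunctionConfiguration20150331v2",
}

# Assumed: all legitimate deployments come from this CI role; any other
# principal changing function code is worth a look.
EXPECTED_DEPLOY_ARNS = {
    "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline",
}

# Constructed sample records.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # normal: CI role using temporary STS credentials (ASIA...)
        "eventTime": "2022-02-01T10:00:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline",
                         "accessKeyId": "ASIAEXAMPLE000000001"},
        "sourceIPAddress": "10.0.5.7",
        "requestParameters": {"functionName": "orders-api"},
    },
    {   # suspicious: IAM user with a long-lived key (AKIA...) from an unknown IP
        "eventTime": "2022-02-03T03:14:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/dev-backup",
                         "accessKeyId": "AKIAEXAMPLE000000002"},
        "sourceIPAddress": "203.0.113.45",
        "requestParameters": {"functionName": "orders-api"},
    },
    {   # irrelevant: a read-only call by the same key
        "eventTime": "2022-02-03T03:15:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "ListFunctions20150331",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/dev-backup",
                         "accessKeyId": "AKIAEXAMPLE000000002"},
        "sourceIPAddress": "203.0.113.45",
        "requestParameters": None,
    },
]})


def suspicious_lambda_deploys(trail_json: str) -> list[dict]:
    """Return code-change events not made by an expected deploy principal.

    Each finding lists the reasons it was flagged. Long-lived IAM user keys
    start with 'AKIA'; temporary STS credentials start with 'ASIA'.
    """
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") not in CODE_CHANGE_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        reasons = []
        if ident.get("arn") not in EXPECTED_DEPLOY_ARNS:
            reasons.append("principal not in deploy allow-list")
        if ident.get("accessKeyId", "").startswith("AKIA"):
            reasons.append("long-lived IAM user access key")
        if reasons:
            params = rec.get("requestParameters") or {}
            findings.append({
                "time": rec["eventTime"],
                "event": rec["eventName"],
                "principal": ident.get("arn"),
                "access_key": ident.get("accessKeyId"),
                "source_ip": rec.get("sourceIPAddress"),
                "function": params.get("functionName"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_lambda_deploys(SAMPLE_TRAIL):
        print(f"{f['time']} {f['event']} on {f['function']} by {f['principal']}"
              f" from {f['source_ip']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample it reports only the second record: the CI role's update passes the allow-list, and the later ListFunctions call is read-only and ignored. The AKIA/ASIA prefix check is a cheap triage signal, not proof of compromise; the follow-up is to rotate the flagged key, pull the function's current code with GetFunction and compare it with what the pipeline last shipped.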
Denonia was written with Lambda in mind: it checks for Lambda environment variables before running. Even so, Cado Security found it also runs without problems on ordinary Linux hosts such as Amazon Linux instances.
The malware also resolves domain names using DNS over HTTPS (DoH), sending its lookups inside an encrypted HTTPS session instead of as plaintext DNS queries. This lowers its chances of detection and defeats attempts to inspect the resolved names: on the wire, all that is visible is connections to Cloudflare's and Google's DoH resolvers.
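That remaining tell, an outbound HTTPS connection to a public DoH resolver from a function that should only ever talk to the VPC's own resolver on port 53, is something a defender can look for. The script below is an added example, not from Cado's report: it scans VPC Flow Log lines in the default format for TCP/443 flows to Cloudflare's and Google's resolver addresses. The log lines are constructed, the Lambda function is assumed to be attached to a VPC (otherwise there is no flow log for its network interface), and 10.0.0.2 is assumed to be the VPC's built-in resolver.

```python
"""Flag DoH egress from a Lambda network interface in VPC Flow Logs.

Added example, not from Cado's report. A Lambda function attached to a VPC
appears in VPC Flow Logs through its elastic network interface; the lines
below are constructed in the default flow-log format. Resolver addresses are
the public ones for Cloudflare and Google; 10.0.0.2 as the VPC's internal
resolver and 52.94.230.1 as an AWS API endpoint are assumptions.
"""

# Public DoH resolver addresses, keyed to the provider. Queries to these
# over TCP/443 look like ordinary HTTPS, so the destination is the only tell.
DOH_RESOLVERS = {
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
}

# Default VPC Flow Log record fields (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: the function talks to the VPC resolver on 53 (normal),
# an AWS API endpoint on 443 (normal), two public DoH resolvers on 443, and
# the last line is the return leg of the Cloudflare flow.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 10.0.0.2 53211 53 17 2 180 1644400000 1644400060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 52.94.230.1 50123 443 6 30 9000 1644400000 1644400060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 1.1.1.1 49812 443 6 12 3500 1644400000 1644400060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 8.8.8.8 49813 443 6 10 2900 1644400010 1644400070 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 1.1.1.1 10.0.1.23 443 49812 6 11 6200 1644400000 1644400060 ACCEPT OK
"""


def parse_flow_log(text: str) -> list[dict]:
    """Parse default-format flow log lines into dicts; skip NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(rec)
    return records


def find_doh_egress(text: str) -> list[dict]:
    """Return outbound TCP/443 flows whose destination is a known DoH resolver.

    Only the outbound leg is reported (dstaddr is the resolver); the matching
    return flow has the resolver as srcaddr and is ignored to avoid doubles.
    """
    hits = []
    for rec in parse_flow_log(text):
        if rec["protocol"] != "6" or rec["dstport"] != "443":
            continue
        provider = DOH_RESOLVERS.get(rec["dstaddr"])
        if provider is None:
            continue
        hits.append({
            "interface": rec["interface_id"],
            "src": rec["srcaddr"],
            "resolver": rec["dstaddr"],
            "provider": provider,
            "bytes": int(rec["bytes"]),
            "start": int(rec["start"]),
        })
    return hits


if __name__ == "__main__":
    for h in find_doh_egress(SAMPLE_FLOW_LOG):
        print(f"{h['interface']}: {h['src']} -> {h['resolver']}:443 "
              f"({h['provider']} DoH, {h['bytes']} bytes)")
```

The detector deliberately reports only the destination, because that is all a flow log carries: the names Denonia resolves are inside TLS and stay hidden, exactly as the article describes. If egress passes through a TLS-terminating proxy, the SNI values cloudflare-dns.com and dns.google give the same signal with fewer false positives. A Lambda function with no VPC attachment produces no flow logs at all, so for those functions the CloudTrail deployment check is the only account-side visibility.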