
First Malware Targeting AWS Lambda Serverless Platform Discovered

A first-of-its-kind malware targeting Amazon Web Services’ (AWS)
Lambda serverless computing platform has been discovered in the
wild.

Dubbed “Denonia” after the name of the domain it communicates
with, “the malware uses newer address resolution techniques for
command and control traffic to evade typical detection measures and
virtual network access controls,” Cado Labs researcher Matt Muir
said[1].


The artifact[2] analyzed by the cybersecurity company was uploaded
to the VirusTotal database on February 25, 2022, sporting the name
“python” and packaged as a 64-bit ELF[3] executable.

However, the filename is a misnomer, as Denonia is programmed in
Go and harbors a customized variant of the XMRig cryptocurrency
mining software. The mode of initial access is unknown, although
it’s suspected it may have involved the compromise of AWS Access
and Secret Keys.

Another notable feature of the malware is its use of DNS over
HTTPS (DoH[4]) for communicating with
its command-and-control server (“gw.denonia[.]xyz”) by concealing
the traffic within encrypted DNS queries.
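
The hostname in a DoH lookup is only recoverable where the HTTPS request is visible in cleartext, such as a TLS-inspecting egress proxy. The following is an added example, not code from Cado Labs or the article: it decodes the RFC 8484 GET form (`?dns=` carrying a base64url DNS message) from request URLs and flags lookups of the C2 name above. The resolver host `doh.example`, the sample URLs and the assumption that the GET form is in use are all constructed for illustration; the article does not say which form Denonia uses.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# C2 name from the article, kept defanged in source and refanged at runtime.
WATCHLIST = {"gw.denonia[.]xyz".replace("[.]", ".")}

def qname_from_dns_message(msg: bytes) -> str:
    """Return the first question name from a DNS wire-format query."""
    if len(msg) < 12 or int.from_bytes(msg[4:6], "big") < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label")  # also rejects compression pointers (>= 0xC0)
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return ".".join(labels)

def doh_qname(url: str):
    """Decode ?dns=<unpadded base64url DNS message>; None if absent or malformed."""
    values = parse_qs(urlsplit(url).query).get("dns")
    if not values:
        return None
    raw = values[0]
    try:
        return qname_from_dns_message(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def flag_doh_lookups(urls):
    """Return (url, qname) for every DoH request whose name is on the watchlist."""
    return [(u, n) for u in urls if (n := doh_qname(u)) in WATCHLIST]

def build_sample_url(host: str, name: str) -> str:
    """Construct a sample DoH GET URL for an A query (test data only)."""
    header = b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # ID 0, RD set, 1 question
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00\x00\x01\x00\x01"
    return f"https://{host}/dns-query?dns=" + base64.urlsafe_b64encode(header + q).decode().rstrip("=")
```

DoH requests sent with POST carry the same DNS message in the request body with content type `application/dns-message`, so the same `qname_from_dns_message` decoder applies to a captured body.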


However, “python” isn’t the only sample of Denonia unearthed so
far: Cado Labs found a second sample (named
“bc50541af8fe6239f0faa7c57a44d119.virus”[5]) that was uploaded to
VirusTotal on January 3, 2022.

“Although this first sample is fairly innocuous in that it only
runs crypto-mining software, it demonstrates how attackers are
using advanced cloud-specific knowledge to exploit complex cloud
infrastructure, and is indicative of potential future, more
nefarious attacks,” Muir said.

References

  1. said (www.cadosecurity.com)
  2. artifact (www.virustotal.com)
  3. ELF (en.wikipedia.org)
  4. DoH (en.wikipedia.org)
  5. bc50541af8fe6239f0faa7c57a44d119.virus (www.virustotal.com)
