A new malware strain, dubbed Denonia, has been seen targeting AWS Lambda cloud environments.
Written in Go, it contains a variant of the XMRig crypto mining software and some other functions.
A Lambda function infected with Denonia would have its resources used to mine cryptocurrency.
There’s no specific vulnerability associated with this malware.
It’s a payload that is deployed after initial access, likely via compromised credentials or a vulnerability in the user’s function.
AWS Lambda functions.
- GuardDuty wouldn’t be well placed to pick up on this.
- The miner doesn’t make AWS calls and DNS is tunnelled to avoid logging.
- Flow logs might be able to detect it.
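One way to apply the flow-log point above, as an added example that is not part of the original write-up: parse default-format (version 2) VPC Flow Logs records and total the bytes each Lambda network interface sends to destinations outside an expected-egress allowlist. Flow logs only cover functions attached to a VPC; the VPC range, ENI ID, allowlist and sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Default (version 2) VPC Flow Logs field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumptions for this example: the VPC range, the ENIs used by Lambda
# functions, and the destinations those functions are expected to reach.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
LAMBDA_ENIS = {"eni-0aaa1111bbbb2222c"}
EXPECTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample records (documentation address ranges, made-up IDs).
SAMPLE = """\
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 198.51.100.10 44122 443 6 12 4310 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 203.0.113.77 51514 8443 6 840 912000 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 203.0.113.77 51514 8443 6 910 988000 1650000060 1650000120 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 203.0.113.77 10.0.1.25 8443 51514 6 700 51000 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 203.0.113.99 40000 22 6 1 60 1650000000 1650000060 REJECT OK
2 123456789012 eni-0ddd3333eeee4444f 10.0.2.9 203.0.113.50 39000 443 6 5 900 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c - - - - - - - 1650000120 1650000180 - NODATA
"""

def unexpected_egress(lines):
    """Sum bytes per (ENI, destination, port) for accepted outbound flows from
    Lambda ENIs to addresses outside the VPC and outside the allowlist."""
    totals = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom log format or truncated line
        r = dict(zip(FIELDS, parts))
        # NODATA/SKIPDATA records carry "-" instead of addresses; skip them
        # before parsing. Rejected flows moved no payload, so skip those too.
        if r["log_status"] != "OK" or r["action"] != "ACCEPT":
            continue
        if r["interface_id"] not in LAMBDA_ENIS:
            continue
        src = ipaddress.ip_address(r["srcaddr"])
        dst = ipaddress.ip_address(r["dstaddr"])
        if src not in VPC_CIDR or dst in VPC_CIDR:
            continue  # keep only function-to-outside records, not replies
        if any(dst in net for net in EXPECTED_EGRESS):
            continue
        totals[(r["interface_id"], str(dst), int(r["dstport"]))] += int(r["bytes"])
    return dict(totals)

if __name__ == "__main__":
    for key, nbytes in unexpected_egress(SAMPLE.splitlines()).items():
        print(key, nbytes)
```

Sustained byte counts to a single unlisted destination across consecutive capture windows are the pattern worth triaging; one-off small flows usually are not.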
Indicators of Compromise
Although this is the first time malware specifically written for Lambda functions has been seen, resource-hijacking attacks against Lambda are not new. Usually, these would be based on a bash script.