Denonia malware targets AWS Lambda functions

Overview

A new malware strain, dubbed Denonia, has been seen targeting AWS Lambda cloud environments.
Written in Go, it contains a variant of the XMRig crypto mining software and some other functions.

Impact

A Lambda function infected with Denonia would have its resources used to mine cryptocurrency.

Vulnerability Detection

There’s no specific vulnerability associated with this malware.
It’s a payload that is deployed after initial access, likely via compromised credentials or a vulnerability in the user’s function.

Affected Products

AWS Lambda functions.

Monitoring

• GuardDuty wouldn’t be well placed to pick up on this.
• The miner doesn’t make AWS calls and DNS is tunnelled to avoid logging.
• Flow logs might be able to detect it.

Indicators of Compromise

SHA256

739fe13697bc55870ceb35003c4ee01a335f9c1f6549acb6472c5c3078417eed

a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca

Domains

denonia[.]xyz

ctrl.denonia[.]xyz

gw.denonia[.]xyz

1.gw.denonia[.]xyz

www.denonia[.]xyz

xyz.denonia[.]xyz

mlcpugw.denonia[.]xyz

IP addresses

116.203.4[.]0

162.55.241[.]99

148.251.77[.]55

Threat Landscape

Although this is the first time malware specifically written for Lambda functions has been seen, resource-hijacking attacks against Lambda are not new. Usually, these would be based on a bash script.

Mitre Methodologies

T1572 – Protocol Tunnelling
T1496 – Resource Hijacking
T1550.001 – Application Access Token

Further Information

Cado Discovers Denonia: The First Malware Specifically Targeting Lambda