Denonia malware targets AWS Lambda functions
Overview
A new malware strain, dubbed Denonia, has been seen targeting AWS Lambda cloud environments.
Written in Go, it contains a variant of the XMRig crypto mining software and some other functions.
Impact
A Lambda function infected with Denonia would have its resources used to mine cryptocurrency.
Vulnerability Detection
There’s no specific vulnerability associated with this malware.
It’s a payload deployed after initial access, most likely obtained through compromised credentials or a vulnerability in the user’s own function code.
Affected Products
AWS Lambda functions.
Monitoring
- GuardDuty isn’t well placed to pick this up.
- The miner makes no AWS API calls, and its DNS resolution is tunnelled so that no DNS query logs are left behind.
- VPC flow logs might be able to detect it.
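As an added example (not part of this advisory, nor Cado’s or AWS’s code), a small scan of VPC Flow Log records for accepted egress to the addresses listed under Indicators of Compromise below, which is the kind of flow-log check the last point refers to; it assumes the default version 2 record format, and the sample records are constructed.

```python
"""Scan VPC Flow Log records for egress to the Denonia IoC addresses.

Added example for this advisory, not Cado's or AWS's code. Assumes the
default VPC Flow Log format (version 2, 14 space-separated fields). The
IP addresses come from the Indicators of Compromise section; the sample
records below are constructed.
"""
from collections import defaultdict

# Fields of the default (version 2) VPC Flow Log record, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# C2 / gateway addresses from the Indicators of Compromise section.
DENONIA_IPS = {"116.203.4.0", "162.55.241.99", "148.251.77.55"}

# Constructed sample: two benign records and two to a listed address.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 52.94.76.10 44321 443 6 12 2104 1649500000 1649500060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 116.203.4.0 51002 443 6 3210 402211 1649500000 1649500600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 8.8.8.8 55001 53 17 2 160 1649500010 1649500011 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 162.55.241.99 51003 443 6 890 77120 1649500300 1649500900 ACCEPT OK
"""


def parse_record(line):
    """Split one flow log line into a dict keyed by field name; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry "-" instead of a byte count.
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
    return rec


def find_denonia_hits(log_text, iocs=DENONIA_IPS):
    """Return (matching records, bytes sent per (interface, destination))."""
    hits = []
    egress = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip truncated or non-default-format lines
        if rec["dstaddr"] in iocs and rec["action"] == "ACCEPT":
            hits.append(rec)
            egress[(rec["interface_id"], rec["dstaddr"])] += rec["bytes"]
    return hits, dict(egress)


if __name__ == "__main__":
    hits, egress = find_denonia_hits(SAMPLE_LOG)
    for (eni, dst), total in egress.items():
        flows = sum(1 for h in hits if h["dstaddr"] == dst)
        print(f"{eni} -> {dst}: {total} bytes across {flows} flow(s)")
```

Point it at exported flow-log files for the subnets your Lambda functions are attached to; a hit on a function’s ENI is worth investigating alongside that function’s deployment and credential history.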
Indicators of Compromise
SHA256
739fe13697bc55870ceb35003c4ee01a335f9c1f6549acb6472c5c3078417eed
a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca
Domains
IP addresses
116.203.4[.]0
162.55.241[.]99
148.251.77[.]55
Threat Landscape
Although this is the first time malware specifically written for Lambda functions has been seen, resource-hijacking attacks against Lambda are not new. Usually, these would be based on a bash script.
MITRE ATT&CK Techniques
T1572 – Protocol Tunnelling
T1496 – Resource Hijacking
T1550.001 – Application Access Token
Further Information
Cado Discovers Denonia: The First Malware Specifically Targeting Lambda