Denonia named as first malware to target AWS Lambda platform

Security researchers at Cado Security have discovered the first publicly known malware specifically designed to target Amazon Web Services’ (AWS) Lambda platform.

Cado has named the software ‘Denonia’ after the name the attackers gave to the domain it communicates with. The Go-based software evades detection measures of complex cloud infrastructure to enable the mining of cryptocurrency through a modified version of the open-source crypto mining software XMRig.

Essentially, it uses new newer address resolution techniques for command and control (C2) traffic to avoid detection and evade virtual network access controls.

Although not inherently malicious and has limited distribution, this method of running XMRig could prove indicative of future exploitation methods, Cado said.

“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” Cado security researcher Matt Muir explained in a blog post.

Despite its numerous benefits, researchers said that Lambda’s short runtime durations, volume of executions, and the dynamic nature of its functions can make it difficult to detect, investigate and respond to a potential compromise.

Additionally, the AWS Shared Responsibility model means that AWS secures the underlying Lambda execution environment, while customers are responsible for securing the actual functions.

Although Denonia is designed to execute inside of Lambda environments, it is also possible for it to run in other Linux environments too – which makes sense when considering that Lambda serverless environments are underpinned by Linux.

However, it is not yet known how the attackers are deploying the software. Cado researchers suggest they may be compromising AWS Access and Secret Keys before manually deploying into compromised environments – which wouldn’t be the first time.

An AWS spokesperson confirmed that actors did not breach Lambda via a vulnerability.

“Lambda is secure by default, and AWS continues to operate as designed,” they said. “Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments.”

“That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services.”

AWS confirmed: “The software described by the researcher does not exploit any weakness in Lambda or any other AWS service.