This new malware targets AWS Lambda environments

Updated: Denonia malware is abusing servers to run cryptocurrency miners.
Written by Charlie Osborne, Contributing Writer

A new malware variant that targets AWS Lambda has been discovered.

On Wednesday, researchers from Cado Security published their findings on Denonia, malware currently being used in targeted attacks against Lambda.

Lambda is a scalable compute service offered by Amazon Web Services (AWS) for running code, server and OS maintenance, capacity provisioning, logging, and operating numerous backend services.

According to Cado Security, this cloud service -- used by SMBs and enterprise players worldwide -- is now at risk of infection by the malware strain.

Not to be confused with Lambda ransomware, in what the cybersecurity researchers believe is the first known public case, a sample of the malware was found that, despite having the file name python, is written in the Go programming language.

During analysis, Denonia logged an error, "[_LAMBDA_SERVER_PORT AWS _LAMBDA_RUNTIME_API] is not defined."

"This piqued our interest as these environment variables are specific to Lambda, giving us some hints about the environment in which this malware is expected to execute," the team said.

The researchers found the sample was a 64-bit ELF executable upon further examination. The malware also relies on third-party GitHub libraries, including those for writing Lambda functions and retrieving data from Lambda invoke requests.

Another interesting facet is the use of DNS over HTTPS (DoH) via the doh-go library, which the team believes could have been implemented to stop AWS from detecting lookups for malicious domains.

Cado Security isn't sure what attack vector could be in play for deploying the malware into Lambda environments. However, the team speculates it could be a matter of using scripts to grab access credentials or secret keys from poorly-secured setups.

Cado's researchers said:

"We discovered during dynamic analysis that the sample will happily continue execution outside a Lambda environment (i.e. on a vanilla Amazon Linux box). 

We suspect this is likely due to Lambda "serverless" environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox."

The malware executes a customized version of XMRig in memory. XMRig is a miner used to mine the Monero cryptocurrency by leveraging a computer's resources. This suggests that the developer's goals could be purely financial, with Denonia potentially providing a means to steal computing resources to generate sellable coins.

"Although this first sample is fairly innocuous in that it only runs cryptomining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks," the researchers say.

A second sample has since been added to VirusTotal.  

Update 8/4: An AWS spokesperson said in a statement:

"Lambda is secure by default, and AWS continues to operate as designed. Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments. 

That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services."

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards