A newly discovered malware, dubbed Denonia after the domain name used by its operators, may be the first case of malware specifically targeting Amazon Web Services (AWS) Lambda environments, according to the researchers at Cado Labs, who first spotted it in the wild.
Cado’s Matt Muir, Chris Doman, Al Carchrie and Paul Scott said that while Denonia may appear relatively innocuous, because it only runs cryptomining software, it uses cutting-edge techniques to evade standard detection methods and virtual network access controls, and demonstrates how malicious actors are using cloud-specific knowledge to exploit complex infrastructures, pointing the way to future, more damaging attacks.
They said Lambda – a serverless, event-driven compute service that lets users run code for virtually any kind of app or backend service without having to provision or manage a server – may prove particularly vulnerable to malware.
“Organisations – both large and small – are increasingly leveraging Lambda serverless functions,” they said in a disclosure notice. “From a business agility perspective, serverless has significant benefits. However, short runtime durations, the sheer volume of executions, and the dynamic and ephemeral nature of Lambda functions can make it difficult to detect, investigate and respond to a potential compromise.”
Denonia is coded in the Go, aka Golang, programming language, and contains a customised variant of the XMRig cryptominer, coupled with some as-yet unknown functions. Go malware is becoming increasingly favoured by malicious actors, they said, due to various specific functions, and some characteristics of the language that can be challenging for ethical hackers to analyse.
Muir’s team said although their analysis found Denonia was clearly designed to execute specifically within Lambda environments, they had been unable to confirm how it was spread, although they speculated it may be manually deployed via compromised AWS Access and Secret Keys.
They also noted that while Denonia specifically expects to run in Lambda, it is possible for it to run in other Linux environments – this is likely because Lambda serverless environments run Linux under the bonnet, so when the team ran the sample in its own sandbox it still believed it was running in Lambda.
The researchers said the first sample they had found dated from the end of February, but they have since found a second sample uploaded to VirusTotal in January.
In response, Cado has added the ability to investigate and remediate Denonia for both AWS ECS and AWS Lambda environments to its Cado Response platform.
The full disclosure notice, including more in-depth analysis, screenshots, and indicators of compromise (IoCs), can be found at Cado’s website.
Cado’s team confirmed they had made a full disclosure to AWS but that the organisation had not yet responded, beyond confirming receipt. Computer Weekly reached out to AWS for comment on the Denonia malware, but the organisation had not responded at the time of publishing.
As noted above, Linux-based cloud services are becoming increasingly susceptible to cyber attack thanks to their widespread use, with a recent VMware study finding concerning evidence that security products and teams were lagging some distance behind malicious actors.
The report, Exposing malware in Linux-based multicloud environments, said current countermeasures are too heavily focused on addressing Windows-based threats, with the effect that many public and private cloud deployments are left vulnerable to attacks that would otherwise be easy to stop.