A new malware, named Denonia, is targeting Amazon Web Services (AWS) Lambda cloud environments. AWS Lambda is a serverless, event-driven compute service that runs code for any kind of application, triggered from AWS services and SaaS apps, without the need to manage servers. Denonia is specifically crafted to target Lambda for crypto mining.
Monero mining in action
Denonia uses DNS over HTTPS, which makes it difficult to detect
Cado Security researchers have discovered that Denonia is being used in attacks on AWS Lambda cloud environments. It uses a Go-based wrapper and deploys customized XMRig crypto mining software that mines Monero. They found that it is a 64-bit ELF executable targeting the x86-64 architecture and that it uses some third-party libraries, notably AWS-Lambda-Go, which enables execution in AWS Lambda.
The Cado Security researchers state that they have not identified how the Denonia malware was deployed in the AWS Lambda environments. They think it might be a simple compromise of AWS access and secret keys, used to manually deploy the malware. The malware also uses a DNS over HTTPS (DoH) connection to encrypt its DNS queries, which hides its lookups of malicious domains from AWS systems.
The researchers are continuing to investigate the Denonia malware, as they found another sample in February.
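The visibility gap described above can itself be used as a detection signal: HTTPS traffic to a public DoH resolver, or to an IP that the monitored resolver never returned to that source, suggests name resolution happened out of band. The sketch below is an added example, not code from Cado Security or the original article; the record shapes, sample data and resolver IP list are constructed assumptions, and it presumes the function's egress is visible to network logging.

```python
# Added example: record shapes and all sample data are constructed assumptions.
from collections import defaultdict

# Illustrative public DoH resolver addresses (assumption, not from the article).
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed resolver query log: (source IP, queried name, answer IPs).
RESOLVER_LOG = [
    ("10.0.1.15", "api.example.com", ["198.51.100.20"]),
    ("10.0.1.16", "api.example.com", ["198.51.100.20"]),
]

# Constructed egress flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.15", "198.51.100.20", 443),  # destination was resolved via monitored DNS
    ("10.0.1.16", "198.51.100.20", 443),  # same, resolved
    ("10.0.1.16", "1.1.1.1", 443),        # HTTPS to a public DoH resolver
    ("10.0.1.16", "203.0.113.7", 443),    # no monitored DNS answer ever returned this IP
    ("10.0.1.15", "203.0.113.9", 123),    # not HTTPS, ignored by this check
]

def resolved_ips_by_source(resolver_log):
    """Map each source IP to the set of IPs the monitored resolver returned to it."""
    seen = defaultdict(set)
    for src, _name, answers in resolver_log:
        seen[src].update(answers)
    return seen

def find_doh_gaps(flows, resolver_log, doh_ips=DOH_RESOLVER_IPS):
    """Flag HTTPS flows to DoH resolvers and to IPs with no matching DNS answer."""
    resolved = resolved_ips_by_source(resolver_log)
    findings = []
    for src, dst, port in flows:
        if port != 443:
            continue
        if dst in doh_ips:
            findings.append((src, dst, "https_to_doh_resolver"))
        elif dst not in resolved.get(src, set()):
            findings.append((src, dst, "no_matching_dns_answer"))
    return findings

def high_priority_sources(findings):
    """Sources showing both signals: DoH use plus an unresolved destination."""
    reasons = defaultdict(set)
    for src, _dst, reason in findings:
        reasons[src].add(reason)
    return sorted(s for s, r in reasons.items() if len(r) == 2)

if __name__ == "__main__":
    for finding in find_doh_gaps(FLOWS, RESOLVER_LOG):
        print(finding)
```

A destination with no matching DNS answer can also be a hardcoded IP or a cached lookup, so the second signal is a lead for triage rather than a verdict.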