Researchers at Cado Security have discovered malware designed specifically to run in serverless AWS Lambda environments and mine cryptocurrency. As Cado Security admits, the research team does not fully understand how the malware, called Denonia, is deployed.
“It may just be a matter of compromising AWS access and secret keys, followed by manual deployment in compromised Lambda environments,” the experts suggested.
Although the security researchers have only observed the malware running on AWS Lambda, it can also be made to run in a Linux environment.
The malware is written in Google's Go programming language, which is popular with malware developers because it makes it easy to build cross-platform, statically linked standalone executables. The resulting program code can be a single monolithic blob, which complicates reverse engineering, and strings may not be stored with C-style null terminators.
Denonia contains a customized version of XMRig for mining the Monero cryptocurrency, “along with other unknown functions.” During dynamic analysis, Denonia halted execution and logged an error stating that the Lambda AWS environment variable was not defined. The researchers found a 64-bit ELF executable targeting the x86-64 architecture. The file uses a number of third-party libraries, including one specifically for running in AWS Lambda environments.
The malware includes several third-party Go libraries, including tools for writing Lambda functions, helpers for retrieving contextual information from a Lambda invocation request, the common AWS SDK for Go, and a DNS-over-HTTPS (DoH) implementation in Go. DoH encrypts DNS queries and sends domain-name lookups as ordinary HTTPS traffic. This prevents AWS from seeing the DNS queries, reducing the chances of the malware being detected.
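Because DoH hides the malware's DNS lookups, a defender is better served by the control plane than by network telemetry: the suspected deployment path (stolen access keys, then a manual Lambda deployment) leaves CloudTrail records. The following added example, not code from Cado Security or the article, flags Lambda code deployments made with long-term IAM user keys (prefix AKIA, as opposed to STS temporary keys with prefix ASIA) or from outside an assumed trusted deployment network; the log lines are constructed, and the trusted network and principal names are assumptions.

```python
import ipaddress
import json

# CloudTrail event names for the Lambda calls that create or replace function code.
DEPLOY_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2"}

# Networks from which legitimate CI/CD deployments are expected (assumed value).
TRUSTED_NETWORKS = ["10.20.0.0/16"]

# Constructed sample CloudTrail records (one JSON object per line), not real telemetry.
SAMPLE_LOG = """
{"eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode20150331v2","sourceIPAddress":"10.20.4.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42","accessKeyId":"ASIAEXAMPLE1"},"requestParameters":{"functionName":"billing-export"}}
{"eventSource":"lambda.amazonaws.com","eventName":"CreateFunction20150331","sourceIPAddress":"203.0.113.45","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/dev-alice","accessKeyId":"AKIAEXAMPLE2"},"requestParameters":{"functionName":"sys-update","runtime":"provided.al2"}}
{"eventSource":"lambda.amazonaws.com","eventName":"GetFunction20150331v2","sourceIPAddress":"203.0.113.45","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/dev-alice","accessKeyId":"AKIAEXAMPLE2"},"requestParameters":{"functionName":"sys-update"}}
"""


def is_long_term_key(access_key_id):
    # Long-term IAM user keys start with AKIA; STS temporary keys start with ASIA.
    return access_key_id.startswith("AKIA")


def flag_deployments(log_text, trusted_networks=TRUSTED_NETWORKS):
    """Return Lambda code deployments made with a long-term access key or
    from a source address outside the trusted deployment networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventSource") != "lambda.amazonaws.com" or ev.get("eventName") not in DEPLOY_EVENTS:
            continue
        ident = ev.get("userIdentity", {})
        params = ev.get("requestParameters", {})
        reasons = []
        if is_long_term_key(ident.get("accessKeyId", "")):
            reasons.append("long-term access key")
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
            if not any(src in net for net in nets):
                reasons.append("source outside trusted networks")
        except ValueError:
            pass  # sourceIPAddress may be an AWS service name; no network check then
        if reasons:
            findings.append({"function": params.get("functionName"), "principal": ident.get("arn"),
                             "source_ip": ev.get("sourceIPAddress"), "runtime": params.get("runtime"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_deployments(SAMPLE_LOG):
        print(json.dumps(finding))
```

The CI deployment via an assumed role from the trusted network produces no finding; the manual CreateFunction call with a long-term key from an outside address is reported with both reasons.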