AWS Lambda Serverless Platform Under Malware Attack
Reading Time: < 1 minute

For the first time, Amazon’s AWS Lambda Serverless Platform is under malware attack discovered in the wild. 

According to Cado Labs researcher Matt Muir has dubbed it as Denonia” after the name of the domain it communicates with, “the malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls.” 

The cybersecurity company, studying the artifact, uploaded the VirusTotal database on February 25, 2022, sporting the name “python” and packaged it as a 64-bit ELF executable.

Studies discovered the filename is a misnomer since it’s programmed in Go. Additionally, it also harbors a customized variant of the XMRig cryptocurrency mining software. Though the initial mode of access is not known, its involvement in the compromise of AWS Access and Secret Keys cannot be ruled out. 

The malware is also capable of using DNS over HTTPS (DoH) for communicating with its command-and-control server (“gw.denonia[.]xyz”) by concealing the traffic within encrypted DNS queries.

Code Labs second sample (named “bc50541af8fe6239f0faa7c57a44d119.virus“) uploaded to VirusTotal on January 3, 2022, suggests “python” isn’t the only sample of Denonia unearthed so far.

Muir said, “Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks.”

Related Articles:
Apple Releases macOS, iOS, iPadOS patches for ‘exploited’ security bugs
Security Patch Released – Critical Zero-Day Bug in Java Spring Framework
How Hackers can Use Decommissioned Satellite to Broadcast Hacker TV