Researchers have uncovered what is described as the first malware found in the wild that specifically targets Amazon Web Services (AWS) Lambda, the provider's serverless computing service.
The malware, dubbed "Denonia" after the domain with which it communicates, "uses modern address resolution techniques for command and control traffic to bypass traditional detection measures and virtual network access constraints," according to Cado Labs researcher Matt Muir.
The sample examined was uploaded to VirusTotal on February 25, 2022, under the name "python" and is a 64-bit ELF executable.
The filename is misleading: Denonia is written in Go and bundles a customised build of XMRig, the open-source cryptocurrency miner (which mines Monero, not bitcoin). The initial access vector is unknown, though it most likely involved compromised AWS access key IDs and secret access keys rather than any weakness in Lambda itself.
Another distinguishing aspect of the malware is its use of DNS over HTTPS (DoH) to resolve its command-and-control domain ("gw.denonia[.]xyz"). The lookup is carried inside an ordinary HTTPS connection to a public DoH resolver rather than sent as a plaintext UDP/53 query to the VPC's DNS resolver, so it never appears in DNS query logs and is not subject to DNS-based filtering or sinkholing.
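The practical consequence of the DoH trick is that DNS query logging alone (for example Route 53 Resolver query logs) records nothing for the C2 lookup; the only network-level signal is an HTTPS session to a resolver's address. The following script is an added example written for this article, not code from Cado Labs, AWS or the Denonia authors. It parses constructed VPC Flow Log records in the default v2 format and flags accepted TCP/443 connections to well-known public DoH resolver addresses, while counting ordinary UDP/53 lookups for comparison. The resolver list and the sample records are assumptions made for illustration.

```python
"""Spot DNS-over-HTTPS resolver traffic in VPC Flow Log records.

Added example for this article, not code from Cado Labs, AWS or the
Denonia authors. The log records are constructed for illustration and
assume the default VPC Flow Log v2 format:
  version account-id interface-id srcaddr dstaddr srcport dstport
  protocol packets bytes start end action log-status
"""
from dataclasses import dataclass
from typing import List, Optional

# Anycast addresses of well-known public DoH resolvers. Assumption: nothing
# inside the VPC should legitimately talk to them, so any hit is worth triage.
DOH_RESOLVERS = {
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
}
TCP, UDP = 6, 17  # IANA protocol numbers as they appear in flow logs


@dataclass
class Flow:
    src: str
    dst: str
    dstport: int
    proto: int
    action: str


def parse_flow(record: str) -> Optional[Flow]:
    """Parse one default-format v2 record; NODATA/SKIPDATA rows return None."""
    f = record.split()
    if len(f) != 14 or f[0] != "2":
        return None
    try:
        return Flow(src=f[3], dst=f[4], dstport=int(f[6]), proto=int(f[7]), action=f[12])
    except ValueError:  # '-' placeholders in NODATA/SKIPDATA rows
        return None


def analyze(log_text: str) -> dict:
    """Return DoH-resolver hits and a count of ordinary UDP/53 lookups.

    A DoH lookup is indistinguishable from any other HTTPS session except by
    its destination, which is why DNS query logging alone never records it.
    """
    hits: List[str] = []
    plain_dns = 0
    for line in log_text.splitlines():
        fl = parse_flow(line)
        if fl is None:
            continue
        if fl.proto == UDP and fl.dstport == 53:
            plain_dns += 1
        elif (fl.proto == TCP and fl.dstport == 443
              and fl.dst in DOH_RESOLVERS and fl.action == "ACCEPT"):
            hits.append(f"{fl.src} -> {fl.dst}:443 ({DOH_RESOLVERS[fl.dst]} DoH)")
    return {"doh_hits": hits, "plain_dns": plain_dns}


# Constructed sample: a VPC-attached function (10.0.1.15) talks to two DoH
# resolvers over 443, makes one ordinary lookup to the VPC resolver (10.0.0.2),
# opens an unrelated HTTPS session, and the last row is a NODATA placeholder.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 8.8.8.8 48122 443 6 14 3210 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 1.1.1.1 48123 443 6 9 1870 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.0.2 55011 53 17 2 180 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 48124 443 6 20 9100 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1649000000 1649000060 - NODATA
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["doh_hits"]:
        print("DoH resolver contact:", hit)
    print("ordinary DNS lookups:", result["plain_dns"])
```

Two caveats apply. VPC Flow Logs only exist for Lambda functions attached to a VPC; a function without VPC configuration egresses through AWS-managed networking and produces no customer-visible flow records, so this check gives no coverage there. And matching on a fixed list of public resolvers is a heuristic: DoH can be served from any HTTPS endpoint, so the stronger control is to route function traffic through a VPC where egress to 443 is limited to approved destinations and the VPC resolver is the only DNS path.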
Amazon highlighted in a statement shared with The Hacker News that "Lambda is secure by default, and AWS continues to work as designed," adding that customers who violate its acceptable use policy (AUP) will be barred from utilising its services.
Although Denonia is clearly built for AWS Lambda, checking for Lambda-specific environment variables before it runs, Cado Labs found that it can also be executed in a conventional Linux server environment.
"The researcher's programme does not exploit any vulnerabilities in Lambda or any other AWS service," the company added. "Because the software is solely based on fraudulently obtained account credentials, even referring to it as malware is a misrepresentation of the truth because it lacks the ability to gain unauthorised access to any system on its own."
The "python" file isn't the only Denonia sample found so far: Cado Labs identified a second sample, "bc50541af8fe6239f0faa7c57a44d119.virus", uploaded to VirusTotal on January 3, 2022.
"Although this first instance is quite harmless in that it merely runs crypto-mining software," Muir said, "it highlights how attackers are employing advanced cloud-specific expertise to exploit complicated cloud architecture, and is indicative of potential future, more sinister operations."