New malware targets serverless AWS Lambda with cryptominers

Image: Sandro Katalina

Security researchers have discovered the first malware specifically developed to target Amazon Web Services (AWS) Lambda cloud environments with cryptominers.

AWS Lambda is a serverless computing platform for running code from hundreds of AWS services and software as a service (SaaS) apps without managing servers.

The new malware, dubbed Denonia by Cado Security researchers who spotted it being used in limited attacks, is a Go-based wrapper designed to deploy a custom XMRig cryptominer to mine for Monero cryptocurrency.

The sample they found was a 64-bit ELF executable targeting x86-64 systems uploaded to VirusTotal in February. They later discovered a second sample uploaded a month earlier, in January, hinting at these attacks spanning at least a couple of months.

"Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks," the Cado researchers said.

Likely deployed using stolen keys

What Cado Security wasn't able to find was how the attackers were able to deploy their malware onto compromised environments.

However, they suspect that the hackers likely used stolen or leaked AWS Access and Secret Keys, a tactic previously used to deliver bash scripts designed to download and run miners. This led to $45,000 in charges after the miner was active for a few weeks.

This shows that, while such managed runtime environments decrease the attack surface, misplaced or stolen credentials can lead to massive financial losses quickly due to difficult detection of a potential compromise.

"Under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves," the researchers added.

Also at home on Linux systems

While Denonia has been clearly designed to target AWS Lambda since it checks for Lambda environment variables before execution, Cado Security also found that it can run without issues on at least some Linux systems (e.g., Amazon Linux boxes).

"Despite the presence of this, we discovered during dynamic analysis that the sample will happily continue execution outside a Lambda environment (i.e. on a vanilla Amazon Linux box)," the researchers said.

"We suspect this is likely due to Lambda "serverless" environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox."

The malware also uses DNS over HTTPS (DoH) to perform DNS lookups over an encrypted HTTPS connection rather than regular plain text DNS queries.

This helps reduce the probability of triggering detection, and it also blocks attempts to inspect its malicious traffic, instead only revealing connections to Cloudflare and Google DoH resolvers.