Background
Cado Security recently published an analysis of the Denonia cryptominer, the first malware used to target AWS Lambda.
What is Denonia?
Denonia, active since at least early 2022, is a 64-bit ELF executable written in Go. It is a cryptominer containing a customized variant of the XMRig miner. Threat actors install cryptominers on victim systems as a form of distributed computing, using the victim's computing power to mine cryptocurrency. Denonia uses DNS over HTTPS, meaning its DNS requests are encrypted and carried as HTTPS traffic, so they do not appear as plaintext DNS queries. Researchers dubbed the malware Denonia after the name used in its C2 domain, denonia[.]xyz.
In our 2021 Year in Review report, we predicted more malware variants targeting Linux systems would emerge, given the Linux server’s dominance in SaaS applications that hold private customer data. Denonia is unique in that it was created to target AWS Lambda, a serverless computing platform available via Amazon Web Services. While Lambda has been around for almost a decade, it only recently saw more widespread adoption. Although Denonia was developed to target Lambda, researchers noted it will also run in a standard Amazon Linux server environment if the required environment variables are manually set.
Cado Security has not determined how Denonia is deployed but assessed that the threat actors likely used stolen or leaked credentials to gain access to the environment. AWS stated that the threat actors did not directly compromise Lambda through a vulnerability and that Denonia does not exploit any weakness in Lambda or other AWS services.
IOCs
PolySwarm has multiple samples of Denonia.
A31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca
739fe13697bc55870ceb35003c4ee01a335f9c1f6549acb6472c5c3078417eed
You can use the following CLI command to search for all Denonia samples in our portal:
$ polyswarm link list -f Denonia
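As an added example (not code from the original post, Cado Security, or PolySwarm), the following Python script shows how a defender can triage a file system path for the profile described above: a 64-bit ELF executable built with Go, optionally matching one of the two SHA-256 IoCs listed in this post. The Go build-info marker it looks for (the byte string "\xff Go buildinf:" that the Go linker embeds in every binary since Go 1.13) is a documented property of Go binaries; the directory it walks, the severity labels, and the sample files it constructs for a dry run are assumptions for illustration. In a Lambda function the only writable path is /tmp, so that is the path a practitioner would point it at.

```python
import os
import tempfile
from pathlib import Path
import hashlib

# The two SHA-256 hashes listed in this post (the only page-specific values used here).
DENONIA_SHA256 = {
    "a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca",
    "739fe13697bc55870ceb35003c4ee01a335f9c1f6549acb6472c5c3078417eed",
}

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2  # value of e_ident[EI_CLASS] for a 64-bit ELF
# Marker the Go linker writes at the start of the .go.buildinfo section (Go 1.13+).
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"


def classify_file(path):
    """Describe one file: ELF64?, Go-built?, and whether its hash matches a listed IoC."""
    with open(path, "rb") as f:
        data = f.read()
    is_elf = data.startswith(ELF_MAGIC)
    is_elf64 = is_elf and len(data) > 4 and data[4] == ELFCLASS64
    digest = hashlib.sha256(data).hexdigest()
    return {
        "path": str(path),
        "sha256": digest,
        "elf64": is_elf64,
        "go": GO_BUILDINFO_MAGIC in data,
        "known_denonia": digest in DENONIA_SHA256,
    }


def severity(info):
    """Exact IoC hits are conclusive; the ELF64+Go profile alone only merits review."""
    if info["known_denonia"]:
        return "high"
    if info["elf64"] and info["go"]:
        return "review"  # same profile as Denonia, but many legitimate tools are Go ELF64 too
    return "none"


def triage_directory(root):
    """Walk root and return findings for every file that warrants a look."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            try:
                info = classify_file(Path(dirpath) / name)
            except OSError:
                continue  # unreadable or vanished between listing and open
            if severity(info) != "none":
                findings.append(info)
    return findings


def make_constructed_samples():
    """Create a scratch directory of CONSTRUCTED files (not real malware) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="denonia-triage-"))
    # Minimal fake ELF64 header (magic, EI_CLASS=2) followed by the Go build-info marker.
    (root / "suspicious.bin").write_bytes(
        ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 9 + b"padding" + GO_BUILDINFO_MAGIC + b"\x00" * 16
    )
    # A 32-bit ELF carrying the same marker: outside Denonia's 64-bit profile, so not flagged.
    (root / "elf32.bin").write_bytes(ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9 + GO_BUILDINFO_MAGIC)
    (root / "notes.txt").write_text("handler config\n")
    return root


if __name__ == "__main__":
    # Real use: triage_directory("/tmp") inside the function's execution environment (assumed path).
    for finding in triage_directory(make_constructed_samples()):
        print(severity(finding), finding["path"], finding["sha256"])
```

The hash match is the only conclusive signal; the ELF64-plus-Go heuristic exists so that a renamed or recompiled variant whose hash is not on the list still surfaces for review rather than being silently ignored.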
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports