The PolySwarm Blog

Denonia Cryptominer Targets AWS Lambda

Apr 18, 2022 2:23:54 PM / by PolySwarm Tech Team


Background

Cado Security recently published an analysis of the Denonia cryptominer, the first malware used to target AWS Lambda.

What is Denonia?

Denonia, active since at least early 2022, is a 64-bit ELF executable written in Go. It is a cryptominer that embeds a customized variant of the XMRig miner. Threat actors install cryptominers on victim systems as a form of distributed computing, using the victim's computing power to mine cryptocurrency for themselves. Denonia uses DNS over HTTPS, meaning its DNS queries are wrapped in HTTPS traffic rather than sent as plaintext DNS, which hides the domains it resolves from conventional DNS monitoring. Researchers dubbed the malware Denonia after the domain used for its C2, denonia[.]xyz.


In our 2021 Year in Review report, we predicted that more malware variants targeting Linux systems would emerge, given the dominance of Linux servers among SaaS applications that hold private customer data. Denonia is unique in that it was created to target AWS Lambda, the serverless computing platform offered by Amazon Web Services. While Lambda has been around for almost a decade, it only recently saw more widespread adoption. Although Denonia was developed to target Lambda, researchers noted that it will also run in a standard Amazon Linux server environment if the Lambda environment variables it expects are set manually.

Cado Security has not determined how Denonia is deployed, but assessed that the threat actors likely used stolen or leaked credentials to gain access to the environment. AWS stated that the threat actors did not directly compromise Lambda using a vulnerability, and that Denonia does not exploit any weakness in Lambda or other AWS services.

IOCs

PolySwarm has multiple samples of Denonia.

A31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca

739fe13697bc55870ceb35003c4ee01a335f9c1f6549acb6472c5c3078417eed

You can use the following CLI command to search for all Denonia samples in our portal:

$ polyswarm link list -f Denonia

Topics: Threat Bulletin, Denonia, Cryptominer, AWS, Lambda