Cado Security recently published an analysis of the Denonia cryptominer, the first publicly documented malware written to target AWS Lambda.
What is Denonia?
Denonia, active since at least early 2022, is a 64-bit ELF executable written in Go. It is a cryptominer that bundles a customized variant of the XMRig miner. Threat actors install cryptominers on victim systems to mine cryptocurrency on the victim's computing power, which in a pay-per-use environment such as Lambda also means on the victim's bill. Denonia resolves its infrastructure over DNS over HTTPS (DoH), so its DNS lookups travel inside ordinary HTTPS traffic rather than as cleartext queries on port 53, hiding the C2 domain lookup from conventional DNS monitoring. Researchers named the malware Denonia after the domain used for command and control, denonia[.]xyz.
In our 2021 Year in Review report, we predicted that more malware variants targeting Linux systems would emerge, given how much of the SaaS infrastructure holding private customer data runs on Linux servers. Denonia is unusual in that it was created to target AWS Lambda, Amazon's serverless computing platform. Although Lambda has been available since 2014, it has only recently seen widespread adoption. Denonia was written for Lambda, but researchers noted that it will also run in a standard Amazon Linux server environment if the Lambda environment variables it expects are set manually; its dependency on Lambda is a check on environment variables, not on the platform itself.
Cado Security has not determined how Denonia is deployed, but assessed that the threat actors likely used stolen or leaked AWS credentials to gain access to the environment. AWS stated that the threat actors did not compromise Lambda through a vulnerability, and that Denonia does not exploit any weakness in Lambda or other AWS services. The defensive focus therefore falls on credential hygiene and on who is able to create or update Lambda functions in the account, not on the platform.
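If the assessment that stolen credentials were used is right, the deployment would have left ordinary Lambda control-plane API calls in CloudTrail, and that is the place to hunt. The following is an example added to this post, not Cado Security's or PolySwarm's tooling: it flags Lambda code deployments in CloudTrail management events that come from a principal, access-key type or network outside an account's deployment baseline. The account ID, CI role, networks and log records are constructed for illustration; the CloudTrail event names and field names are the real ones.

```python
"""Hunt CloudTrail management events for Lambda code deployments that do not
match the account's normal deployment path.

Example code added to this post, not Cado Security's or PolySwarm's tooling.
SAMPLE_RECORDS are constructed for illustration, not real logs; the trusted
role, account ID and networks are hypothetical.
"""
import ipaddress
import json

# Lambda control-plane CloudTrail event names that create or alter function
# code or configuration. CloudTrail suffixes versioned Lambda APIs this way.
DEPLOY_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331",
    "UpdateFunctionConfiguration20150331",
    "PublishLayerVersion20181031",
}

# Hypothetical baseline: the only principal that should ship code is the CI
# role, and it deploys from the build network.
TRUSTED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def _event(name, ident_type, arn, key, ip, function_name=None):
    """Build a constructed CloudTrail-shaped record (only the fields used here)."""
    return {
        "eventSource": "lambda.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": ident_type, "arn": arn, "accessKeyId": key},
        "requestParameters": {"functionName": function_name} if function_name else None,
    }


SAMPLE_RECORDS = [
    # Routine deploy: CI role, temporary credentials (ASIA...), build network.
    _event("UpdateFunctionCode20150331", "AssumedRole",
           "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-8812",
           "ASIAEXAMPLE00000001", "10.20.30.40", "orders-api"),
    # Read-only call: never a deployment, ignored whoever makes it.
    _event("ListFunctions20150331", "IAMUser",
           "arn:aws:iam::111122223333:user/legacy-admin",
           "AKIAEXAMPLE00000002", "203.0.113.77"),
    # Code pushed to an existing function with a long-term IAM user key from
    # an address outside the build network.
    _event("UpdateFunctionCode20150331", "IAMUser",
           "arn:aws:iam::111122223333:user/legacy-admin",
           "AKIAEXAMPLE00000002", "203.0.113.77", "orders-api"),
    # A brand-new function created with the same key.
    _event("CreateFunction20150331", "IAMUser",
           "arn:aws:iam::111122223333:user/legacy-admin",
           "AKIAEXAMPLE00000002", "203.0.113.77", "img-resize-helper"),
]


def principal(arn):
    """Strip the session name from an assumed-role ARN so one CI role matches
    regardless of build number; any other ARN is returned unchanged."""
    if ":assumed-role/" in arn:
        return arn.rsplit("/", 1)[0]
    return arn


def find_suspicious_deployments(records, trusted_principals, trusted_networks):
    """Return one finding per Lambda deployment event that breaks the baseline."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") not in DEPLOY_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        reasons = []
        if principal(ident.get("arn", "")) not in trusted_principals:
            reasons.append("principal outside deployment baseline")
        # AKIA prefix = long-term IAM user key; ASIA = temporary STS credential.
        if ident.get("accessKeyId", "").startswith("AKIA"):
            reasons.append("long-term access key (AKIA)")
        try:
            ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
            if not any(ip in net for net in trusted_networks):
                reasons.append("source IP outside trusted networks")
        except ValueError:
            # Calls made by an AWS service on the account's behalf record a
            # service hostname instead of an IP; skip the network check.
            pass
        if reasons:
            findings.append({
                "eventName": rec["eventName"],
                "functionName": (rec.get("requestParameters") or {}).get("functionName"),
                "principal": ident.get("arn"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_deployments(SAMPLE_RECORDS, TRUSTED_PRINCIPALS,
                                               TRUSTED_NETWORKS):
        print(json.dumps(finding, indent=2))
```

In a real hunt, feed the function the `Records` array from the account's CloudTrail log files (or rows from an Athena query over them) and tune TRUSTED_PRINCIPALS and TRUSTED_NETWORKS to the account's actual deployment path. Because Denonia is a Go ELF binary rather than a script handler, a flagged deployment whose package or runtime differs from what the function previously ran deserves a closer look.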
PolySwarm has multiple samples of Denonia.
You can use the following CLI command to search for all Denonia samples in our portal:
$ polyswarm link list -f Denonia