network data center switch router firewall

Researcher finds cryptomining malware targeting AWS Lambda

Security researchers with Cado Labs said they have found what they believe is the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.

AWS Lambda is a widely-used, serverless computing platform provided by Amazon as a part of Amazon Web Services.

In a report released on Wednesday, Cado Labs researcher Matt Muir said they decided to name the malware “Denonia,” after the name the attackers gave the domain it communicates with.

“The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls,” Muir said.  

“Although this first sample is fairly innocuous in that it only runs cryptomining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks. From the telemetry we have seen, the distribution of Denonia so far has been limited.”

The malware contains a customized variant of the XMRig mining software, a common app used for cryptocurrency mining by both legitimate users and malware gangs.

The malware is written in Go, Google’s programming language. Muir noted that there is an increasing amount of malware being written in Go because it can easily “produce cross-compatible executables” and provides a host of other benefits. 

Muir also noted that his team has not identified how Denonia is deployed yet. 

“It may simply be a matter of compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments, as we’ve seen before with more simple Python scripts,” he wrote. 

“Interestingly – this isn’t the only sample of Denonia. Whilst the first sample we looked at dates from the end of February, we also found a second sample that was uploaded to VirusTotal in January 2022.” 

Netenrich principal threat hunter John Bambenek explained that while it has been common for attackers to target automated environments to run cryptomining software – like what happened with Jenkins – this is the first time that he has seen Lambda targeted. 

“It comes as no surprise as many organizations have no real controls on development cloud resources and cryptomining is low-hanging fruit for hackers to monetize lax DevOps security,” he told The Record. 

Casey Bisson, head of product growth at code security firm BluBracket, said Lambda instances are “plentiful and often poorly monitored,” making them ripe for attack and potentially difficult to secure. 

Bisson compared it to the poorly secured IoT devices that made the Mirai botnet possible, which used hundreds of thousands of infected devices to launch distributed denial-of-service attacks starting in 2016.

“Cloud credential theft is common, supporting the report’s hypothesis about the attack vector,” Bisson said. “A secret in code is a secret shared.”

UPDATE (April 8, 2022 at 10:45am):

In response to the article, an AWS spokesperson said Lambda is "secure by default" and that AWS "continues to operate as designed."

“Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments. That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services,” the spokesperson said.

“The software described by the researcher does not exploit any weakness in Lambda or any other AWS service. Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself. What’s more, the researchers even admit that this software does not access Lambda--and that when run outside of Lambda in a standard Linux server environment, the software performed similarly."

Cado Labs declined to comment on the response from AWS.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.