07.06.2022 15:30

Denonia: A First Crypto-Mining Malware Targeting AWS Lambda



Cado Security researchers discovered a new type of malware that targets AWS Lambda environments. The malware, called Denonia, is the first to target AWS Lambda for crypto-mining software.

Cado Security found the Denonia malware in their routine cloud environment analysis. Although it is not widely distributed, its existence is proof of bad actors’ interest in cryptocurrency.

In February 2021, TeamTNT began targeting Kubernetes clusters with misconfigured Kubelets for cryptojacking, that is, illegally using victims’ computing resources to mine cryptocurrencies such as Bitcoin, Ethereum, Monero and others.

Tom Olzak, a cybersecurity researcher, says that in addition to laptops, desktops, and servers, the targets of threat actors for cryptojacking could also include gaming consoles and IoT devices as well as Android and iOS devices and environment monitoring devices used within data centers.

This is not the first time that crypto-mining malware has been discovered to attack AWS Lambda. TeamTNT’s crypto-malware, called Hildegard, was specifically designed for Kubernetes clusters. Trend Micro found that cryptocurrency miners are the most common type of malware on Linux.

Trend Micro’s Linux Threat Report H1 2021 stated that coin mining on Linux is particularly appealing to cybercriminals, as Linux underlies a substantial portion of cloud environments.

Linux runs on 100% of supercomputers, 50% of global websites, 96.3% of the top one million web servers and 90% of workloads. AWS Linux is also the most popular Linux distro, found in 17.58% of environments compared with Ubuntu’s 15.77%.

The cloud could theoretically offer unlimited computing power and computing capabilities. It is not surprising that threat actors are keen to attack cloud environments for crypto-mining, and they are now targeting AWS Lambda.

AWS Lambda can be used for any computing task, including maintaining and running code, processing web pages and serving API calls. Because it is fully managed and scalable, Lambda removes the need for customers to manage servers, operating systems, network layers or other infrastructure.

Matt Muir, a security researcher at Cado Security, said that it shows how attackers use advanced cloud-specific information to exploit complex cloud infrastructure, and that it suggests potential future, more dangerous attacks.

Denonia Malware

Denonia is written using Go and includes a customized version of the XMRig software, which is one of the most widely used crypto miners. Muir noted the growing prevalence of malware written using Google’s Go programming language.

He stated that the language was attractive to malware developers because of its ability to produce cross-compatible executables as well as the efficiency in deployment that statically linked binaries provide.

Olzak says that static analysis can be fast but is often hampered by the need to understand known malware signatures and files. Muir echoed the sentiment: “Statically linked binaries are often larger than dynamically linked equivalents – this makes static analysis slightly more laborious.”

“Go also handles strings in a unique way. Strings are not null-terminated as in C-like languages but are instead stored in large blobs and referenced by a structure that includes both a pointer and an integer defining the length. This can cause confusion in static analysis tools,” Muir said.
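As an added illustration of the string-layout point above (this is example code written for this article, not code from Cado Security’s analysis or from the Denonia sample), the following Go program mirrors the runtime’s string header and contrasts a NUL-terminated scanner with a header-aware one over a constructed byte blob in which three literals sit back to back with no terminator:

```go
package main

import (
	"bytes"
	"fmt"
	"unsafe"
)

// Mirror of the Go runtime's string header: data pointer plus length, no terminator.
type stringHeader struct {
	data unsafe.Pointer
	len  int
}

// StringHeaderOf returns the data pointer and length behind a Go string.
func StringHeaderOf(s string) (unsafe.Pointer, int) {
	h := (*stringHeader)(unsafe.Pointer(&s))
	return h.data, h.len
}

// CStyleStrings extracts strings the way a NUL-terminated scanner does: every
// maximal run of printable ASCII of at least minLen bytes counts as one string.
func CStyleStrings(blob []byte, minLen int) []string {
	var out []string
	sep := func(r rune) bool { return r < 0x20 || r > 0x7e }
	for _, run := range bytes.FieldsFunc(blob, sep) {
		if len(run) >= minLen {
			out = append(out, string(run))
		}
	}
	return out
}

// Span is a blob-relative string header: (offset, length).
type Span struct{ Off, Len int }

// GoStyleStrings recovers strings from header info, as a Go-aware analyser must.
func GoStyleStrings(blob []byte, spans []Span) []string {
	out := make([]string, 0, len(spans))
	for _, sp := range spans {
		out = append(out, string(blob[sp.Off:sp.Off+sp.Len]))
	}
	return out
}

func main() {
	blob := []byte("XMRigconfig.jsonLambda") // constructed: three literals, no NUL bytes
	spans := []Span{{0, 5}, {5, 11}, {16, 6}}
	fmt.Println(CStyleStrings(blob, 4), GoStyleStrings(blob, spans))
}
```

The C-style scan merges the three literals into one meaningless string, while the header-driven scan recovers them exactly; this is the confusion Muir describes.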

TeamTNT’s Hildegard uses a similar technique: the malicious payload is encoded inside a binary to evade automated static analysis, which makes it even stealthier.

Dynamic analysis of Denonia revealed that the malware keeps running even outside AWS Lambda, for example on a standard Linux system. Muir posits that this is because AWS Lambda’s underlying execution environment is based on Linux.

The threat actors also built Denonia to use DNS over HTTPS (DoH) rather than plain DNS. This lowers the chance of detection, since AWS cannot see the DNS lookups for malicious domains.

The Denonia sample Cado Security discovered is a 64-bit ELF executable for the x86_64 architecture with the following hash: a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca

It is not clear how Denonia is used to compromise target systems. The small size of the file (17.5 MB) suggests that remote desktop protocols, phishing and social engineering via social media are possible options.

Most phishing attacks involving cryptocurrency target the assets directly rather than mining; 50% of them were launched via social media.
