A first-of-its-kind malware that is specifically designed to execute in an AWS Lambda environment has been discovered by Cado labs. Even serverless environments are no longer safe. While the malware’s distribution is limited, the discovery of such malware is evidence of bad actors’ advanced technical skills and their interest in cryptocurrency.
AWS Lambda is serverless, event-driven compute service that runs code for any application or service without managing a server. It runs the code in response to events and can be triggered from over 200 AWS services and SaaS applications.
A serverless environment doesn’t mean there isn’t any server lying behind, but the user doesn’t have to manually manage the virtual machine or infrastructure behind it. AWS Lambda automatically manages the underlying computing resources, unlike AWS EC2 (Elastic Compute Cloud).
It is the cloud provider who manages and secures the underlying server, operating system, etc. reducing the attack surface. Under AWS shared responsibility model, AWS manages and secures the Lambda environment while the users secure the functions. Another feature to be mentioned is its ephemerality. AWS Lambda is short-lived, which means its runtime duration is very short. Security features of AWS lambda allow it to act only when the right resources or services with the right permissions try to invoke it.
But we need to note that nothing could stop DENONIA. Denonia can be a great example that attackers are gaining advanced cloud-specific knowledge to exploit even the complex cloud infrastructure. It is still a mystery exactly how the bad actors were able to deploy Denonia in the AWS Lambda environment. This single malware shows that there might be more attacks to come.
Denonia malware is 64-bit executable targeting x86-64-bit architecture that is written in Go language. It is named after the domain it communicates with (gw.denonia.xyz).
Denonia malware executes a customized version of XMRig in the lambda environment. XMRig is a software that is intended to mine Monero cryptocurrency. The malware uses several 3rd party libraries including the one that enables execution inside the AWS lambda environment. The security researchers were able to execute the malware on AWS Linux boxes used by the Lambda environment.
Denonia communicates with Command and Control (C&C) servers using a GO library that supports DNS over HTTPS (DoH). The DNS queries are encrypted, and the requests go out as regular HTTPS traffic to DoH resolvers like Cloudflare, Google, etc.
This technique provides some benefits which we must note. AWS cannot see the DNS lookups for the malicious Denonia domain, which helps to avoid detection from cloud workload protection tools. Since DNS requests appear as HTTPS traffic, it bypasses VPC level DNS controls.
When DNS resolvers send an IP address back to malware, it simply writes it to XMRig, and the malware then starts XMRig from memory and communicates with the hacker mining pool to get the mining job started.
Even though the malware seems to be causing harm to anybody now, the techniques used behind might open doors to more harmful attacks in the coming days. This single malware proved that even the serverless environments are not fundamentally secure as we thought they were.
The need to build new security tools to deal with malware detection and prevention within the serverless environment is on the rise.
How Denonia gets deployed in the Lambda environment is still unknown. But it is important to take all possible security measures to bring more security to avoid it.