Investigating what attackers are up to is a primary concern for cybersecurity researchers: without keeping an eye on what cybercriminals are cooking up, effective cybersecurity is not achievable. In that context, a new report has revealed that the Amazon Web Services (AWS) Lambda serverless computing platform has been targeted by a new kind of malware.
The malware uses newer address resolution techniques for its command-and-control communication in order to evade typical detection measures and virtual network access controls, Cado Labs explained. The threat has been code-named "Denonia", after the domain it connects to.
On February 25, 2022, a 64-bit ELF executable named "python", carrying the file extension ".exe", was uploaded to the VirusTotal database by the cybersecurity firm.
In addition to the "python" sample, Cado Labs has discovered a second Denonia sample, submitted to VirusTotal on January 3, 2022, under the name "bc50541af8fe6239f0faa7c57a44d119.virus".
According to the details that have been revealed, Denonia, which is written in Go, contains a customized version of the XMRig bitcoin mining software. The initial access method is unclear, but it is speculated that AWS access keys and secret keys may have been compromised.
A distinctive feature of the malware is its use of DNS over HTTPS (DoH): the DNS queries it sends to locate its command-and-control server, "gw.denonia[.]xyz", travel inside encrypted HTTPS sessions, hiding that resolution traffic from ordinary DNS monitoring.
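Because DoH bypasses resolver-level DNS query logging, network flow data is one place a defender can still look for it. The following is an added example, not code from the original article or from Cado Labs: it parses default-format AWS VPC flow log lines and flags accepted TLS connections from private addresses to well-known public DoH resolvers (the resolver list and the sample records are constructed assumptions).

```python
import ipaddress
from dataclasses import dataclass

DOH_RESOLVERS = {  # assumption: starter list of public DoH resolvers, extend from your own data
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "8.8.8.8", "8.8.4.4",          # Google
    "9.9.9.9", "149.112.112.112",  # Quad9
}

@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int  # IANA number: 6 = TCP, 17 = UDP
    action: str    # ACCEPT or REJECT

def parse_flow_line(line):
    """Parse one default-format (version 2) VPC flow log line; None for header/NODATA lines."""
    # Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
    f = line.split()
    if len(f) != 14 or f[0] == "version":
        return None
    try:
        return FlowRecord(f[3], f[4], int(f[6]), int(f[7]), f[12])
    except ValueError:  # NODATA/SKIPDATA records carry '-' in the numeric fields
        return None

def is_doh_candidate(rec):
    """TLS to a known public resolver from a private (VPC) address: DoH rather than port-53 DNS."""
    return (rec.protocol == 6 and rec.dstport == 443 and rec.dstaddr in DOH_RESOLVERS
            and ipaddress.ip_address(rec.srcaddr).is_private)

def find_doh_connections(lines):
    """Return (source, resolver) pairs for accepted flows that look like DoH."""
    hits = []
    for line in lines:
        rec = parse_flow_line(line)
        if rec is not None and rec.action == "ACCEPT" and is_doh_candidate(rec):
            hits.append((rec.srcaddr, rec.dstaddr))
    return hits

# Constructed sample records (not real telemetry): a DoH-looking flow, ordinary HTTPS, plain UDP/53 DNS, NODATA.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 1.1.1.1 44321 443 6 12 2540 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 52.94.0.1 44322 443 6 8 1200 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 9.9.9.9 44323 53 17 2 180 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1650000000 1650000060 - NODATA",
]
```

Lambda functions produce VPC flow logs only when they are attached to a VPC, and a hit shows DoH use rather than compromise, so it needs correlating with the function's expected behaviour.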
The details that have been revealed suggest that Denonia is clearly aimed at AWS Lambda, since it checks for Lambda environment variables before running; Cado Labs observed, however, that it also runs in a conventional Linux server environment.
According to an Amazon statement, Lambda is secure by default, AWS continues to operate as designed, and customers who violate the company's acceptable use policy (AUP) will be prohibited from using its services.
Amazon has also stated that, since the software exploits no weakness in Lambda or any other AWS service, calling it malware is rather inaccurate: it relies entirely on stolen account credentials and has no ability to gain unauthorized access to any system on its own.
Cloud-based attacks are growing more sophisticated, and this first instance shows attackers applying advanced cloud-specific expertise to target complex cloud architectures, which points toward more sophisticated attack operations in the future, the published report explains.
The research, which demonstrates how this malware can be used against a serverless computing architecture, has raised public awareness of a possible pathway for cyber threat actors. Many security professionals hold that major advances in security come only when individuals deepen their awareness of incoming threats and work together to address them.