Security researchers with Cado Labs said they have found what they believe is the first publicly known case of malware specifically designed to execute in an AWS Lambda environment.
AWS Lambda is a widely-used, serverless computing platform provided by Amazon as a part of Amazon Web Services.
In a report released on Wednesday, Cado Labs researcher Matt Muir said they decided to name the malware “Denonia,” after the name the attackers gave the domain it communicates with.
“The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls,” Muir said.
“Although this first sample is fairly innocuous in that it only runs cryptomining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks. From the telemetry we have seen, the distribution of Denonia so far has been limited.”
The malware contains a customized variant of the XMRig mining software, a common app used for cryptocurrency mining by both legitimate users and malware gangs.
The malware is written in Go, Google’s programming language. Muir noted that there is an increasing amount of malware being written in Go because it can easily “produce cross-compatible executables” and provides a host of other benefits.
Muir also noted that his team has not identified how Denonia is deployed yet.
“It may simply be a matter of compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments, as we’ve seen before with more simple Python scripts,” he wrote.
“Interestingly – this isn’t the only sample of Denonia. Whilst the first sample we looked at dates from the end of February, we also found a second sample that was uploaded to VirusTotal in January 2022.”
Netenrich principal threat hunter John Bambenek explained that while it has been common for attackers to target automated environments to run cryptomining software – like what happened with Jenkins – this is the first time that he has seen Lambda targeted.
“It comes as no surprise as many organizations have no real controls on development cloud resources and cryptomining is low-hanging fruit for hackers to monetize lax DevOps security,” he told The Record.
Casey Bisson, head of product growth at code security firm BluBracket, said Lambda instances are “plentiful and often poorly monitored,” making them ripe for attack and potentially difficult to secure.
Bisson compared it to the poorly secured IoT devices that made the Mirai botnet possible, which used hundreds of thousands of infected devices to launch distributed denial-of-service attacks starting in 2016.
“Cloud credential theft is common, supporting the report’s hypothesis about the attack vector,” Bisson said. “A secret in code is a secret shared.”
The post Researcher finds cryptomining malware targeting AWS Lambda appeared first on The Record by Recorded Future.