According to Matt Muir at Cado the discovery of this strain of malware represents the first such discovery and might just be the beginning. Amazon’s Lambda is an attractive cloud resource as it combines operational flexibility with the potential for enhanced security. Amazon secures the underlying execution environment the customer must secure the functions. This is where the new malware comes in. Dubbed Denonia for the C2 domain it talks to (we thought a more HalfLife focused one would have been more fun), it is the first publicly know malware to be specific to the Lambda environment.

The sample was interesting in that it was named python but was a GoLang binary. Inside of it was a version of XMRig that was customized for the environment and for the group using it. Analysis of the binary was complicated due to the environment and the way that Go works. It has created challenges with both dynamic and static analysis making it harder to identify in operation. Cado indicated that during dynamic analysis the malware halted execution, so they pivoted to static analysis of the code. As Go Uses statically linked binaries the static analysis was more work intensive while stings are stored in a blob and a struct. These contain a pointer to the string inside the blob and an integer that defines the length of the string when it is declared. The combination of these items can make static tools less than effective at determining what is going on.

The Denonia malware, after analysis, is clearly intended for the Lambda environment. It contains references to third-party libraries that are Lambda specific, although it was able to run in a Linux OS with certain environment variables set. Denonia also leverages DNS over HTTPS to make calls back to the C2 server more difficult to identify. By pushing DNS resolution over HTTPS Denonia avoids detection at the AWS level and VPC configurations that restrict DNS resolution. Cado was not able to identify an infection method during their analysis of the code. The suspect that this menthod of infection was via an account or API compromise. To us this means that an IAB (initial Access Broker) could be involved. It also could just be that this particular group wanted to see what they could do in an environment they compromised and also mine some monero in the process.

There is no reason to get overly concerned at this stage as there is no indication this is a widespread malware type. However, it is probably a good time to review the security around any AWS Lambda environments you have while ensuring the tools you use are capable of monitoring and detecting threats like this (look for DNS over HTTPS, dynamically analyze Go etc.). As with any new threat type, there is going to be a ramp up time from the POC/Test phase to full campaigns. This is the time to start looking to fix any gaps in detection capabilities and address them, not after campaigns are identified in the wild.