Denonia: The First Crypto-Mining Malware That Targets AWS Lambda

essidsolutions

Researchers at Cado Security have discovered new malware that targets AWS Lambda environments. Dubbed Denonia, it is the first known malware designed specifically to run crypto-mining software on AWS Lambda.

Cado Security found Denonia during routine analysis of cloud environments. Its distribution appears limited, but its existence confirms what was already no secret: threat actors' strong interest in mining cryptocurrency on other people's infrastructure.

In February 2021, TeamTNT began targeting Kubernetes clusters through misconfigured kubelets for cryptojacking, i.e., illicitly using victims' computing resources to mine cryptocurrencies such as Bitcoin, Ethereum and Monero.

According to cybersecurity researcher Tom Olzak, besides laptops, desktops, and servers, threat actors’ targets for cryptojacking may also include gaming consoles, IoT devices, Android and iOS devices, and environment monitoring devices used in data centers.

However, this is the first time crypto-mining malware targeting AWS Lambda has emerged, or at least been made public. TeamTNT's crypto-malware, named Hildegard, was built specifically for Kubernetes clusters. Meanwhile, Trend Micro found that coinminers (cryptocurrency-mining malware) are the most prevalent malware family on Linux.

In its Linux Threat Report for H1 2021, Trend Micro said coinmining on Linux is particularly attractive to cybercriminals because Linux underpins such a large share of cloud environments.

Linux runs on 100% of the top 500 supercomputers, 50.5% of the top 1,000 global websites, 96.3% of the top one million web servers, and 90% of public cloud workloads. Of all Linux distributions, AWS Linux is the second most prevalent, used in 17.58% of all environments, ahead of Ubuntu's 15.77%.

In theory, the cloud offers effectively unlimited computing capacity. It is no surprise, then, that threat actors are motivated to target cloud environments for crypto-mining and are now going after AWS Lambda.

AWS Lambda is a serverless compute service that runs customer code in response to events such as web requests, API calls and other triggers. It is fully managed and scales automatically, so customers do not operate the servers, operating systems, network layer or other infrastructure underneath their functions.

Matt Muir, a security researcher at Cado Security, noted, “It demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure and indicates potential future, more nefarious attacks.”


Denonia Malware

Denonia is written in Go and contains a customized variant of the XMRig mining software, one of the most popular crypto miners. Muir pointed out the increasing prevalence of malware written in Google’s Go programming language.

“The language is attractive to malware developers for a number of reasons, including the ease in which it can produce cross-compatible executables and the efficient deployment that statically-linked binaries bring,” he said.

According to Olzak, static analysis is fast but often limited by its dependence on known malware signatures, file types and structures. Muir made a related point about Go binaries: “Statically-linked binaries are typically much larger than dynamically-linked equivalents – this makes static analysis slightly more laborious.”

“Go also handles strings in an unusual way. Strings are not null-terminated, as they are in C-like languages, instead they are stored in a large blob and a struct which includes both a pointer to the string in the blob and an integer defining its length is created upon declaration. This can confuse some static analysis tools,” Muir added.
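The string layout Muir describes can be made concrete in a few lines of Go. The following is an added example, not code from the page or from the Denonia sample: it builds a constructed blob of three miner-like literals packed back to back without separators (none of them taken from Denonia), runs a strings(1)-style scanner over it, then recovers the literals from their (offset, length) headers the way Go-aware tooling does, and finally shows the same pointer-plus-length pair on a live Go string. Offsets stand in for the pointers a real binary holds.

```go
package main

import (
	"fmt"
	"unsafe"
)

// goString mirrors the two-word header Go keeps for every string value:
// a pointer into a shared read-only blob plus a length. Nothing terminates
// the bytes; only the length bounds them. Offsets stand in for pointers here.
type goString struct {
	off int // offset of the first byte inside the blob
	n   int // number of bytes
}

// blob is a constructed stand-in for the string data of a Go binary: three
// miner-like literals packed with no separators, then a few non-printable
// bytes. None of this is taken from Denonia.
var blob = []byte("xmrig" + "pool.example.invalid:3333" + "--donate-level=0" + "\x00\x01\x02")

// headers are the (offset, length) pairs a compiler would emit for the
// three literals in blob.
var headers = []goString{{0, 5}, {5, 25}, {30, 16}}

// extractCStrings emulates strings(1): it returns every run of at least
// minLen printable ASCII bytes and ends a run only at a non-printable byte.
// Because Go packs literals without terminators, adjacent strings merge.
func extractCStrings(b []byte, minLen int) []string {
	var out []string
	start := -1
	for i := 0; i <= len(b); i++ {
		if i < len(b) && b[i] >= 0x20 && b[i] <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(b[start:i]))
		}
		start = -1
	}
	return out
}

// extractGoStrings recovers strings from their (pointer, length) headers,
// which is what Go-aware tooling does instead of scanning for terminators.
func extractGoStrings(b []byte, hdrs []goString) []string {
	out := make([]string, 0, len(hdrs))
	for _, h := range hdrs {
		if h.off < 0 || h.n < 0 || h.off+h.n > len(b) {
			continue // corrupt header: skip rather than read out of bounds
		}
		out = append(out, string(b[h.off:h.off+h.n]))
	}
	return out
}

// headerOf exposes the same two words on a live Go string: the data pointer
// (unsafe.StringData, Go 1.20+) and the length. No terminator is involved.
func headerOf(s string) (uintptr, int) {
	return uintptr(unsafe.Pointer(unsafe.StringData(s))), len(s)
}

func main() {
	fmt.Println("strings(1)-style:", extractCStrings(blob, 4))
	fmt.Println("header-aware:    ", extractGoStrings(blob, headers))
	ptr, n := headerOf("xmrig")
	fmt.Printf("live header: ptr=%#x len=%d\n", ptr, n)
}
```

The terminator-based scan returns the three literals fused into one 46-byte string, which is exactly why a naive strings pass over a Go binary yields long, misleading runs and why indicator extraction from Go malware should start from the string headers (or from tooling that reads them) rather than from strings(1) output.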

TeamTNT's Hildegard pursues the same goal by a different route: its malicious payload is encrypted inside the binary to throw off automated static analysis, making it stealthier.

Dynamic analysis showed that Denonia also runs outside AWS Lambda, on an ordinary Linux system. Muir attributes this to the Lambda execution environment itself being Linux-based, which also means the sample can be detonated in a conventional Linux sandbox.

The threat actors behind Denonia also built it to resolve names with DNS over HTTPS (DoH). That reduces the likelihood of detection: the lookups for the malicious domain are carried inside ordinary HTTPS sessions to a public resolver, so AWS never sees them as DNS queries.
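To make the DoH point concrete, here is an added example (not code from the page or from Cado Security) showing both sides of it: how a client packs a lookup into the RFC 8484 wire format that rides over HTTPS, and how a defender who cannot see the query can still flag the egress. The domain pool.example.invalid, the dns.example placeholder host, the TEST-NET address 192.0.2.10 and the response bytes are all constructed; the resolver watchlist holds three real public DoH endpoints and should be extended for your environment.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// buildQuery encodes a minimal DNS query (one question, type A, class IN)
// in the wire format RFC 8484 carries inside HTTPS. The ID is 0, as the RFC
// recommends for DoH, so identical queries are cache-friendly.
func buildQuery(name string) ([]byte, error) {
	q := []byte{0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0} // id=0, flags=RD, qdcount=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label %q in %q", label, name)
		}
		q = append(q, byte(len(label)))
		q = append(q, label...)
	}
	q = append(q, 0)          // root label terminates the name
	q = append(q, 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
	return q, nil
}

// dohGetPath is the RFC 8484 GET form: the wire message, base64url, no padding.
func dohGetPath(query []byte) string {
	return "/dns-query?dns=" + base64.RawURLEncoding.EncodeToString(query)
}

// parseARecords returns the IPv4 addresses in a response's answer section.
// It handles compression pointers (0xC0 prefix) and skips non-A records.
func parseARecords(msg []byte) ([]string, error) {
	if len(msg) < 12 {
		return nil, errors.New("short message")
	}
	qd := int(binary.BigEndian.Uint16(msg[4:6]))
	an := int(binary.BigEndian.Uint16(msg[6:8]))
	off := 12
	skipName := func() error {
		for {
			if off >= len(msg) {
				return errors.New("truncated name")
			}
			l := int(msg[off])
			if l&0xC0 == 0xC0 { // compression pointer: two bytes, ends the name
				if off+1 >= len(msg) {
					return errors.New("truncated pointer")
				}
				off += 2
				return nil
			}
			off += 1 + l
			if l == 0 {
				return nil
			}
		}
	}
	for i := 0; i < qd; i++ {
		if err := skipName(); err != nil {
			return nil, err
		}
		off += 4 // QTYPE, QCLASS
	}
	var ips []string
	for i := 0; i < an; i++ {
		if err := skipName(); err != nil {
			return nil, err
		}
		if off+10 > len(msg) {
			return nil, errors.New("truncated resource record")
		}
		rtype := binary.BigEndian.Uint16(msg[off : off+2])
		rdlen := int(binary.BigEndian.Uint16(msg[off+8 : off+10]))
		off += 10
		if off+rdlen > len(msg) {
			return nil, errors.New("truncated RDATA")
		}
		if rtype == 1 && rdlen == 4 {
			ips = append(ips, fmt.Sprintf("%d.%d.%d.%d", msg[off], msg[off+1], msg[off+2], msg[off+3]))
		}
		off += rdlen
	}
	return ips, nil
}

// dohResolvers lists well-known public DoH endpoints (extend for your estate).
// HTTPS to one of these from a function with no reason to resolve names
// itself is the signal a defender can still alert on.
var dohResolvers = map[string]bool{"dns.google": true, "cloudflare-dns.com": true, "dns.quad9.net": true}

// isDoHEgress flags a destination host taken from egress or TLS SNI logs.
func isDoHEgress(host string) bool {
	return dohResolvers[strings.ToLower(strings.TrimSuffix(host, "."))]
}

// sampleResponse builds a constructed reply to buildQuery(name) carrying one
// A record whose owner name is a pointer back to the question at offset 12.
func sampleResponse(name string, ip [4]byte) []byte {
	q, _ := buildQuery(name)
	r := append([]byte(nil), q...)
	r[2], r[3] = 0x81, 0x80 // QR=1, RD=1, RA=1, RCODE=NOERROR
	r[7] = 1                // ANCOUNT=1
	r = append(r, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4) // ptr, A, IN, TTL 60, RDLENGTH 4
	return append(r, ip[:]...)
}

func main() {
	q, _ := buildQuery("pool.example.invalid")
	fmt.Println("GET https://dns.example" + dohGetPath(q)) // placeholder resolver host
	ips, err := parseARecords(sampleResponse("pool.example.invalid", [4]byte{192, 0, 2, 10}))
	fmt.Println("answers:", ips, "err:", err)
	fmt.Println("egress to dns.google is DoH:", isDoHEgress("dns.google"))
}
```

The query never leaves the HTTPS session as DNS, which is why resolver-side logging does not help here. A Lambda function that is not attached to a VPC egresses straight to the internet, so the practical controls are to attach functions to a VPC with restricted egress, or to alert on TLS connections to resolver endpoints from functions that have no business making them.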

The Denonia sample discovered by Cado Security is a 64-bit ELF executable for the x86-64 architecture with the SHA-256 hash a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca.
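A first-pass check on a sample like this, given here as an added example rather than anything from Cado Security: hash the file for indicator matching and read the ELF class, byte order and machine type straight from the header. The only value taken from the page is the published SHA-256; the 64-byte header the code triages is constructed and deliberately does not match it.

```go
package main

import (
	"crypto/sha256"
	"debug/elf"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// denoniaSHA256 is the indicator published for the sample discussed above.
const denoniaSHA256 = "a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca"

// triage holds the first things an analyst records about an ELF sample.
type triage struct {
	SHA256  string
	Class   elf.Class   // 32- or 64-bit
	Data    elf.Data    // byte order
	Type    elf.Type    // ET_EXEC, ET_DYN, ...
	Machine elf.Machine // EM_X86_64, EM_AARCH64, ...
}

// triageELF hashes the whole buffer and reads e_ident, e_type and e_machine
// straight from the first 20 bytes, so it still classifies samples that are
// truncated or malformed enough for debug/elf.NewFile to reject.
func triageELF(b []byte) (triage, error) {
	var t triage
	sum := sha256.Sum256(b)
	t.SHA256 = hex.EncodeToString(sum[:])
	if len(b) < 20 || string(b[:len(elf.ELFMAG)]) != elf.ELFMAG {
		return t, errors.New("not an ELF file")
	}
	t.Class = elf.Class(b[elf.EI_CLASS])
	t.Data = elf.Data(b[elf.EI_DATA])
	var bo binary.ByteOrder
	switch t.Data {
	case elf.ELFDATA2LSB:
		bo = binary.LittleEndian
	case elf.ELFDATA2MSB:
		bo = binary.BigEndian
	default:
		return t, errors.New("unknown ELF data encoding")
	}
	t.Type = elf.Type(bo.Uint16(b[16:18]))
	t.Machine = elf.Machine(bo.Uint16(b[18:20]))
	return t, nil
}

// matchesIOC compares the sample hash with a published indicator, ignoring case.
func matchesIOC(t triage, ioc string) bool {
	return strings.EqualFold(t.SHA256, strings.TrimSpace(ioc))
}

// fitsLambdaX86 reports whether the sample is the kind of binary that could
// run on a Lambda x86_64 runtime: a 64-bit, little-endian, x86-64 ELF.
func fitsLambdaX86(t triage) bool {
	return t.Class == elf.ELFCLASS64 && t.Data == elf.ELFDATA2LSB && t.Machine == elf.EM_X86_64
}

// sampleHeader is a constructed 64-byte ELF64 header, not Denonia: 64-bit,
// little-endian, ET_EXEC, EM_X86_64, with no program or section headers.
func sampleHeader() []byte {
	h := make([]byte, 64)
	copy(h, elf.ELFMAG)
	h[elf.EI_CLASS] = byte(elf.ELFCLASS64)
	h[elf.EI_DATA] = byte(elf.ELFDATA2LSB)
	h[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	binary.LittleEndian.PutUint16(h[16:], uint16(elf.ET_EXEC))
	binary.LittleEndian.PutUint16(h[18:], uint16(elf.EM_X86_64))
	binary.LittleEndian.PutUint32(h[20:], uint32(elf.EV_CURRENT)) // e_version
	binary.LittleEndian.PutUint16(h[52:], 64)                    // e_ehsize
	return h
}

func main() {
	t, err := triageELF(sampleHeader())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sha256=%s class=%s data=%s type=%s machine=%s\n", t.SHA256, t.Class, t.Data, t.Type, t.Machine)
	fmt.Println("fits Lambda x86_64:", fitsLambdaX86(t), "matches Denonia IOC:", matchesIOC(t, denoniaSHA256))
}
```

Reading the header fields by hand rather than through debug/elf.NewFile is deliberate: a triage tool should still classify a sample whose section table has been stripped or corrupted, and the hash comparison should run regardless of whether the file parses at all.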

It is unclear how Denonia is delivered to target systems. Its size (17.5 MB) does not rule out delivery through phishing, remote desktop protocols, or social engineering on social media. Note, however, that code reaches a Lambda function only through the Lambda API, so deploying the binary into a live function presupposes valid AWS credentials or a compromised build pipeline.

Most phishing attacks involving cryptocurrency today target the assets themselves, such as wallets and exchange accounts, rather than aiming to plant miners; about half of such attacks are launched through social media.
