The latest research from Cado Security reveals the first publicly known malware that is specifically designed to execute in the AWS Lambda serverless environment.
Named Denonia, the malware downloads and runs crypto-mining software, and demonstrates how attackers are targeting newer cloud computing services and taking advantage of their ephemeral nature to evade detection.
Short runtime duration, the high volume of executions, and the dynamic and ephemeral nature of Lambda functions can make it difficult to detect, investigate and respond to a potential compromise.
Whilst Denonia is clearly designed to execute inside Lambda environments, the researchers haven’t as yet identified how it’s deployed. The malware uses newer address resolution techniques for its command and control traffic to evade typical detection measures and virtual network access controls.
It’s written in the Google Go programming language, which makes it easy to produce cross-platform executables, along with the simpler deployment that statically-linked binaries bring. At the same time, these characteristics of the language can pose challenges to malware researchers analysing binaries compiled from Go.
Matt Muir, security researcher at Cado, writes on the company’s blog, “Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks. From the telemetry we have seen, the distribution of Denonia so far has been limited.”
You can find out more in the full analysis of the malware on the Cado blog.