Discovered the First Malware for AWS Lambda Serverless Platform


The AWS Lambda serverless computing platform has been targeted by a first-of-its-kind piece of malware, dubbed Denonia.


Cado Labs researcher Matt Muir said that "the malware uses newer address resolution techniques for command and control traffic in order to evade typical detection measures and virtual network access controls."


The first sample, a 64-bit ELF executable named "python", was uploaded to the VirusTotal database on February 25, 2022.


The filename is a misnomer: Denonia is written in Go and bundles a customized version of the XMRig cryptocurrency mining software. The initial access method is unknown, but compromised AWS access key IDs and secret access keys are suspected.






Another noteworthy feature is the malware's use of DNS over HTTPS (DoH) to resolve its command-and-control domain ("gw.denonia[.]xyz"). The DNS lookup travels inside an HTTPS session rather than as plaintext DNS, so it is invisible to DNS-based monitoring and is not stopped by network controls that only inspect conventional DNS traffic.


When asked by The Hacker News, Amazon stated that Lambda is "safer than ever" by default and that users who violate its acceptable use policy will be barred from using the service.


Cado Labs also found that Denonia checks for Lambda-specific environment variables before executing, and that it will run on a standard Linux server outside AWS Lambda once those variables are set.


"Lambda and other AWS services are not vulnerable to the software described by the researcher," the company said. "Even calling the software malware is a distortion of the facts because it lacks the ability to gain access to any system without the use of fraudulent credentials."


"python" is not the only Denonia sample found so far: Cado Labs discovered a second sample, named "bc50541af8fe6239f0faa7c57a44d119", that was uploaded to VirusTotal on January 3, 2022.


The first sample is relatively benign in that it only runs crypto-mining software, but, according to Muir's report, it shows how attackers are applying advanced cloud-specific knowledge to exploit complex cloud infrastructure.
