[MART] - Daily Diary #486 - Meet Denonia, A Malware That Targets AWS Lambda

CTAS-MAT ctas-mat at appgate.com
Wed Apr 6 22:10:44 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

04/06/2022 - Diary entry #486:

Lambda is an event-driven, serverless cloud computing service provided by Amazon as one of many services of Amazon Web Services (AWS). Lambda runs applications in response to events and automatically manages the required computing resources. Recently, a new malware dubbed Denonia was discovered as the first malware specifically targeting Lambda.

Denonia is a malware written in Go that contains a custom XMRig mining software, very used by crypto miners malware (covered in our Daily Diary #417). Besides that, Denonia was specifically built to execute inside AWS Lambda environments. Its binary contains several third-party Go libraries to handle Lambda's functionalities.

To communicate with its C2 server and receive commands, Denonia sends requests using Google or Cloudflare DNS's URLs using a Go library that provides DNS over HTTPS (DoH). This is a very clever approach since DoH encrypts the DNS queries, avoiding detection and bypassing environments unable to perform DNS lookups.

Cloud computing environments are a trend in the development and (consequently) in the security business. With many applications running over those services, they became a vector for cybercriminals to attack corporate environments. Denonia is currently very simple. However, it can become very dangerous so we expect new versions to appear or to be copycatted by other malware developers.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220406/5b07a3cf/attachment.htm>


More information about the MART mailing list