Cado Discovers Denonia: The First Malware Specifically Targeting Lambda

Cado Labs documents the first publicly known malware designed to run specifically inside an AWS Lambda environment, named Denonia, which uses DNS over HTTPS for its command-and-control lookups and mines Monero via an embedded XMRig variant. This cloud-focused threat demonstrates how attackers leverage Lambda-specific knowledge to exploit ephemeral cloud infrastructure, with limited distribution observed so far. #Denonia #AWSLambda #XMRig #DNSoverHTTPS #gw.denonia.xyz

Keypoints

  • Denonia is identified as the first malware explicitly designed to execute inside AWS Lambda.
  • The sample is written in Go and includes a customised XMRig mining component, running from memory and writing config to /tmp.
  • DNS over HTTPS (DoH) is used for C2 lookups to evade detection and accommodate Lambda/VPC constraints.
  • The malware relies on Lambda-specific environment details (e.g., /tmp writable, HOME=/tmp) but can run on a regular Linux host as well.
  • There are multiple samples and IOCs, including a February 2022 sample and a January 2022 sample, with specific hashes and domains.
  • Possible deployment method includes compromising AWS Access and Secret Keys to manually deploy into compromised Lambda environments.

MITRE Techniques

  • [T1078] Valid Accounts – Compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments. “…compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments…”
  • [T1071.004] DNS – The malware uses DNS over HTTPS to perform domain lookups and conceal C2 communications. “Using DoH is a fairly unusual choice for the Denonia authors, but provides two advantages here: … AWS cannot see the dns lookups for the malicious domain”
  • [T1041] Exfiltration Over C2 Channel – Denonia communicates with the attacker-controlled mining pool to receive mining jobs and status. “Denonia then starts XMRig from memory, and communicates with the attacker controlled Mining pool at 116.203.4[.]0:3333”

Indicators of Compromise

  • [SHA256] 739fe13697bc55870ceb35003c4ee01a335f9c1f6549acb6472c5c3078417eed – first Denonia sample observed (February 2022)
  • [SHA256] a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca – second sample referenced (January 2022)
  • [Domains] denonia.xyz, gw.denonia.xyz – domain infrastructure used by Denonia
  • [Domains] ctrl.denonia.xyz, 1.gw.denonia.xyz, www.denonia.xyz, xyz.denonia.xyz, mlcpugw.denonia.xyz – additional domains observed
  • [IP Addresses] 116.203.4.0, 162.55.241.99, 148.251.77.55 – destinations contacted by the malware
  • [File Name] python – the malware is packaged with the filename “python” but is actually written in Go
  • [File] /tmp/.xmrig.json – config written for the XMRig miner in the Lambda /tmp writable area
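The mining-pool traffic described under T1041 and the network indicators listed above, as an added detection example that is not part of the Cado report: a small Python scanner that walks VPC Flow Log records (constructed sample lines in the default version-2 format) and flags flows to the listed IP addresses or to the mining-pool port 3333. It assumes the Lambda function is attached to a VPC so its ENI produces flow logs; traffic from a function outside a VPC is not captured there.

```python
"""Flag VPC Flow Log records that match the Denonia network indicators."""
from dataclasses import dataclass

# Indicators taken from the report above.
DENONIA_IPS = {"116.203.4.0", "162.55.241.99", "148.251.77.55"}
MINING_POOL_PORT = 3333  # attacker-controlled pool at 116.203.4[.]0:3333

# Constructed sample records in the default VPC Flow Log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 52.94.5.10 49152 443 6 12 2400 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 116.203.4.0 41200 3333 6 88 17600 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 162.55.241.99 41201 443 6 3 600 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 8.8.8.8 41202 53 17 1 80 1649000000 1649000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 41203 3333 6 40 8000 1649000000 1649000060 ACCEPT OK
"""


@dataclass(frozen=True)
class Hit:
    eni: str
    src: str
    dst: str
    dstport: int
    reason: str


def scan_flow_log(text: str) -> list[Hit]:
    """Return one Hit per record whose destination matches an indicator."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue  # skip blank lines, headers and non-default formats
        eni, src, dst, dstport = f[2], f[3], f[4], int(f[6])
        if dst in DENONIA_IPS:
            hits.append(Hit(eni, src, dst, dstport, "known Denonia IP"))
        elif dstport == MINING_POOL_PORT:
            # Unknown destination but the same stratum port the report names.
            hits.append(Hit(eni, src, dst, dstport, "mining pool port"))
    return hits


if __name__ == "__main__":
    for h in scan_flow_log(SAMPLE_FLOW_LOG):
        print(f"{h.eni} {h.src} -> {h.dst}:{h.dstport}  ({h.reason})")
```

Port 3333 alone is a weak signal on its own; treat it as a pivot for checking the function's /tmp for .xmrig.json and reviewing who deployed the code.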

Read more: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/