Denonia Malware Detection: Go-Based Wrapper Compromises AWS Lambda to Deploy Monero Miner

April 13, 2022 · 3 min read
Novel Denonia Malware

Security researchers report alarming activity associated with Denonia, a tailor-made malware strain that targets Amazon Web Services (AWS) Lambda environments. The malware is written in the Go language. Once in the system, it downloads, installs, and executes XMRig cryptomining files to mine the Monero cryptocurrency.

Detect Denonia Malware

The AWS Lambda malware known as Denonia uses a specific user-agent to connect to its C2 server. To detect traces of the Denonia cryptominer, use the following threat detection content released by Osman Demir:

Suspicious AWS Lambda Malware by Detection of User Agent (via proxy)

This Sigma-based detection has translations for 17 SIEM, EDR & XDR platforms.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Command and Control tactic with Application Layer Protocol (T1071) as the primary technique.

To check whether your systems were attacked through a compromised AWS Lambda platform, see the full list of rules available in the Threat Detection Marketplace repository of SOC Prime’s platform. Eager to craft your own Sigma rules? Join our Threat Bounty program to share your Sigma and YARA rules via the Threat Detection Marketplace repository and get rewarded for your valuable contribution.

What is Denonia?

Denonia is the first malware of its kind in the sense that no previously documented strains were developed specifically to compromise AWS Lambda cloud environments and deploy cryptominers. Denonia contains a customized variant of the open-source XMRig cryptominer, which hijacks the victim’s machine and feeds on its resources to mine digital currency, namely Monero (XMR).

The original sample dates back to January 2022, indicating that the attacks have been going on for more than two months, with two Denonia samples available on darknet markets today.

Denonia Analysis

The Denonia investigation is still ongoing and has yet to reveal how adversaries deploy the malware onto targeted environments (the only thing known is that Lambda was not breached through a vulnerability). Cado Labs’ analysts speculate that hackers may be compromising AWS Access and Secret Keys and then deploying the malware manually.
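To review your own account for the deployment path Cado Labs speculates about, the following added example (not from the original article or from Cado Labs) flags Lambda code deployments signed with long-term IAM user keys that are not on a known list. It assumes CloudTrail management events loaded as JSON records; the key IDs, function names and IP addresses are constructed sample data.

```python
import re

# Lambda API calls that create a function or replace its code. CloudTrail logs
# them with an API-version suffix (e.g. CreateFunction20150331), so match the
# name followed by a digit; this excludes calls like CreateFunctionUrlConfig.
DEPLOY_EVENT = re.compile(r"^(CreateFunction|UpdateFunctionCode)(\d|$)")
LAMBDA = "lambda.amazonaws.com"

def flag_key_based_lambda_deploys(records, expected_keys=frozenset()):
    """Return Lambda code deployments signed with a long-term IAM user key
    that is not in expected_keys (assumption: your known deploy keys)."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        if rec.get("eventSource") != LAMBDA or not DEPLOY_EVENT.match(name):
            continue
        ident = rec.get("userIdentity") or {}
        key_id = ident.get("accessKeyId", "")
        # Long-term IAM user keys start with AKIA; temporary STS keys with ASIA.
        if ident.get("type") != "IAMUser" or not key_id.startswith("AKIA"):
            continue
        if key_id in expected_keys:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "function": (rec.get("requestParameters") or {}).get("functionName"),
            "key": key_id,
            "source_ip": rec.get("sourceIPAddress"),
            "error": rec.get("errorCode"),  # set when the call was denied or failed
        })
    return findings

def _rec(source, name, id_type, key, fn, ip):
    # Builds one constructed CloudTrail-style record (sample data, not real logs).
    return {"eventTime": "2022-04-01T00:00:00Z", "eventSource": source,
            "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": id_type, "accessKeyId": key},
            "requestParameters": {"functionName": fn}}

SAMPLE = [  # constructed records; every identifier below is a placeholder
    _rec(LAMBDA, "CreateFunction20150331", "IAMUser", "AKIAEXAMPLEUNKNOWN01", "img-resize", "203.0.113.50"),
    _rec(LAMBDA, "UpdateFunctionCode20150331v2", "IAMUser", "AKIAEXAMPLEDEPLOY001", "api", "198.51.100.7"),
    _rec(LAMBDA, "UpdateFunctionCode20150331v2", "AssumedRole", "ASIAEXAMPLEROLE00001", "api", "198.51.100.7"),
    _rec(LAMBDA, "GetFunction20150331v2", "IAMUser", "AKIAEXAMPLEUNKNOWN01", "api", "203.0.113.50"),
    _rec("s3.amazonaws.com", "PutObject", "IAMUser", "AKIAEXAMPLEUNKNOWN01", None, "203.0.113.50"),
]

if __name__ == "__main__":
    print(*flag_key_based_lambda_deploys(SAMPLE, {"AKIAEXAMPLEDEPLOY001"}), sep="\n")
```

Findings are leads for review rather than verdicts: a hit means a long-term key outside your expected set created or replaced function code, which is worth checking against the key's owner and source IP.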

According to the researchers, Denonia is coded in the Go language. Adversaries are growing increasingly savvy with Go, driving a steady increase in the number of Go-based malware strains available on darknet markets and spotted in the wild. Cybercriminals favor malicious Go binaries for a variety of reasons, including their versatility and stealthiness (Go-based binaries are rather bulky, which lets them bypass a number of antivirus programs unnoticed).

It is evident that Denonia was created to target Lambda, a serverless, event-driven compute service, as it checks for Lambda environment variables before executing. However, according to the current data, it can also be leveraged to compromise Linux systems, such as Amazon Linux boxes.

Register for SOC Prime’s Detection as Code platform for free and take your threat discovery and threat hunting operations to a whole new level. Instantly hunt for the latest threats within 25+ supported SIEM, EDR, and XDR technologies, boost awareness of the most recent attacks in the context of exploited vulnerabilities and the MITRE ATT&CK matrix, and streamline your security operations.
