Denonia Malware Detection: Go-Based Wrapper Compromises AWS Lambda to Deploy Monero Miner

Novel Denonia Malware

Security researchers report alarming activity associated with a tailor-made malware dubbed Denonia to target Amazon Web Services (AWS) Lambda environments. The malware is written in the Go language. Once in the system, it is used to download, install, and execute the XMRig cryptomining files for Monero cryptocurrency mining.

Detect Denonia Malware

AWS Lambda malware, aka Denonia, uses a specific user-agent to connect to the C2 server. To detect the traces of Denonia cryptominer presence, utilize the following threat detection content released by Osman Demir:

Suspicious AWS Lambda Malware by Detection of User Agent (via proxy)

This Sigma-based detection has translations for 17 SIEM, EDR & XDR platforms.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Command and Control tactic with Application Layer Protocol (T1071) as the primary technique.

To detect whether there were attacks on your system by means of a compromised AWS Lambda platform, see the full list of rules available in the Threat Detection Marketplace repository of the SOC Prime’s platform. Eager to craft your own Sigma rules? Join our Threat Bounty program to share your Sigma and YARA rules via the Threat Detection Marketplace repository and get rewarded for your valuable contribution.

View Detections Join Threat Bounty

What is Denonia?

Denonia is first of its kind malware in a sense that there are no documented strains developed specifically to compromise AWS Lambda cloud environments to deploy cryptominers. Denonia contains a customized variant of the open-source XMRig cryptominer, utilized to hijack the victim’s machine to parasite on its resources and mine digital currency, namely, Monero (XMR).

The original sample dates back to January 2022, indicating that the attacks have been lasting for more than two months now, with two Denonia samples available on darknet markets today.

Denonia Analysis

The Denonia investigation is still ongoing, having yet to reveal how adversaries deploy the malware onto targeted environments (the only thing known is that Lambda was not breached through a vulnerability). Cado Labs’ analysts speculate that hackers may be following a path of compromising AWS Access and Secret Keys for consequent manual malware deployment.

According to the researchers, Denonia is coded in the Go language. Adversaries grow savvy to GoLang-based malware, boosting a stable increase in the number of Go-based malware strains available in darknet markets and spotted in the wild. Cybercriminals favor malicious codes in Go binary for a variety of reasons, including their versatility and stealthiness (Go-based binaries are rather bulky, which makes them able to bypass a number of antivirus programs unnoticed).

It is evident that Denonia was created to target a serverless, event-driven compute service Lambda, as it checks for Lambda environment variables before executing. However, according to the current data, it can also be leveraged to compromise Linux systems, such as Amazon Linux boxes.

Register for SOC Prime’s Detection as Code platform for free and take your threat discovery and threat hunting operations to the whole next level. Instantly hunt for the latest threats within 25+ supported SIEM, EDR, and XDR technologies, boost the awareness of the most recent attacks in the context of exploited vulnerabilities and MITRE ATT&CK matrix, and streamline your security operations.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts