Researchers have identified the first malware created to target Amazon Web Services (AWS) Lambda cloud environments. The new malware, named Denonia, is deploying cryptominers.

The Denonia malware

Denonia is a Go-based wrapper designed to deploy a custom XMRig crypto miner for Monero mining. The malware was detected in limited attacks.
  • One of the samples found was a 64-bit ELF executable targeting x86-64 systems, uploaded to VirusTotal in February. Another sample was uploaded a month earlier, in January.
  • Denonia checks the AWS Lambda environment variables before execution. 
  • The malware runs without any issues on some Linux systems such as Amazon Linux boxes.

Abuse of leaked keys

The attackers are believed to have used stolen or leaked AWS Access and Secret Keys to spread bash scripts to download and run miners. This led to $45,000 in charges after the miner was active for a few weeks.

Other cryptomining campaigns

Besides Denonia, several cryptomining campaigns have grown in recent months, and multiple such attacks have been observed lately.
  • For instance, a security firm observed cryptomining activities on multiple customer deployments as a result of hackers abusing the Log4j vulnerability (CVE-2021-44228).
  • Two weeks back, a threat actor was spotted employing a sophisticated crypto-mining malware, dubbed Verblecon, on systems to steal access tokens for Discord chat app users.
  • Around the same time, Mars Stealer’s cryptomining campaign was found abusing Google Ads ranking techniques to lure Canadian users.

Moreover, the Google Threat Horizon report declared that around 86% of compromised Google Cloud instances were used by cybercriminals to perform cryptocurrency mining.

Conclusion

Cryptocurrency mining has now become very popular among cybercriminals who aim to profit by exploiting cloud environments. The Denonia malware is yet another example of this growing type of crypto attack. Experts therefore suggest always using reliable anti-malware solutions and keeping software up to date for better protection.

Cyware Publisher
