
Attackers create malware for serverless computing platforms like AWS Lambda

Malware authors keep up with the times when it comes to server-oriented malware, adopting the same technologies their target organizations use. Security researchers recently discovered a cryptocurrency miner designed to run inside AWS Lambda, a so-called serverless computing platform built to run user-provided application code on demand.

“This first sample is fairly harmless in that it only runs cryptomining software, but it demonstrates how attackers can use their advanced cloud-related knowledge to exploit complex cloud infrastructure and represent a potentially more sinister attack in the future,” security researchers from Cado Security, who found the malware, said in their report.

Denonia Malware

The malware, written in Go, is named Denonia and is delivered as a 64-bit ELF executable for Linux. Cado researchers have yet to get information on how the malware is delivered, but they suspect compromised AWS access credentials and secret keys may be involved.

Malware written in the Go programming language is not new and has become increasingly prevalent in recent years, as Go offers attackers an easy way to make malware cross-platform and standalone. The downside is that the binary file is much larger, because it has to contain all the libraries the program needs instead of dynamically linking to libraries that already exist in the operating system.

This also makes such malware easy to deploy on serverless computing platforms, which are designed to support code in multiple programming languages. AWS Lambda natively supports Java, Go, PowerShell, Node.js, C#, Python, and Ruby.

Compared with traditional cloud computing, where users rent virtual machines and manage them and their operating systems, Lambda and similar products let users deploy code written in a variety of programming languages that runs on demand in response to events, without having to worry about the computing infrastructure behind the scenes, such as servers and operating systems, which the provider manages for them.

Denonia was clearly created with Lambda in mind, as it includes third-party open source Go libraries (aws-sdk-go and aws-lambda-go) that AWS itself maintains for interacting with the platform. It also checks for certain Lambda environment variables, such as LAMBDA_SERVER_PORT and AWS_LAMBDA_RUNTIME_API, when running.

“Despite this, we discovered during dynamic analysis that the sample would continue to run outside the Lambda environment (e.g., on a vanilla Amazon Linux box),” the Cado researchers said. “We believe this was likely due to the Lambda ‘serverless’ environment using Linux internally, so the malware believed it was running on Lambda (after we manually set the required environment variables) even though it was running in our sandbox.”
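The traits described above (an ELF binary built with Go, the Lambda environment variable names, the aws-lambda-go / aws-sdk-go import paths, miner strings) are all visible as plain strings in a binary, which makes a cheap static triage possible. The following is an added example, not code from the article or from Cado Security: it scans raw bytes for those indicators and flags the Lambda-aware-plus-miner combination. The byte blobs at the bottom are constructed stand-ins, not real samples, and the indicator lists are an assumption to be extended from a team's own IOCs.

```python
"""Static triage of a binary for the Lambda-targeting traits the article lists.

Added example, not code from the article or from Cado Security. It checks a
file's raw bytes for: the ELF magic, Go build markers, the Lambda runtime
environment variable names, the aws-lambda-go / aws-sdk-go import paths, the
XMRig miner and the DoH resolver hostnames. The byte blobs at the bottom are
constructed for the demo; the indicator lists are an assumption, not a
published signature.
"""
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"

# Strings Go's linker leaves in every binary (build ID note and runtime symbol).
GO_MARKERS = (b"Go build ID:", b"runtime.main")

# Indicator groups, each a list of literal byte patterns (case-sensitive).
INDICATORS = {
    "lambda_env": [b"LAMBDA_SERVER_PORT", b"AWS_LAMBDA_RUNTIME_API"],
    "lambda_sdk": [b"github.com/aws/aws-lambda-go", b"github.com/aws/aws-sdk-go"],
    "miner": [b"xmrig", b"stratum+tcp://", b"randomx"],
    "doh": [b"cloudflare-dns.com", b"dns.google"],
}


@dataclass
class Triage:
    is_elf: bool
    is_go: bool
    hits: dict = field(default_factory=dict)

    @property
    def lambda_aware(self) -> bool:
        """Binary knows about Lambda: reads its env vars or links the SDK."""
        return bool(self.hits.get("lambda_env") or self.hits.get("lambda_sdk"))

    @property
    def suspicious(self) -> bool:
        """Lambda awareness plus miner strings is the Denonia-style combination."""
        return self.lambda_aware and bool(self.hits.get("miner"))


def triage_bytes(blob: bytes) -> Triage:
    hits = {}
    for group, patterns in INDICATORS.items():
        found = [p.decode() for p in patterns if p in blob]
        if found:
            hits[group] = found
    return Triage(
        is_elf=blob.startswith(ELF_MAGIC),
        is_go=any(m in blob for m in GO_MARKERS),
        hits=hits,
    )


def triage_file(path: str) -> Triage:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


# Constructed stand-ins for real binaries (not real samples): an ELF-shaped
# prefix followed by the strings a Go linker would leave in the binary.
MINER_LIKE = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
              + b"Go build ID: \"constructed\"\x00runtime.main\x00"
              + b"github.com/aws/aws-lambda-go/lambda\x00AWS_LAMBDA_RUNTIME_API\x00"
              + b"LAMBDA_SERVER_PORT\x00xmrig\x00stratum+tcp://\x00dns.google\x00")
LEGIT_HANDLER = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
                 + b"Go build ID: \"constructed\"\x00runtime.main\x00"
                 + b"github.com/aws/aws-lambda-go/lambda\x00AWS_LAMBDA_RUNTIME_API\x00")

if __name__ == "__main__":
    for name, blob in (("miner-like", MINER_LIKE), ("legit-handler", LEGIT_HANDLER)):
        t = triage_bytes(blob)
        print(f"{name}: elf={t.is_elf} go={t.is_go} lambda_aware={t.lambda_aware} "
              f"suspicious={t.suspicious} hits={t.hits}")
```

The point of the two sample blobs is the false-positive case: a legitimate Go handler also links aws-lambda-go and reads AWS_LAMBDA_RUNTIME_API, so Lambda awareness on its own proves nothing. It is the combination with miner or resolver strings that is worth a look, and a packed or string-obfuscated build would defeat this check entirely, which is why it belongs in triage rather than in a blocking control.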

Covert communication makes Denonia detection difficult

The malware hides its command-and-control traffic inside DNS requests made to domains under the attacker’s control, and uses DNS-over-HTTPS (DoH) to conceal those requests. Because DoH encrypts the content of DNS requests, traffic inspection mechanisms only see HTTPS requests going to DoH resolvers like cloudflare-dns.com or dns.google.com, not the actual content of the query. This makes detection more difficult and lets the attackers get around Lambda network configurations that might not allow traditional DNS traffic over port 53.
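Inspection cannot read the DoH payload, but it can still see the destination: a function that talks TLS to a public resolver address while producing little or no ordinary port-53 DNS is exactly the pattern described above. The following is an added example, not from the article or from Cado Security: it parses default-format (version 2) VPC Flow Log records, keeps the ENIs the caller says belong to Lambda functions, and reports any of them with accepted TCP flows to a well-known DoH/DoT resolver on 443 or 853, alongside the plain-DNS counts for the same ENI. The ENI ids, addresses and log lines are constructed for the demo; the resolver address list is a starting point, not a complete one.

```python
"""Spot encrypted-DNS use by VPC-attached Lambda functions in VPC Flow Logs.

Added example, not from the article or from Cado Security. Reads the default
(version 2) flow-log record format and reports Lambda ENIs that sent TCP
traffic to a public DoH/DoT resolver address on 443 or 853. The ENI set and
the log lines below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Anycast addresses of public resolvers that serve DNS over HTTPS/TLS
# (Cloudflare, Google, Quad9). Extend to taste; this is a starting point.
ENCRYPTED_DNS_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                           "9.9.9.9", "149.112.112.112"}
ENCRYPTED_DNS_PORTS = {443, 853}

FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


@dataclass
class EniSummary:
    encrypted_dns_flows: int = 0
    plain_dns_flows: int = 0
    rejected_plain_dns: int = 0
    resolvers: set = field(default_factory=set)


def parse_flow(line: str):
    """Parse one default-format record; None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS) or parts[0] != "2" or parts[-1] != "OK":
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def find_encrypted_dns(lines, lambda_enis):
    """Return {eni: EniSummary} for Lambda ENIs that reached an encrypted-DNS resolver."""
    summaries = defaultdict(EniSummary)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["interface_id"] not in lambda_enis:
            continue
        s = summaries[rec["interface_id"]]
        if rec["dstport"] == 53:
            # Plain DNS; a REJECT here means the function tried port 53 and was blocked.
            s.plain_dns_flows += 1
            if rec["action"] == "REJECT":
                s.rejected_plain_dns += 1
        elif (rec["protocol"] == 6 and rec["dstport"] in ENCRYPTED_DNS_PORTS
              and rec["dstaddr"] in ENCRYPTED_DNS_RESOLVERS and rec["action"] == "ACCEPT"):
            s.encrypted_dns_flows += 1
            s.resolvers.add(rec["dstaddr"])
    return {eni: s for eni, s in summaries.items() if s.encrypted_dns_flows}


# Constructed: two Lambda ENIs, one web-server ENI, and a NODATA record.
# 10.0.0.2 stands in for the VPC's Amazon-provided resolver (base address + 2).
LAMBDA_ENIS = {"eni-0lambda0001", "eni-0lambda0002"}
SAMPLE_LOG = """\
2 123456789012 eni-0lambda0001 10.0.1.5 1.1.1.1 49152 443 6 20 3000 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0lambda0001 10.0.1.5 10.0.0.2 49153 53 17 1 80 1650000000 1650000060 REJECT OK
2 123456789012 eni-0lambda0001 10.0.1.5 1.1.1.1 49154 443 6 18 2800 1650000060 1650000120 ACCEPT OK
2 123456789012 eni-0lambda0002 10.0.1.6 10.0.0.2 49155 53 17 2 160 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0lambda0002 10.0.1.6 203.0.113.10 49156 443 6 30 9000 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0webserver1 10.0.2.9 8.8.8.8 49157 443 6 10 1200 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0lambda0001 - - - - - - - 1650000120 1650000180 - NODATA
"""

if __name__ == "__main__":
    for eni, s in find_encrypted_dns(SAMPLE_LOG.splitlines(), LAMBDA_ENIS).items():
        print(f"{eni}: {s.encrypted_dns_flows} encrypted-DNS flows to {sorted(s.resolvers)}, "
              f"{s.plain_dns_flows} plain DNS flows ({s.rejected_plain_dns} rejected)")
```

Two caveats a practitioner should keep in mind. Only functions attached to a customer VPC have ENIs that appear in VPC Flow Logs; a function without a VPC configuration runs in a Lambda-managed network you cannot observe this way, so the same logic has to move to whatever egress proxy or DNS firewall those functions are forced through. And a flow to a resolver address is not by itself malicious (some libraries use DoH legitimately), which is why the summary carries the plain-DNS counts next to it: a function whose only name resolution goes over 443 is a stronger signal than one that merely touched a resolver once.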

The malware is essentially a wrapper around XMRig, an open source cryptocurrency mining program often adopted by malware authors. This isn’t the first time Lambda customers have been targeted with XMRig either, though earlier attacks used simpler scripts rather than purpose-built malware like Denonia. The Cado researchers said the sample they analyzed was created in February, but an older sample found on VirusTotal was created in January, so these attacks have been running for months.

A serverless platform like Lambda is a great resource for small organizations that don’t have the staff needed to manage and secure cloud VMs, because the burden of server management is shifted to the cloud provider. However, such organizations are still responsible for protecting their credentials and access keys.

“The short execution times, the sheer volume of execution, and the dynamic and ad hoc nature of Lambda functions can make it difficult to detect, investigate, and respond to potential damage,” Cado researchers warn. “In the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment, but it is up to the customer to secure the functionality itself.”
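Since Cado suspects compromised access keys as the delivery route and AWS leaves the functions themselves to the customer, one concrete customer-side control is to review the audit trail for changes to function code or configuration made with long-lived IAM user keys, or from outside the addresses a deployment pipeline uses. The following is an added example, not from the article, from Cado Security or from AWS: it walks CloudTrail records, picks out the Lambda API calls that change what runs, and reports the ones made by an IAM user's long-lived key or from an untrusted source address. The records and CIDR ranges are constructed; the list of event-name prefixes is an assumption drawn from the Lambda API names.

```python
"""Review CloudTrail for Lambda code/config changes made with long-lived keys.

Added example, not from the article, from Cado Security or from AWS. The
records and CIDRs below are constructed; MUTATING_PREFIXES is an assumption
drawn from the Lambda API operation names.
"""
import ipaddress
import json
import re

# Lambda API calls that change what runs. CloudTrail names them with a date
# suffix (e.g. UpdateFunctionCode20150331v2), which is stripped before matching.
MUTATING_PREFIXES = ("CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration",
                     "PublishLayerVersion", "AddPermission", "CreateEventSourceMapping")
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def base_event_name(name: str) -> str:
    """Strip the API-version suffix CloudTrail appends to Lambda event names."""
    return _VERSION_SUFFIX.sub("", name)


def load_records(path: str) -> list:
    """Read a CloudTrail log file ({"Records": [...]})."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def review_lambda_changes(records, trusted_deploy_cidrs):
    """Return findings for mutating Lambda calls by IAM user keys or from untrusted addresses."""
    nets = [ipaddress.ip_network(c) for c in trusted_deploy_cidrs]
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if not base_event_name(rec.get("eventName", "")).startswith(MUTATING_PREFIXES):
            continue
        ident = rec.get("userIdentity", {})
        reasons = []
        if ident.get("type") == "IAMUser":
            # Long-lived key (AKIA...) rather than a role's temporary credentials (ASIA...).
            reasons.append("long-lived IAM user key")
        src = rec.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            ip = None  # AWS service principals show a service hostname here, not an IP
        if ip is not None and not any(ip in n for n in nets):
            reasons.append(f"source {src} outside trusted deploy ranges")
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "event": base_event_name(rec["eventName"]),
                "function": rec.get("requestParameters", {}).get("functionName"),
                "principal": ident.get("arn") or ident.get("userName"),
                "access_key": ident.get("accessKeyId"),
                "reasons": reasons,
            })
    return findings


# Constructed records: a pipeline role deploy, an IAM-user deploy from an
# unknown address, a read-only call, and a non-Lambda event.
TRUSTED_DEPLOY_CIDRS = ["198.51.100.0/24"]
SAMPLE_RECORDS = [
    {"eventTime": "2022-04-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIACONSTRUCTED000001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-42"},
     "requestParameters": {"functionName": "image-resize"}},
    {"eventTime": "2022-04-01T23:41:07Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACONSTRUCTED000002",
                      "userName": "dev-laptop", "arn": "arn:aws:iam::123456789012:user/dev-laptop"},
     "requestParameters": {"functionName": "image-resize"}},
    {"eventTime": "2022-04-01T23:40:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACONSTRUCTED000002",
                      "userName": "dev-laptop"},
     "requestParameters": {"functionName": "image-resize"}},
    {"eventTime": "2022-04-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"}},
]

if __name__ == "__main__":
    for f in review_lambda_changes(SAMPLE_RECORDS, TRUSTED_DEPLOY_CIDRS):
        print(f"{f['time']} {f['event']} on {f['function']} by {f['principal']}: {', '.join(f['reasons'])}")
```

The read-only GetFunction call from the same key is deliberately left unflagged: the goal is a short, reviewable list of events that changed what executes, not a log of every API call. Running this over CloudTrail also answers the question the article leaves open for a given account, namely whether a function's code was replaced using a credential that should never have deployed anything.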

Copyright © 2022 IDG Communications, Inc.
