Full Report
Denonia is a newly discovered type of malware targeting AWS Lambda environments. It was recently exposed by Cado Security, who named it after the domain it communicates with. Once the malware is executed on the victim's host, it launches the XMRig cryptominer. Denonia's delivery an...
Analysis Summary
# Tool/Technique: Denonia/XMRig Campaign
## Overview
Denonia is a newly discovered type of malware specifically designed to target and infect AWS Lambda serverless environments. Its primary purpose is resource hijacking through the deployment of the XMRig cryptominer to illicitly mine Monero cryptocurrency.
## Technical Details
- Type: Malware
- Platform: AWS Lambda (Serverless environments)
- Capabilities: Execution within Lambda environments, environment variable detection, cryptocurrency mining (via XMRig payload), encrypted DNS communication for C2/exfiltration.
- First Seen: April 6, 2022 (Publication Date)
## MITRE ATT&CK Mapping
- T1571 - Non-Standard Port
- T1571.001 - Serverless Execution Environment
- T1071 - Application Layer Protocol
- T1071.004 - DNS Protocol (Used via DoH)
- T1580 - Cloud Infrastructure Abuse
- T1580.004 - Cloud Compute Resource Hijacking
## Functionality
### Core Capabilities
- **Targeted Execution:** Designed specifically for AWS Lambda, utilizing the `aws-lambda-go` library to facilitate execution within the Lambda runtime environment.
- **Cryptojacking:** Launches the open-source XMRig cryptominer to mine Monero cryptocurrency on the compromised infrastructure.
- **Reconnaissance:** Searches for Lambda-related environment variables to confirm its context/location.
### Advanced Features
- **Evasion via DoH:** Leverages DNS over HTTPS (DoH) to encrypt DNS queries, making standard DNS monitoring for command and control or communication traffic significantly harder for defenders.
## Indicators of Compromise
- File Hashes: N/A (Not provided in context)
- File Names: N/A (Not provided in context)
- Registry Keys: N/A (Not applicable to Linux/Serverless environment focus)
- Network Indicators: Communicates with the domain that gave the malware its name (the domain is not provided in context and must be retrieved from an external source). *Defanged Placeholder: denonia-c2-domain[.]tld*
- Behavioral Indicators: Execution logic tailored for the serverless runtime (`aws-lambda-go` dependency), process activity involving XMRig, and outbound HTTPS traffic carrying DNS queries (DoH).
## Associated Threat Actors
- Unknown
## Detection Methods
- Signature-based detection: Signatures specific to the Denonia executable or its associated XMRig artifacts.
- Behavioral detection: Monitoring for unusual process execution within Lambda functions, especially attempts to download or execute external binaries (XMRig) or unexpected network connections initiated from the Lambda sandbox.
- YARA rules if available: N/A (Not provided in context)
## Mitigation Strategies
- Prevention measures: Strict enforcement of least privilege permissions for Lambda execution roles. Limit outbound network access where possible (network segmentation/VPC egress control).
- Hardening recommendations: Utilize security tooling capable of inspecting resource utilization (CPU/Memory spikes indicative of mining) within serverless functions. Implement security monitoring hooks that can detect unusual library dependencies or invocation patterns specific to Denonia.
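The behavioral detection item and the VPC egress-control recommendation above can be combined into a small log check. The following is an added example, not code from the original report or from Cado Security: it scans constructed VPC Flow Log records (default version 2 format) for outbound flows from a Lambda function's subnet that go directly to a public DoH resolver on TCP/443, or to any destination outside an egress allowlist. It assumes the function is VPC-attached (only then does its traffic appear in VPC Flow Logs), and the subnet, allowlist and sample records are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Public resolvers that answer DNS over HTTPS on TCP/443. A function that
# talks to these directly is bypassing the VPC resolver, which is how DoH
# hides DNS-based command and control from ordinary DNS monitoring.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed for this example: the subnet the function is attached to and
# the only egress destinations it legitimately needs (VPC egress control).
LAMBDA_SUBNET = ip_network("10.0.1.0/24")
EGRESS_ALLOWLIST = [ip_network("10.0.0.0/16"), ip_network("192.0.2.0/24")]


@dataclass
class Finding:
    rule: str     # which check fired
    dst: str      # destination address
    dstport: int
    action: str   # ACCEPT or REJECT; a REJECT still records the attempt


def parse_flow_record(line):
    """Parse one default-format (v2) VPC Flow Log record; None if malformed."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        return None
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]),
            "proto": int(f[7]), "action": f[12]}


def analyse(lines):
    """Return findings for outbound flows originating in the function's subnet."""
    findings = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or ip_address(rec["src"]) not in LAMBDA_SUBNET:
            continue  # malformed, or a return/inbound flow rather than egress
        if rec["dst"] in DOH_RESOLVERS and rec["proto"] == 6 and rec["dstport"] == 443:
            findings.append(Finding("doh-resolver", rec["dst"], 443, rec["action"]))
        elif not any(ip_address(rec["dst"]) in net for net in EGRESS_ALLOWLIST):
            findings.append(Finding("egress-not-allowlisted", rec["dst"], rec["dstport"], rec["action"]))
    return findings


# Constructed sample: a DoH query, a legitimate in-VPC database call, a blocked
# attempt to an unapproved host, the resolver's return flow, and a bad line.
SAMPLE_LOG = [
    "2 123456789012 eni-0123456789abcdef0 10.0.1.15 1.1.1.1 44321 443 6 12 2100 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 10.0.1.15 10.0.2.40 50122 5432 6 30 8100 1650000000 1650000060 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 10.0.1.15 198.51.100.23 51002 443 6 4 240 1650000000 1650000060 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 1.1.1.1 10.0.1.15 443 44321 6 10 3900 1650000000 1650000060 ACCEPT OK",
    "NODATA",
]
```

A REJECT record still merits a finding: the security group or network ACL blocked the connection, but the attempt itself is the behavioral signal that something inside the sandbox tried to reach out.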
## Related Tools/Techniques
- XMRig (Cryptominer payload)
- DNS over HTTPS (DoH) (Evasion technique)