Denonia Malware

A piece of intrusive malware named Denonia is being used in threatening operations targeting Amazon Web Services (AWS) Lambda installations. So far, the attackers appear to be financially motivated, with Denonia being used to deploy a custom XMRig version. XMRig is a popular crypto-miner often used by cybercriminals to hijack the hardware resources of a breached device to mine the Monero cryptocurrency.

After analyzing the threat, researchers discovered that despite having the file name python, Denonia was created using the Go programming language. The malware is dropped as a 64-bit ELF executable, and it relies on several third-party GitHub libraries to execute its harmful actions. Some of these libraries are used for writing Lambda functions and extracting data from Lambda invoke requests. Lambda itself is a popular serverless, event-driven compute service offered by Amazon.
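As an added example (not code from the researchers or from this page), the name and file-type mismatch described above can be turned into a check over a Lambda deployment package: flag any entry named like an interpreter that is really a 64-bit ELF carrying the Go toolchain's build-info marker. The interpreter name list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2                       # e_ident[EI_CLASS] value for 64-bit objects
GO_BUILDINFO = b"\xff Go buildinf:"  # magic the Go linker embeds in its binaries
# Assumption: file names a reviewer would expect to be a real interpreter.
INTERPRETER_NAMES = {"python", "python3", "node", "ruby", "perl", "sh", "bash"}


def classify(name, data):
    """Return a finding for a Go ELF posing as an interpreter, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    if base not in INTERPRETER_NAMES:
        return None
    if data[:4] != ELF_MAGIC or data[4:5] != bytes([ELFCLASS64]):
        return None
    if GO_BUILDINFO not in data:
        return None  # a genuine interpreter is an ELF too, but not a Go one
    return f"{name}: 64-bit ELF built with Go, named like an interpreter"


def scan_package(zip_bytes):
    """Scan every file in a zipped deployment package and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify(info.filename, zf.read(info))
            if finding:
                findings.append(finding)
    return findings


def build_sample_package():
    """Constructed sample: inert bytes that only mimic the two markers."""
    fake_go_elf = (ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 9
                   + GO_BUILDINFO + b"\x00" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("handler.py", "def handler(event, context):\n    return 'ok'\n")
        zf.writestr("bin/python", fake_go_elf)   # name/type mismatch: flagged
        zf.writestr("bin/helper", fake_go_elf)   # Go ELF, ordinary name: ignored
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_package(build_sample_package()):
        print(line)
```

A packed or otherwise rewritten binary may not expose the build-info marker, so a clean result from this check does not rule out a renamed Go executable.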

The researchers speculate that Denonia's curious use of DNS over HTTPS (DoH), achieved via the doh-go library, was implemented as a countermeasure to keep AWS from detecting the threat's lookups of its unsafe domains. At the moment, no conclusive evidence pointing to the exact infection vector used in the attacks involving Denonia malware has been found.
