Cryptocurrency-mining AWS Lambda-specific malware spotted
2022-04-07 07:28

Cado Security says it has discovered a strain of malware specifically designed to run in AWS Lambda serverless environments and mine cryptocurrency.

While the security firm has only seen the malware running in AWS Lambda, it can be made to run in other Linux-flavored environments, Cado Security CTO and co-founder Chris Doman told The Register this week.

Under the shared-responsibility security model used by Amazon and other cloud providers, AWS secures the underlying environment (Lambda, in this case) while the customer is responsible for securing their own data and the Lambda functions themselves.

In Cado's analysis, it appeared Denonia contained a customized variant of the Monero-mining XMRig "along with other unknown functions." During Cado's dynamic analysis, Denonia stopped executing and logged an error about a Lambda AWS environment variable not being defined.

The infosec team also noted that the malware includes several third-party Go libraries including tools for writing Lambda functions, helpers for retrieving contextual information from a Lambda invoke request, general AWS software development kits for Go, and DNS-over-HTTPS in Go. This use of DNS-over-HTTPS is interesting, Muir noted.

Third-party security analysts were mixed in their reactions to the Lambda malware research.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/07/aws_lambda_malware/