
Denonia

Category: Malware

Type: Cryptojacking malware

Platform: Linux, AWS Lambda

Damage potential: Hijacks cloud computing resources to mine Monero cryptocurrency, which leads to increased operational costs and potential service disruptions.

Overview

Denonia is a cryptomining and cryptojacking malware discovered in 2022, specifically designed to target Amazon Web Services’ (AWS) Lambda platform. It uses a customized version of the popular XMRig mining software to mine Monero cryptocurrency. Unlike traditional malware, Denonia exploits the serverless nature of AWS Lambda so attackers can hijack cloud resources without the need for direct access to physical servers.

Denonia communicates with its command-and-control server using DNS over HTTPS (DoH), which allows it to bypass traditional network defenses. Though attackers primarily target Lambda, they can also run Denonia on standard Linux systems if they set the appropriate environment variables. Attackers likely gain access to Lambda functions by compromising AWS credentials, and once deployed, Denonia consumes cloud resources to mine cryptocurrency. This increases operational costs and potentially disrupts services.

Possible symptoms

Denonia may degrade cloud system performance and disrupt normal operations. Symptoms of a Denonia infection include:

  • Increased cloud resource usage, particularly in CPU and memory because of cryptocurrency mining activities.
  • Unusual network traffic, such as encrypted DNS queries used to communicate with the command-and-control (C2) server.
  • Presence of unknown or suspicious processes, often running in the background.
  • Unexpected outbound connections to unfamiliar IP addresses or domains, often related to the C2 communication.
  • Difficulty detecting or terminating malicious processes, because the malware’s use of DNS over HTTPS (DoH) hides its command-and-control traffic from conventional DNS monitoring.
  • Unexplained spikes in operational costs or resource utilization in cloud environments, particularly in AWS Lambda.

Sources of the infection

Cybercriminals use various methods to spread Denonia malware:

  • Exploiting stolen credentials. Attackers use compromised AWS Access and Secret Keys to gain unauthorized access to Lambda functions and other cloud resources.
  • Misconfigured cloud environments. Denonia targets misconfigured IAM roles and excessive Lambda permissions, which allow attackers to deploy malware without detection.
  • Leaked cloud credentials. Cybercriminals exploit leaked or exposed AWS credentials that they often find in public repositories or insecure storage locations.
  • Direct deployment via API. Once attackers obtain valid credentials, they can directly deploy Denonia using AWS SDKs, APIs, or command-line tools, bypassing traditional security measures.
  • Automated scripts. Malicious scripts can automate the deployment of Denonia by exploiting cloud misconfigurations or vulnerabilities, facilitating widespread infections.

Protection

To protect against Denonia, it’s essential to secure cloud environments, particularly AWS Lambda and Linux-based systems, by addressing common misconfigurations and vulnerabilities. Effective measures to protect against Denonia include:

  • Using antivirus and anti-malware software. Install and regularly update security solutions that can detect cryptojacking malware, including those designed to recognize threats targeting cloud platforms like AWS Lambda.
  • Regularly updating systems and software. Keep your cloud environment up to date with the latest security patches, and review configurations to fix weaknesses such as overly permissive IAM roles or exposed cloud credentials.
  • Improving network security. Configure firewalls, intrusion detection systems, and endpoint protection to limit access to sensitive cloud services, and block suspicious outbound traffic to potential C2 servers.
  • Restricting access to cloud credentials. Limit and securely store AWS Access and Secret Keys so that they’re only accessible to authorized personnel or applications. Use encryption and regularly rotate keys.
  • Implementing multi-factor authentication (MFA). Enforce MFA on critical accounts, especially AWS root accounts and other high-level administrative roles.
  • Monitoring system and network activity. Use logging and monitoring tools to detect unusual behavior, such as spikes in CPU or memory usage, unexpected network activity, or unauthorized deployments.
  • Securing cloud IAM roles and permissions. Make sure IAM roles and Lambda functions follow the principle of least privilege.
  • Disabling unused services. Turn off Lambda functions, container services, and other cloud resources that are not actively used, to reduce the attack surface.
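As an added example (not from the original page), a small triage over CloudTrail records that flags the kind of unauthorized Lambda deployment the monitoring and least-privilege items above describe: code deployments by principals outside an assumed allowlist, or made with long-term IAM user access keys. The account id, role name and sample records are constructed; adjust the eventName values to what your own trail records.

```python
# Lambda API calls that create or change function code or configuration, using the
# eventName values CloudTrail records for Lambda (suffixed with the API version).
DEPLOY_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2",
                 "UpdateFunctionConfiguration20150331v2"}

# Assumed allowlist (hypothetical account id and role): only the CI pipeline's
# assumed role is expected to deploy Lambda code in this account.
ALLOWED_DEPLOYERS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-actions"}


def triage_event(event: dict) -> list[str]:
    """Return the reasons a CloudTrail record looks like an unauthorized Lambda deployment."""
    if event.get("eventSource") != "lambda.amazonaws.com":
        return []
    if event.get("eventName") not in DEPLOY_EVENTS:
        return []
    ident = event.get("userIdentity", {})
    reasons = []
    arn = ident.get("arn", "")
    if arn not in ALLOWED_DEPLOYERS:
        reasons.append(f"deployer {arn} is not on the allowlist")
    # Long-term access keys start with AKIA and belong to IAM users; they are the kind of
    # stolen key described above. Short-lived role credentials start with ASIA instead.
    if ident.get("type") == "IAMUser" or ident.get("accessKeyId", "").startswith("AKIA"):
        reasons.append("deployment made with a long-term IAM user access key")
    return reasons


def triage(records: list[dict]) -> dict[str, list[str]]:
    """Map eventID -> reasons for every record that triage_event flags."""
    return {r["eventID"]: hits for r in records if (hits := triage_event(r))}


# Constructed sample records (not real CloudTrail output): an expected CI deploy, a
# code update pushed with an IAM user's long-term key, and an unrelated EC2 call.
SAMPLE_TRAIL = [
    {"eventID": "evt-1", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
     "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-actions"}},
    {"eventID": "evt-2", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000002",
     "arn": "arn:aws:iam::111122223333:user/dev-laptop"}},
    {"eventID": "evt-3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000002"}},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_TRAIL).items():
        print(event_id, "->", "; ".join(hits))
```

In production the same checks would run over records pulled from the trail's S3 bucket or CloudTrail Lake, and a hit should trigger credential rotation and a review of the function's code and execution role.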

Removal of Denonia

If you suspect that Denonia has infected your system, the first step is to isolate the affected device or cloud resource from the network to prevent further communication with the C2 server and stop lateral movement. Then, identify and terminate any suspicious processes, particularly those related to cryptocurrency mining or unauthorized cloud activity.

Next, use trusted antivirus or malware removal tools to scan and clean the system, focusing on removing any remnants of the XMRig mining software and other malicious components. Manually inspect the system for any malicious scripts, altered AWS Lambda functions, or unauthorized services that may have been deployed. It’s also important to review and secure all AWS access credentials, IAM roles, and security configurations.

Once you have removed Denonia, go ahead and update all software, operating systems, and cloud configurations, applying patches to close any vulnerabilities exploited by Denonia. Review your access controls, enforce least privilege policies, and enable MFA to improve security. If the infection persists or if you encounter difficulties in fully removing Denonia, contact reliable cybersecurity experts and ask for help.