Contrast Serverless detects malware in AWS Lambda functions

    

Two weeks ago, Cado Security released an analysis of Denonia, claiming it to be the first publicly known case of malware specifically designed to execute in an AWS Lambda environment. Denonia takes its name from the domain that the malicious code communicates with. The Golang-based malicious code runs crypto-mining code and, to avoid detection and escape virtual network access controls, uses address resolution techniques for its command and control traffic.

Given that Contrast Security helps organizations secure their Serverless applications, and in particular identify vulnerabilities in AWS Lambda functions, our research team has investigated further and identified two SHA-256 hash values that are associated with this malware:

[Screenshot: the two SHA-256 hash values]

Crypto-mining typically results in an excessive bill for the infected account due to high consumption of resources such as time, memory and execution volumes. Other malware can also extract sensitive data from the function, such as source code or, worse, the keys used by the function to interact with other services. This gives the attacker access not only to the infected function but also to many other resources owned by the infected account.

So we've taken this opportunity not only to detect Lambda functions containing Denonia binaries, but also to extend this detection to any potential malware residing inside Lambda functions.

By enabling Contrast Security's Lambda function malware detection capabilities, organizations can identify not only misconfigurations and code vulnerabilities within their Serverless application during development, but also Lambda functions hit by malware as soon as it happens. No action is needed. Once a function is modified and malware is introduced, Contrast's solution automatically detects the change and scans the function. If malicious code is detected, a notification is sent immediately.
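The flow described above, rescanning a function when its deployment package changes and matching the files inside against known-bad SHA-256 values, as an added Python example; it is not Contrast's implementation. The blocklist entry, file names and packages are constructed stand-ins, and the stored hash plays the role of the `CodeSha256` value that Lambda reports for a function.

```python
import base64
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 250 * 1024 * 1024  # Lambda's unzipped package limit

def code_sha256(package: bytes) -> str:
    """Base64 SHA-256 of the zip, the form Lambda reports as CodeSha256."""
    return base64.b64encode(hashlib.sha256(package).digest()).decode()

def scan_package(package: bytes, bad_hashes: set[str]) -> list[dict]:
    """Hash every file in a deployment zip and report blocklist matches."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:  # do not inflate; flag for review
                findings.append({"file": info.filename, "reason": "oversize, not hashed"})
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:  # stream so large members are not held in memory
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            if h.hexdigest() in bad_hashes:
                findings.append({"file": info.filename, "reason": "known-bad sha256"})
    return findings

def rescan_if_changed(last_seen, package: bytes, bad_hashes: set[str]):
    """Scan only when the package hash differs from the one stored at the last scan."""
    current = code_sha256(package)
    if current == last_seen:
        return current, None  # unchanged since the last scan
    return current, scan_package(package, bad_hashes)

def build_zip(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed data: FAKE_SAMPLE is a stand-in blob, not a Denonia binary or hash.
FAKE_SAMPLE = b"constructed-stand-in-for-a-malicious-binary"
BAD_HASHES = {hashlib.sha256(FAKE_SAMPLE).hexdigest()}
HANDLER = b"def handler(event, context):\n    return 'ok'\n"
CLEAN = build_zip({"handler.py": HANDLER})
INFECTED = build_zip({"handler.py": HANDLER, "bin/worker": FAKE_SAMPLE})
```

Exact-hash matching only catches byte-identical copies of a known sample, so a recompiled or repacked binary will not match the blocklist.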

In the following video, Paolo Spagli, Sr. Security Researcher in the Cloud Native team, demonstrates the detection of Denonia malware inside a Lambda function. While this scan is run manually, the Contrast Serverless solution scans functions automatically and autonomously at the moment they are modified.

 

[Video: detection of Denonia malware inside a Lambda function]

Don't stay idle, waiting for something to go wrong. Make sure your Serverless application is secure. Get secure with Contrast Serverless Application Security in just a few clicks.

Tal Melamed, Senior Director, Cloud-Native Security Research, Contrast Security
