Denonia is a recently discovered malware family that targets AWS Lambda environments. It was exposed by Cado Security, who named it after the domain it communicates with. Once executed on the victim's host, it launches the XMRig cryptominer.
Denonia's delivery and deployment methods are not known at the moment, but the binary is clearly built for Lambda: it is written in Go, links the aws-lambda-go library so that it can run as a handler inside a Lambda execution environment, and searches for Lambda-related environment variables. These checks appear to be fingerprinting rather than a hard gate, since the sample has also been run outside Lambda in analysis sandboxes.
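The Lambda-awareness described above is easy to reproduce. The following Go program is an added example, not Denonia's code and not taken from Cado's report: it inspects the documented Lambda environment variables, decides whether it is running inside a function, and also notes that the execution role's temporary credentials sit in the same environment. The variable names are AWS's documented ones; the decision logic (treating `AWS_LAMBDA_RUNTIME_API` as decisive) is the example's own choice.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Documented AWS Lambda runtime environment variables (not copied from the
// Denonia sample). AWS_LAMBDA_RUNTIME_API is the endpoint aws-lambda-go's
// runtime loop polls for invocations; the rest describe the function itself.
var lambdaEnvVars = []string{
	"AWS_LAMBDA_RUNTIME_API",
	"AWS_LAMBDA_FUNCTION_NAME",
	"AWS_LAMBDA_FUNCTION_VERSION",
	"AWS_LAMBDA_FUNCTION_MEMORY_SIZE",
	"AWS_LAMBDA_LOG_GROUP_NAME",
	"AWS_LAMBDA_LOG_STREAM_NAME",
	"AWS_EXECUTION_ENV",
	"LAMBDA_TASK_ROOT",
	"LAMBDA_RUNTIME_DIR",
}

// The execution role's temporary credentials are injected as plain
// environment variables, so any code running in the function can read them.
var roleCredVars = []string{"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

// LambdaFingerprint summarises what a process can learn about its host
// from the environment alone.
type LambdaFingerprint struct {
	InLambda           bool     // AWS_LAMBDA_RUNTIME_API is set
	FunctionName       string   // AWS_LAMBDA_FUNCTION_NAME, if any
	RuntimeAPI         string   // host:port of the runtime API
	HasRoleCredentials bool     // all three credential variables present
	Present            []string // which Lambda variables were found
}

// FingerprintLambda classifies env. AWS_LAMBDA_RUNTIME_API is the decisive
// signal here (example's assumption): without it a Go handler has no
// runtime API to fetch invocations from.
func FingerprintLambda(env map[string]string) LambdaFingerprint {
	fp := LambdaFingerprint{
		RuntimeAPI:   env["AWS_LAMBDA_RUNTIME_API"],
		FunctionName: env["AWS_LAMBDA_FUNCTION_NAME"],
	}
	for _, name := range lambdaEnvVars {
		if env[name] != "" {
			fp.Present = append(fp.Present, name)
		}
	}
	fp.InLambda = fp.RuntimeAPI != ""
	fp.HasRoleCredentials = true
	for _, name := range roleCredVars {
		if env[name] == "" {
			fp.HasRoleCredentials = false
		}
	}
	return fp
}

// EnvironMap converts os.Environ()-style "KEY=value" entries into a map,
// splitting on the first '=' only so values containing '=' survive intact.
func EnvironMap(environ []string) map[string]string {
	m := make(map[string]string, len(environ))
	for _, kv := range environ {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) == 2 {
			m[parts[0]] = parts[1]
		}
	}
	return m
}

func main() {
	fp := FingerprintLambda(EnvironMap(os.Environ()))
	fmt.Printf("in Lambda: %v\n", fp.InLambda)
	if fp.InLambda {
		fmt.Printf("function: %s, runtime API: %s\n", fp.FunctionName, fp.RuntimeAPI)
	}
	fmt.Printf("role credentials in env: %v\n", fp.HasRoleCredentials)
	fmt.Printf("Lambda variables present: %s\n", strings.Join(fp.Present, ", "))
}
```

Run on a laptop, `InLambda` is false; packaged as a Lambda function it reports the function name and runtime API endpoint. For analysts the variable list doubles as a recipe: setting these variables in a sandbox lets a Lambda-aware sample take its Lambda code path without deploying it to AWS. The credential check is the caveat worth remembering: whatever runs inside the function, miner or otherwise, holds the execution role's keys.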
Denonia's payload is XMRig, an open-source miner for the Monero cryptocurrency. XMRig has legitimate uses, but attackers routinely bundle it to mine on compromised systems without the owner's consent. In Lambda the cost lands directly on the victim: the function is billed for the duration of every invocation, so CPU time spent mining is paid for by the account owner.
One of the mechanisms that helps the malware avoid detection is DNS over HTTPS (DoH), which it uses to resolve the domain it communicates with. Traditional DNS queries travel unencrypted over UDP/53 and can be logged or inspected (in a VPC, Route 53 Resolver query logging would record them). DoH instead wraps each of the malware's own queries in an HTTPS request to a public resolver, so the queried name is visible neither on the wire nor in resolver logs. What remains observable is the outbound TLS connection to a well-known DoH resolver, which is itself a useful indicator, since legitimate Lambda functions rarely have any reason to make one.
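To make the DoH point concrete, here is an added Go example; it is not Denonia's code or Cado's. The public resolver host names are real, while the query name and the small resolver list are constructed for the example. It builds the same DNS question twice, once as the cleartext UDP/53 message a DNS sensor parses directly, and once wrapped into an RFC 8484 GET URL, and shows that recovering the name from the DoH form requires access to the decrypted HTTP request. The last function captures the detection that does remain: the outbound TLS connection to a known public DoH resolver.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// BuildDNSQuery encodes a standard DNS query (RFC 1035 wire format) for name.
// The ID is left at zero, as RFC 8484 recommends for DoH, so that identical
// queries yield identical URLs and can be served from HTTP caches.
func BuildDNSQuery(name string, qtype uint16) ([]byte, error) {
	name = strings.TrimSuffix(name, ".")
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[2:4], 0x0100) // flags: RD (recursion desired)
	binary.BigEndian.PutUint16(msg[4:6], 1)      // QDCOUNT = 1
	for _, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("invalid DNS label %q", label)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // root label terminates the name
	var tail [4]byte
	binary.BigEndian.PutUint16(tail[0:2], qtype)
	binary.BigEndian.PutUint16(tail[2:4], 1) // QCLASS = IN
	return append(msg, tail[:]...), nil
}

// ExtractQName is what a passive sensor on UDP/53 does trivially: read the
// queried name straight out of the cleartext question section.
func ExtractQName(msg []byte) (string, error) {
	if len(msg) < 12 {
		return "", errors.New("message shorter than DNS header")
	}
	var labels []string
	i := 12
	for {
		if i >= len(msg) {
			return "", errors.New("truncated question name")
		}
		n := int(msg[i])
		i++
		if n == 0 {
			break
		}
		if n&0xC0 != 0 {
			return "", errors.New("compression pointer in question section")
		}
		if i+n > len(msg) {
			return "", errors.New("label overruns message")
		}
		labels = append(labels, string(msg[i:i+n]))
		i += n
	}
	return strings.Join(labels, ".") + ".", nil
}

// DoHGetURL wraps the same message the RFC 8484 way: base64url without
// padding in the "dns" query parameter. Everything after the host name
// travels inside TLS; the network sees only a connection to the resolver.
func DoHGetURL(resolverHost string, msg []byte) string {
	return "https://" + resolverHost + "/dns-query?dns=" +
		base64.RawURLEncoding.EncodeToString(msg)
}

// QNameFromDoHURL recovers the name from a DoH GET URL. Only a party that
// sees the decrypted HTTP request (the resolver itself, or a TLS-terminating
// proxy) is in a position to run this.
func QNameFromDoHURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	msg, err := base64.RawURLEncoding.DecodeString(u.Query().Get("dns"))
	if err != nil {
		return "", err
	}
	return ExtractQName(msg)
}

// knownDoHResolvers is a small, constructed list of public DoH endpoints
// for this example; a real control would use a maintained feed.
var knownDoHResolvers = map[string]bool{
	"dns.google":         true,
	"cloudflare-dns.com": true,
	"dns.quad9.net":      true,
}

// IsKnownDoHResolver flags a destination that serves public DoH. From a
// Lambda function with no business resolving names this way, the outbound
// TLS connection itself is the indicator, not the hidden query.
func IsKnownDoHResolver(host string) bool {
	return knownDoHResolvers[strings.ToLower(strings.TrimSuffix(host, "."))]
}

func main() {
	msg, err := BuildDNSQuery("example.com", 1) // qtype 1 = A record
	if err != nil {
		panic(err)
	}
	name, _ := ExtractQName(msg)
	fmt.Printf("plain DNS on UDP/53 exposes: %s\n", name)
	fmt.Printf("DoH request URL (inside TLS): %s\n", DoHGetURL("dns.google", msg))
	fmt.Printf("visible to the network: TLS to dns.google:443, known DoH resolver: %v\n",
		IsKnownDoHResolver("dns.google"))
}
```

A Lambda function that is not attached to a VPC egresses straight to the internet, so neither VPC Flow Logs nor Route 53 Resolver query logs exist to catch either form of the query. Attaching functions to a VPC with restricted egress, and alerting on port 443 connections to resolver hosts like the ones listed, is what turns the DoH resolver back into an observable indicator.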