/*
 * lambda_malware
 *
 * Static signature for the Go-based sample family described in the Cado
 * Security write-up linked in `reference` (Denonia). hash1/hash2 are the
 * SHA-256 digests of the reference samples this rule was written against.
 *
 * Triage notes:
 *   - Nothing in the condition is specific to AWS Lambda. The rule fires on
 *     any file under the size cap that contains all three plain-text strings,
 *     so a hit means "binary carrying this DoH library path, this User-Agent
 *     and this miner help text", not "code that ran inside Lambda".
 *   - There is no file-type (magic) check. Memory dumps, archives stored
 *     without compression, or disk images that contain the strings can match.
 *   - All strings are default (ascii, case-sensitive) literals. A packed or
 *     otherwise transformed copy of the binary would not match until it is
 *     unpacked.
 */
rule lambda_malware
{
    meta:
        description = "Detects AWS Lambda Malware"
        author = "cdoman@cadosecurity.com"
        reference = "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
        license = "Apache License 2.0"
        date = "2022-04-03"
        hash1 = "739fe13697bc55870ceb35003c4ee01a335f9c1f6549acb6472c5c3078417eed"
        hash2 = "a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca"

    strings:
        // Go package path left in the binary by the doh-go
        // (DNS-over-HTTPS) library's provider sub-packages.
        $doh_provider_path = "github.com/likexian/doh-go/provider/"

        // Hard-coded HTTP User-Agent value embedded in the sample.
        $hardcoded_user_agent = "Mozilla/5.0 (compatible; Ezooms/1.0; help@moz.com)"

        // Command-line help text for a mining-pool credentials option;
        // presumably from an embedded XMRig-style miner -- confirm against
        // the referenced write-up.
        $miner_userpass_help = "username:password pair for mining server"

    condition:
        // Size cap is checked first so oversized files are rejected cheaply;
        // all three indicators must be present together.
        filesize < 30000KB
        and $doh_provider_path
        and $hardcoded_user_agent
        and $miner_userpass_help
}