
CanisterWorm: Cloud Worm and Wiper Attack — Detection and Defense Guide

Security Arsenal Team
April 7, 2026

Introduction

A destructive cyber threat has emerged that blends financial motivation with geopolitical disruption. The threat actor behind "CanisterWorm" has escalated operations from pure data theft to deploying a wiper payload. This worm actively propagates by exploiting poorly secured cloud services—specifically targeting environments with exposed storage buckets or misconfigured API permissions.

Upon infection, the malware performs a critical environmental check: if the system time zone is set to Iran (UTC+03:30, Tehran) or the system language is Farsi (fa-IR), the worm triggers a data-wiping routine. For defenders, this represents a high-risk scenario where opportunistic cloud misconfigurations can lead to catastrophic data loss. Immediate action is required to audit cloud perimeter security and hunt for the specific behaviors associated with this wiper.

Technical Analysis

Affected Products & Platforms

While the specific CVE exploits are not detailed in the initial intelligence, the attack vector relies on:

  • Cloud Storage Services: Unsecured or publicly writable cloud storage buckets (e.g., AWS S3, Azure Blob) used as propagation vectors.
  • Operating Systems: Windows and Linux systems serving as compute resources within compromised cloud environments.

Attack Mechanism

  1. Propagation (The Worm): The malware scans for vulnerable cloud endpoints. It leverages scripts to enumerate and infect systems with weak authentication or exposed cloud management interfaces.
  2. Targeting Logic: Upon execution, the script inspects the host system's locale and time zone settings.
  3. The Wiper Payload: If the conditions (TimeZone == 'Iran Standard Time') or (Language == 'fa-IR') are met, the malware initiates a destructive sequence. This involves overwriting MBRs, deleting files, or encrypting data with a throwaway key.
  4. Exploitation Status: Active exploitation (In-the-Wild). The wiper component is not theoretical; it is being triggered against specific targets matching the locale profile.

Detection & Response

SIGMA Rules

YAML
---
title: Potential CanisterWorm Locale Check and Wiper Activity
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects suspicious process activity where system locale or timezone is queried immediately followed by destructive file commands. TTP associated with CanisterWorm.
references:
  - https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/
author: Security Arsenal
date: 2026/03/27
tags:
  - attack.execution
  - attack.t1059.001
  - attack.impact
  - attack.t1485
logsource:
  category: process_creation
  product: windows
detection:
  selection_locale:
    CommandLine|contains:
      - 'Get-TimeZone'
      - 'Get-Culture'
      - 'Get-WinSystemLocale'
      - 'tzutil /g'
  selection_wiper:
    CommandLine|contains:
      - 'Remove-Item'
      - 'Format-Volume'
      - 'cipher /w'
      - 'del /f /s /q'
  # Both patterns must occur in the same command line, e.g. an inline PowerShell
  # block that branches on the time zone before deleting. A check in one process
  # followed by a wipe in a later process cannot be expressed in a single
  # process_creation rule; correlate that in the SIEM (see the KQL query below).
  # selection_artifact:
  #   CommandLine|contains: 'canister'  # placeholder, not a confirmed IOC: enable and OR into the condition once a real artifact name is known
  condition: selection_locale and selection_wiper
falsepositives:
  - Legitimate system administration scripts that check time before maintenance
level: high
---
title: Linux Locale Check Followed By Data Destruction
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects potential Linux wiper behavior involving checking timezone/locale (Iran/Farsi) followed by destructive deletion commands.
references:
  - https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/
author: Security Arsenal
date: 2026/03/27
tags:
  - attack.execution
  - attack.t1059.004
  - attack.impact
  - attack.t1485
logsource:
  category: process_creation
  product: linux
detection:
  selection_check:
    CommandLine|contains:
      - 'timedatectl'
      - 'cat /etc/timezone'
      - 'locale'
      - 'echo $LANG'
  selection_wipe:
    CommandLine|contains:
      - 'rm -rf'
      - 'shred'
      - 'dd if=/dev/zero'
      - ':()>/'
  condition: selection_check and selection_wipe
falsepositives:
  - System administration scripts involving cleanup based on location
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for processes checking locale/timezone followed by destructive commands
// Tag each process-creation event as a locale check and/or a wipe action,
// then keep only device/account pairs where both kinds of event occurred
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"(Get-TimeZone|Get-Culture|tzutil)"
   or ProcessCommandLine matches regex @"(Remove-Item|Format-Volume|del /f /s /q)"
| extend LocaleCheck = ProcessCommandLine matches regex @"(Get-TimeZone|Get-Culture|tzutil)"
| extend WipeAction = ProcessCommandLine matches regex @"(Remove-Item|Format-Volume|del /f /s /q)"
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Checks=countif(LocaleCheck), Wipes=countif(WipeAction),
            CommandList=make_list(ProcessCommandLine)
  by DeviceName, AccountName
// Flag devices where both Check and Wipe logic appeared in process creation logs
| where Checks > 0 and Wipes > 0
| project DeviceName, AccountName, FirstSeen, LastSeen, Checks, Wipes, CommandList
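The KQL above only tells you that a locale query and a destructive command both appeared on a host within the search window. The block below, an added example and not tooling from the advisory, shows the tighter correlation the Sigma rule defers to the SIEM: for each host, a destructive command that follows a locale query within a configurable window. The process-creation events are constructed samples; the patterns are the ones used by the rules on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows process-creation events (not real telemetry)
SAMPLE_EVENTS = [
    {"ts": "2026-03-27T09:00:01", "host": "web-01", "cmd": "powershell.exe -c Get-TimeZone"},
    {"ts": "2026-03-27T09:00:04", "host": "web-01", "cmd": "powershell.exe -c Remove-Item C:\\data\\* -Recurse -Force"},
    {"ts": "2026-03-27T09:30:00", "host": "web-02", "cmd": "tzutil /g"},
    {"ts": "2026-03-27T11:00:00", "host": "web-02", "cmd": "cmd.exe /c del /f /s /q C:\\temp\\*"},
    {"ts": "2026-03-27T10:00:00", "host": "db-01", "cmd": "cmd.exe /c del /f /s /q C:\\temp\\logs\\*"},
]

# Same indicator lists as the Windows Sigma rule above
LOCALE_CHECK = re.compile(r"Get-TimeZone|Get-Culture|Get-WinSystemLocale|tzutil /g", re.I)
WIPE_CMD = re.compile(r"Remove-Item|Format-Volume|cipher /w|del /f /s /q", re.I)


def correlate(events, window=timedelta(minutes=5)):
    """Return (host, check_cmd, wipe_cmd) for every destructive command that
    follows a locale/time-zone query on the same host within `window`.
    A single command line containing both patterns (inline script) also fires,
    because the check is recorded before the wipe test runs on the same event."""
    last_check = {}  # host -> (timestamp, command) of the most recent locale query
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, cmd = ev["host"], ev["cmd"]
        if LOCALE_CHECK.search(cmd):
            last_check[host] = (ts, cmd)
        if WIPE_CMD.search(cmd):
            prior = last_check.get(host)
            if prior and ts - prior[0] <= window:
                alerts.append((host, prior[1], cmd))
    return alerts


if __name__ == "__main__":
    for host, check, wipe in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host}: '{check}' followed by '{wipe}'")
```

With the default five-minute window only web-01 alerts; web-02 (a 90-minute gap) and db-01 (no preceding check) do not, which is the noise reduction a plain co-occurrence query cannot give.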

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious process execution chains indicative of CanisterWorm
-- Targeting systems where locale check happens near destructive commands
-- Column names are those returned by pslist() and are case-sensitive.
-- pslist() only sees processes still running, so pair this with
-- process-creation telemetry for commands that have already exited.
SELECT
  Pid,
  Ppid,
  Name,
  CommandLine,
  Exe,
  Username,
  CreateTime
FROM pslist()
WHERE
  CommandLine =~ "Get-TimeZone" OR
  CommandLine =~ "Get-Culture" OR
  CommandLine =~ "tzutil" OR
  CommandLine =~ "Remove-Item" OR
  CommandLine =~ "Format-Volume"
ORDER BY CreateTime DESC

Remediation Script (PowerShell)

PowerShell
# CanisterWorm Remediation and Audit Script
# Checks for active suspicious processes and audits cloud security basics

Write-Host "Starting CanisterWorm Audit and Remediation..." -ForegroundColor Cyan

# 1. Hunt for Suspicious Processes (Locale Check + Wiper)
# Each entry is a regular expression matched against the process command line
$suspiciousProcs = @(
    "Get-TimeZone", "Get-Culture", "tzutil", "Remove-Item", "Format-Volume", "cipher /w"
)

Write-Host "Checking for active processes matching wiper TTPs..." -ForegroundColor Yellow
# One CIM query for all processes instead of one query per process
Get-CimInstance Win32_Process | Where-Object {
    $cmd = $_.CommandLine
    $cmd -and ($suspiciousProcs | Where-Object { $cmd -match $_ })
} | ForEach-Object {
    Write-Host "ALERT: Found suspicious process: $($_.Name) (ID: $($_.ProcessId))" -ForegroundColor Red
    Write-Host "  CommandLine: $($_.CommandLine)" -ForegroundColor Red
    # Note: Automated killing is risky, review output first
    # Stop-Process -Id $_.ProcessId -Force -WhatIf
}

# 2. Audit for specific environment indicators (Passive Detection)
$currentZone = Get-TimeZone
$currentLang = (Get-Culture).Name

Write-Host "Current Time Zone: $($currentZone.Id) ($($currentZone.DisplayName))"
Write-Host "Current Locale: $currentLang"

# Windows identifies the Tehran zone by the Id 'Iran Standard Time'; 'Tehran' appears only in DisplayName
if ($currentZone.Id -eq "Iran Standard Time" -or $currentZone.DisplayName -like "*Tehran*" -or $currentLang -like "fa*") {
    Write-Host "WARNING: System matches CanisterWorm targeting criteria (Iran/Farsi)." -ForegroundColor Red
    Write-Host "Recommendation: Isolate this host immediately if cloud-exposed." -ForegroundColor Red
}

# 3. Cloud Security Hardening Check (AWS/Azure CLI presence)
Write-Host "Auditing presence of Cloud CLI tools..." -ForegroundColor Yellow
$cloudTools = @("aws", "az", "gcloud")
foreach ($tool in $cloudTools) {
    if (Get-Command $tool -ErrorAction SilentlyContinue) {
        Write-Host "Found: $tool installed. Ensure credentials are rotated and MFA is enforced." -ForegroundColor Yellow
    }
}

Write-Host "Audit Complete." -ForegroundColor Green

Remediation

  1. Immediate Isolation: If a system is confirmed infected or exhibits the TTPs (locale check + wiper commands), disconnect it from the network immediately to prevent lateral movement via the worm component.
  2. Cloud Access Control Audit (Critical): The worm spreads via "poorly secured cloud services." Conduct an immediate audit of:
    • Storage Buckets: Ensure no S3 buckets or Azure Blob containers are publicly writable.
    • API Keys: Rotate all cloud API access keys, especially those associated with compute instances.
    • IAM Policies: Enforce Least Privilege. Compute instances should not have permissions to modify storage or launch other instances unless strictly necessary.
  3. Block External Command & Control (C2): While specific IOCs are still emerging, block any unknown outbound traffic from cloud compute segments to non-business critical IPs.
  4. Backups: Ensure offline, immutable backups are available. This is a wiper, meaning data recovery is the primary restoration path; decryption is not an option.
  5. Vendor Advisory Review: Monitor official advisories from your cloud provider (AWS, Azure, GCP) regarding this specific campaign, as they may release automated remediation tools or detection signatures.
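Remediation step 2 asks for an audit of publicly writable buckets. The block below is an added, offline example (not the advisory's own tooling) that evaluates an S3 bucket policy document and an ACL grant list, in the shapes the S3 API returns from GetBucketPolicy and GetBucketAcl, for anything that lets an anonymous or arbitrary principal write or delete objects. The policy and grants are constructed samples; feed it the real documents from your account to triage buckets.

```python
import json

# Constructed sample bucket policy and ACL grants (not from a real account),
# in the same shapes the S3 API returns from GetBucketPolicy and GetBucketAcl
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]
WRITE_ACTION_PREFIXES = ("s3:put", "s3:delete", "s3:*", "*")
PUBLIC_GROUP_URIS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    # "*" or {"AWS": "*"} grants to everyone, including anonymous callers
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_write_statements(policy):
    """Sids of Allow statements that let any principal write or delete objects.
    Condition blocks are ignored on purpose: a conditional public write still needs review."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(a.startswith(WRITE_ACTION_PREFIXES) for a in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_write_grants(grants):
    """ACL grants giving WRITE or FULL_CONTROL to the AllUsers/AuthenticatedUsers groups."""
    return [g for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
            and g["Permission"] in ("WRITE", "FULL_CONTROL")]
```

Public read (the first statement) is flagged by neither function on purpose: it is a data-exposure issue, not the propagation vector this worm needs, and is worth a separate check.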
