CanisterWorm: Cloud Worming & The Locale-Based Wipe Trigger

DarkWeb_Monitor_Eve 4/4/2026

Just caught the report on Krebs regarding 'CanisterWorm.' It’s a fascinating, albeit destructive, pivot by a financially motivated group trying to inject themselves into geopolitical conflicts via a wiper.

The mechanics are concerning: it propagates through poorly secured cloud services (likely exposed APIs or storage buckets), but the payload delivery is strictly conditional based on locale checks. It’s targeting systems set to the Iran time zone or using Farsi as the default language.

From a defensive perspective, this creates a weird blind spot. If you aren't in that region, your AV might ignore the binary if it's signature-light, assuming it's 'not for you.' But we should be hunting the propagation and the check logic, not just the wiper.

I’ve whipped up a quick KQL query to hunt for the locale enumeration phase, which is often the precursor to the wipe:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("GetSystemDefaultLocaleName", "GetTimeZoneInformation")
  // verbatim string (@"...") so the backslash is not parsed as an escape
  or ProcessCommandLine has @"Control Panel\International"
| where InitiatingProcessFileName !in ("explorer.exe", "settings.exe")
| project DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName

We should also verify that our cloud ingress points aren't accidentally exposing metadata services to external IPs.

Has anyone else started hunting for the 'worm' component on the cloud perimeter yet? I’m curious if it’s leveraging specific known vulnerabilities or just misconfigurations.

Threat_Intel_Omar 4/4/2026

Good call on the locale enumeration. We're seeing similar behavior in our honeypots. The worm seems to be scanning for open HTTP ports on cloud instances before attempting the infection.

If you're using AWS, you can check for suspicious enumeration by looking at VPC Flow Logs for traffic hitting non-standard ports from the same source IPs rapidly:

# Assumes the flow logs have been exported to a local file in the default record format
# (field 4 = srcaddr, field 7 = dstport); counts rejected source/port pairs, most frequent first
grep -i "REJECT" vpc-flow-logs.txt | awk '{print $4, $7}' | sort | uniq -c | sort -nr

The locale check is definitely the unique differentiator here compared to standard ransomware.

Proxy_Admin_Nate 4/4/2026

The targeting mechanism based on GetSystemDefaultLangID is interesting because it implies the threat actor wants to avoid collateral damage to preserve their 'operational security' or avoid Western law enforcement attention for now.

From a sysadmin perspective, if you have global travelers, ensure their BIOS/UEFI time and OS time zones sync correctly. A mismatched timezone usually won't trigger this specific wiper, but it's good hygiene regardless. We're pushing a GPO to block creation of unsigned binaries in temp folders just in case.

NetGuard_Mike 4/4/2026

We analyzed a sample today. The 'worm' functionality is actually just a PowerShell script running in memory, which makes it harder to catch if you don't have script block logging enabled.

You can enable it easily:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $key -Force | Out-Null   # the policy key does not exist by default; create it first
New-ItemProperty -Path $key -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force

Once enabled, you'll see the locale check clearly in the logs.
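As an added example that is not from the thread or from any analyzed sample: a small Python hunt over constructed 4104 script block text that flags blocks which both call a locale/time-zone API and compare against a Farsi/Iran value. The indicator strings and the sample events are assumptions for illustration, not strings extracted from CanisterWorm.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed indicator lists (not taken from a CanisterWorm sample): APIs/cmdlets that
# enumerate locale or time zone, and the values a Farsi/Iran check would compare against.
LOCALE_APIS = (
    "GetSystemDefaultLangID", "GetSystemDefaultLocaleName", "GetTimeZoneInformation",
    "Get-WinSystemLocale", "Get-TimeZone", "Control Panel\\International",
)
TARGET_LOCALE_VALUES = ("fa-IR", "Iran Standard Time", "0x0429", "Tehran")  # 0x0429 = Persian LANGID


@dataclass
class Hit:
    record_id: str
    apis: List[str] = field(default_factory=list)
    values: List[str] = field(default_factory=list)


def score_script_block(record_id: str, text: str) -> Optional[Hit]:
    """Flag only blocks that BOTH enumerate locale/time zone AND reference a target value.
    Requiring both cuts the noise from admin scripts that merely read the time zone."""
    lowered = text.lower()
    apis = [a for a in LOCALE_APIS if a.lower() in lowered]
    values = [v for v in TARGET_LOCALE_VALUES if v.lower() in lowered]
    if apis and values:
        return Hit(record_id, apis, values)
    return None


def hunt(events: List[Tuple[str, str]]) -> List[Hit]:
    """Run the scorer over (record_id, script_block_text) pairs and keep the hits."""
    return [h for h in (score_script_block(i, t) for i, t in events) if h]


# Constructed sample events standing in for EventID 4104 ScriptBlockText fields.
SAMPLE_EVENTS = [
    ("evt-1", "Get-TimeZone | Select-Object Id   # scheduling helper, no comparison"),
    ("evt-2", "$l = Get-WinSystemLocale; if ($l.Name -eq 'fa-IR' -or "
              "(Get-TimeZone).Id -eq 'Iran Standard Time') { & $stage2 }"),
    ("evt-3", "Set-ItemProperty 'HKCU:\\Control Panel\\International' -Name LocaleName -Value en-US"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.record_id}: apis={hit.apis} values={hit.values}")
```

Only evt-2 is reported; the two benign blocks touch locale APIs without comparing against an Iran/Farsi value.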
