
CanisterWorm Deep Dive: Detecting the Persian Timezone Logic

WiFi_Wizard_Derek 3/29/2026 USER

Has anyone else dug into the technical details of the 'CanisterWorm' activity reported by Krebs? It’s a fascinating pivot. We're seeing a financially motivated group effectively repurpose their cloud worm infrastructure to act as a geopolitical wiper.

The targeting mechanism is crude but effective: the malware checks the system locale. If it detects Farsi or the Iran Standard Time timezone, it triggers the payload instead of exfiltration. Based on the existing threads here and IOCs floating around, the propagation vector seems to rely heavily on exploiting unpatched edge devices—specifically looking at the CVE-2026-3055 (NetScaler) vulnerabilities discussed in other threads.

For those hunting this in their environments, specifically if you have global footprints, checking for these locale manipulation API calls is key. Here is a basic KQL query I've drafted to look for suspicious process execution involving kernel32.dll calls related to timezone or locale checks, followed by rapid file deletion events:

DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "GetSystemDefaultLangID" or ProcessCommandLine has "GetTimeZoneInformation"
| project DeviceId, InitiatingProcessFileName, ProcTime = Timestamp
| join kind=inner (DeviceFileEvents
    | where Timestamp > ago(1d) and ActionType == "FileDeleted"
    | project DeviceId, FileName, DeleteTime = Timestamp) on DeviceId
// joining on an exact Timestamp match almost never fires; correlate deletions that follow the check within a short window instead
| where DeleteTime between (ProcTime .. (ProcTime + 5m))
| project DeviceId, InitiatingProcessFileName, FileName, ProcTime, DeleteTime


(Note: This is a heuristic; you'll need to tune for false positives based on legit admin tools).

The scary part isn't the wiper itself, but the cloud propagation. How are folks validating their NetScaler configs? Are we assuming that if we aren't in the Middle East, we are safe from the worm's propagation, or is the worm just lying dormant on compromised systems outside the target zone?
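The same heuristic as Derek's query, run offline over constructed sample telemetry, as an added example (not code from the thread): a process whose command line references a locale or timezone API, followed by a burst of deletions on the same device inside a short window. Column names mirror the DeviceProcessEvents/DeviceFileEvents fields in the query; hosts, process names and timestamps are made up.

```python
# Added example, not code from the thread: locale/timezone API reference followed
# by rapid deletions on the same device, correlated over a time window. Column
# names mirror Derek's KQL; hosts, process names and timestamps are constructed.
from datetime import datetime, timedelta

LOCALE_APIS = ("GetSystemDefaultLangID", "GetTimeZoneInformation")

# Constructed sample telemetry (not real indicators).
PROCESS_EVENTS = [
    {"DeviceId": "host-a", "Timestamp": "2026-03-29T10:00:00",
     "InitiatingProcessFileName": "svc.exe",
     "ProcessCommandLine": "rundll32 probe.dll,GetTimeZoneInformation"},
    {"DeviceId": "host-b", "Timestamp": "2026-03-29T11:00:00",
     "InitiatingProcessFileName": "deploy.ps1",
     "ProcessCommandLine": "powershell -c GetSystemDefaultLangID"},
]
FILE_EVENTS = [
    {"DeviceId": "host-a", "ActionType": "FileDeleted", "FileName": f"doc{i}.xlsx",
     "Timestamp": f"2026-03-29T10:00:{i:02d}"} for i in range(40)
] + [
    {"DeviceId": "host-b", "ActionType": "FileDeleted", "FileName": "tmp.log",
     "Timestamp": "2026-03-29T11:00:05"},
]

def locale_check_processes(events):
    """Process events whose command line references a locale/timezone API."""
    return [e for e in events if any(a in e["ProcessCommandLine"] for a in LOCALE_APIS)]

def deletions_after(proc, file_events, window=timedelta(minutes=5)):
    """Deletions on the same device inside `window` after the process event."""
    start = datetime.fromisoformat(proc["Timestamp"])
    return [f for f in file_events
            if f["DeviceId"] == proc["DeviceId"] and f["ActionType"] == "FileDeleted"
            and start <= datetime.fromisoformat(f["Timestamp"]) <= start + window]

def hunt(process_events, file_events, min_deletes=10):
    """One finding per locale-check process followed by a burst of deletions.
    min_deletes is the false-positive knob: one temp file from a deploy script should not fire."""
    findings = []
    for proc in locale_check_processes(process_events):
        deleted = deletions_after(proc, file_events)
        if len(deleted) >= min_deletes:
            findings.append({"DeviceId": proc["DeviceId"],
                             "Process": proc["InitiatingProcessFileName"],
                             "Deletions": len(deleted)})
    return findings

if __name__ == "__main__":
    for finding in hunt(PROCESS_EVENTS, FILE_EVENTS):
        print(finding)
```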

SecArch_Diana 3/29/2026

Solid query. We're actually seeing the propagation attempt regardless of locale. It hits the box, checks the clock, and then decides to wipe or loot. Don't assume you're safe just because you aren't in Tehran. The worm is likely using valid credentials or session tokens stolen via the NetScaler exploit to move laterally. Patching CVE-2026-3055 is priority zero, regardless of geography.

MDR_Analyst_Chris 3/29/2026

I ran the query and caught a few false positives with our deployment scripts, so watch out. The real tell for us was the 'cloud service' connection. The worm attempts to self-propagate by enumerating other cloud instances. We blocked the specific C2 domains and IP ranges mentioned in the Krebs article at the perimeter. It's a classic case of hygiene—if you have exposed RDP or management interfaces, this thing will find you.


Thread stats: created 3/29/2026, last active 3/29/2026, 2 replies, 172 views.