CanisterWorm: The Risk of Locale-Based Wiping for Global Travelers
Has anyone else dug into the technical details of the CanisterWorm campaign targeting Iranian systems? While the 'cloud worm' aspect is getting attention due to the propagation via poorly secured cloud services, I'm more concerned about the rudimentary but effective triggering mechanism.
Based on the latest reports, the malware checks for Asia/Tehran timezones or Farsi language settings before executing the wiper logic. This creates a unique risk for global organizations with traveling employees or multi-region cloud deployments. If a road warrior's device is infected while connected to an insecure network abroad, and they happen to sync their clock or have specific locale packs installed, they could be hit by the 'collateral damage' of a geo-targeted attack.
I’ve been looking at ways to detect this pre-execution check. The malware typically queries the system locale via standard APIs. We can potentially catch this using Sysmon for API monitoring or looking for specific process behaviors.
Here is a basic Sigma rule concept to catch the locale check behavior often seen in these wipers:
detection:
selection:
EventID: 7 # Image loaded
ImageLoaded|endswith: '\kernel32.dll'
OriginalFileName: 'kernel32.dll'
filter:
# suspicious GetLocaleInfo or GetTimeZoneInformation calls
CallTrace|contains:
- 'GetLocaleInfo'
- 'GetTimeZoneInformation'
condition: selection and filter
Has anyone started blocking access to specific cloud metadata services (like the AWS IMDS) as a mitigation? Since the worm spreads through misconfigurations, locking down the metadata endpoint (requiring IMDSv2) seems like the best immediate preventive measure to stop the worm from identifying sibling instances.
How are you guys handling locale-based detection logic in your EDR policies? Is this something you're alerting on, or just relying on AV signatures?
Blocking IMDSv1 is a no-brainer here. We've enforced IMDSv2 (Hop Limit = 1) across our AWS and Azure estates via Terraform. If a worm tries to spread laterally by querying 169.254.169.254 to pull credentials or instance metadata, the hop limit requirement kills it. It's low effort and stops a whole class of cloud-reconnaissance scripts.
If you're on AWS, you can enforce this easily:
# Example: Check IMDSv2 requirement option
aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query 'Instances[0].MetadataOptions'
Make sure HttpTokens is set to required.
The locale check is definitely crude, but effective for the threat actor's goal. From a DFIR perspective, what worries me is the 'worm' propagation. If they are exploiting poorly secured services, is there a specific CVE or common misconfig we should be hunting for? The reports are vague on the exact vulnerability vector. I'm assuming it's just exposed RDP or SMB on cloud instances rather than a zero-day, but I'd love to confirm.
We actually saw a similar heuristic with the NotPetya outbreak regarding language packs. Our SOC is currently tuning rules to flag any non-system process querying GetUserDefaultLangID or GetSystemDefaultLangID followed by a high volume of file handle operations.
Be careful with the Sigma rule above though; legitimate apps query locale info all the time. You'll need to whitelist browsers and localization services or your SIEM will light up like a Christmas tree.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access