CanisterWorm: When Financial Motives Meet Geopolitical Wiping
Just caught the latest report from KrebsOnSecurity regarding 'CanisterWorm,' and it’s a concerning development. While we often see state-affiliated wipers in active conflict zones, this appears to be a financially motivated group injecting themselves into the geopolitical situation.
The mechanics are particularly nasty because the targeting is so specific yet simple. The worm propagates via poorly secured cloud services (likely unauthenticated cloud storage or open APIs) but only executes the wiper payload if the system matches specific criteria. Analysis indicates the malware checks for either the 'Iran Standard Time' zone or for Farsi (fa_IR) set as the system default language.
For those threat hunting, you'll want to look for unusual file deletion activity combined with massive egress traffic or internal cloud scanning. The wiper logic isn't complex; it's brutal. Based on the descriptions, a check might look similar to this pseudo-code logic found in similar variants:
import locale
import time


def check_target():
    """Return True when the host looks like a target: Farsi locale or Iran time zone."""
    # Check the system locale. locale.getlocale() can return (None, None) on a
    # bare "C" locale, so fall back to an empty string before the substring test
    # (the original getdefaultlocale() call is deprecated and has the same None gap).
    sys_locale = locale.getlocale()[0] or ""
    if "fa" in sys_locale:  # matches fa_IR, fa, ...
        return True
    # Check the time zone (simplified logic). time.tzname is a tuple of names,
    # e.g. ('Iran Standard Time', 'Iran Daylight Time') on Windows; a plain `in`
    # on the tuple tests element equality, so join it first for a substring match.
    tz_names = " ".join(time.tzname)
    if "Tehran" in tz_names or "Iran" in tz_names:
        return True
    return False


if check_target():
    execute_wiper()  # destructive payload, deliberately not reproduced here
The cloud propagation vector is the real worry here. It underscores the need for strict IAM policies and disabling public access on storage buckets.
Has anyone started seeing IOCs related to cloud service abuse in their environments yet, or is this still largely isolated to that specific region?
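The "strict IAM policies and no public access on storage buckets" point above is easy to state and easy to get subtly wrong, so here is a small policy linter as an added example (my code, not anything from the report or the thread). It takes a constructed weak bucket policy beside a hardened one for a hypothetical bucket and account, flags Allow statements whose Principal is "*" without a condition that actually narrows the audience, and checks that all four S3 Block Public Access settings are on. The lists of scoping condition operators and keys are a simplified assumption of mine; negated operators such as StringNotEquals are deliberately excluded because they widen rather than narrow.

```python
import json

# Condition operators and keys that actually narrow "Principal": "*" to a
# specific network, account or organisation. Simplified list (an assumption
# for this example); negated operators are left out because they do not narrow.
SCOPING_OPS = {"stringequals", "stringequalsignorecase", "stringlike",
               "arnequals", "arnlike", "ipaddress"}
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
                "aws:principalorgid", "aws:principalaccount", "aws:principalarn"}

# Constructed policies for a hypothetical bucket; not from any real account.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]}]})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleReadViaEndpoint", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def _scoped(statement):
    """True if a Condition narrows the statement to a network, account or org."""
    for op, kv in statement.get("Condition", {}).items():
        if op.lower() in SCOPING_OPS and any(k.lower() in SCOPING_KEYS for k in kv):
            return True
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to anyone."""
    stmts = json.loads(policy_json)["Statement"]
    if isinstance(stmts, dict):  # a single statement may be written without the list
        stmts = [stmts]
    public = []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is the opposite of public access
        if "*" in _principals(s.get("Principal", {})) and not _scoped(s):
            public.append(s.get("Sid", f"Statement[{i}]"))
    return public


def public_access_block_ok(cfg):
    """True only when all four S3 Block Public Access settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)
```

Run it against a policy pulled with the CLI and it reports "PublicRead" for the weak document and nothing for the hardened one; the hardened policy also adds the usual Deny on non-TLS transport, which the linter correctly ignores because it is not an Allow. Treat the scoping lists as a starting point, not as a substitute for IAM Access Analyzer.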
We've started hunting for this by correlating excessive 'GetObject' or 'ListBucket' API calls followed by process execution. It’s classic reconnaissance behavior before the worm spreads. If you're on AWS, GuardDuty has updated rules for 'CryptoCurrency:EC2/BitcoinTool.B', which often flags the compute resources used for scanning. I recommend checking your CloudTrail logs for any principals making calls from unexpected IPs.
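The correlation described in the reply above, enumeration calls followed by process execution, as an added example run over constructed sample data (my code, not the poster's query or any real telemetry). It parses CloudTrail-shaped JSON lines, finds principals that make five or more GetObject/ListObjects calls inside a one-minute sliding window, marks bursts from IPs outside an assumed list of known networks, and then looks for a process start on the same EC2 instance during or shortly after the burst. The account ID, role names, IP ranges and host events are all hypothetical; the one real-world detail relied on is that instance-profile credentials carry the instance ID as the role session name.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# S3 reads and enumeration as CloudTrail names them. The IAM permission is
# s3:ListBucket, but CloudTrail records the API call as ListObjects/ListObjectsV2.
ENUM_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2"}

# Networks our own principals are expected to call from (assumed for the example).
KNOWN_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("203.0.113.0/24")]


def _record(ts, name, arn, ip):
    """Build one constructed CloudTrail record as a JSON line (sample data, not real telemetry)."""
    return json.dumps({"eventTime": ts, "eventSource": "s3.amazonaws.com",
                       "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"arn": arn}})


ROLE = "arn:aws:sts::123456789012:assumed-role/WebRole/"   # hypothetical account and role
WORKER = ROLE + "i-0a1b2c3d4e5f6a7b8"                       # instance-profile session
CI = "arn:aws:sts::123456789012:assumed-role/CIRole/deploy"

SAMPLE_CLOUDTRAIL = [
    _record("2024-05-01T10:00:00Z", "ListObjectsV2", WORKER, "198.51.100.7"),
    _record("2024-05-01T10:00:05Z", "GetObject", WORKER, "198.51.100.7"),
    _record("2024-05-01T10:00:12Z", "GetObject", WORKER, "198.51.100.7"),
    _record("2024-05-01T10:00:20Z", "ListObjectsV2", WORKER, "198.51.100.7"),
    _record("2024-05-01T10:00:27Z", "GetObject", WORKER, "198.51.100.7"),
    _record("2024-05-01T10:00:33Z", "GetObject", WORKER, "198.51.100.7"),
    _record("2024-05-01T10:00:40Z", "GetObject", WORKER, "198.51.100.7"),
    _record("2024-05-01T10:02:00Z", "GetObject", CI, "10.20.4.9"),  # routine deploy reads
    _record("2024-05-01T10:02:30Z", "GetObject", CI, "10.20.4.9"),
]

# Constructed host telemetry (EDR/auditd-style process starts) keyed by instance id.
SAMPLE_HOST_EVENTS = [
    {"time": "2024-05-01T10:01:10Z", "instance": "i-0a1b2c3d4e5f6a7b8",
     "cmdline": "sh -c /tmp/.cache/run.sh"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enumeration_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map principal ARN -> (burst_start, burst_end, source_ip) for principals that
    made at least `threshold` enumeration calls inside a sliding `window`."""
    calls = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") in ENUM_EVENTS:
            calls[ev["userIdentity"]["arn"]].append((_ts(ev["eventTime"]), ev["sourceIPAddress"]))
    bursts = {}
    for arn, seq in calls.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[arn] = (seq[start][0], seq[end][0], seq[end][1])
    return bursts


def instance_from_session(arn):
    """EC2 instance-profile credentials use the instance id as the role session name."""
    session = arn.rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def hunt(cloudtrail_lines, host_events, known_nets=KNOWN_NETS, lag=timedelta(minutes=5)):
    """Flag enumeration bursts, noting unexpected source IPs and any process start on
    the same instance during the burst or within `lag` after it."""
    findings = []
    for arn, (b_start, b_end, ip) in enumeration_bursts(cloudtrail_lines).items():
        addr = ipaddress.ip_address(ip)
        inst = instance_from_session(arn)
        followed = any(h["instance"] == inst and b_start <= _ts(h["time"]) <= b_end + lag
                       for h in host_events) if inst else False
        findings.append({"principal": arn, "source_ip": ip,
                         "unexpected_ip": not any(addr in n for n in known_nets),
                         "followed_by_exec": followed})
    return findings
```

On the sample, only the WebRole instance session trips the rule: seven calls in forty seconds from an address outside the known networks, followed by a shell start on that instance seventy seconds later; the CI role's two reads never reach the threshold. One caveat before relying on this in production: GetObject and ListObjects are S3 data events, which CloudTrail does not record unless data-event logging is enabled for the bucket or trail, so confirm that first or the burst detector will sit silent.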
It's wild that they are using locale checks as a safety switch. From a pentester's perspective, this is actually sloppy OPSEC. If I were writing a worm, I'd want to be sure I wasn't wiping a system that could be ransomed later. The destruction of data removes the leverage. It makes me wonder if the 'financial motivation' is actually a cover or if they are being paid specifically for disruption by a third party.
The targeting logic based on Timezone is tricky to block via GPOs without breaking legitimate users in that region. However, we are pushing a hard block on the specific cloud storage hashes associated with the initial dropper. If your organization uses Farsi locales, ensure your EDR is tuned to look for cmd.exe or powershell.exe spawning from svchost.exe with arguments involving file deletion (e.g., cipher /w or sdelete).
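The EDR tuning suggested in the reply above, cmd.exe or powershell.exe spawned by svchost.exe with deletion arguments, as an added example in code (mine, not the poster's EDR rule). It runs a parent/child/command-line rule over constructed Sysmon Event ID 1-style records and returns which rule fired for each hit. The thread names cipher /w and sdelete; I have generalised to the obvious equivalents, del /s /q and Remove-Item -Recurse, and included pwsh.exe alongside powershell.exe. The sample records, paths and command lines are invented for the example.

```python
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SUSPECT_PARENT = "svchost.exe"

# Command-line patterns for bulk deletion / free-space wiping. The thread names
# `cipher /w` and `sdelete`; `del /s /q` and `Remove-Item -Recurse` are added
# here as the obvious equivalents (a generalisation, not from the thread).
DELETE_PATTERNS = {
    "cipher_wipe": re.compile(r"\bcipher(\.exe)?\b.*?\s/w:", re.I),
    "sdelete": re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I),
    "cmd_del_recursive": re.compile(r"\b(del|erase)\b(?=.*\s/s\b)(?=.*\s/q\b)", re.I),
    "ps_remove_recursive": re.compile(r"\bRemove-Item\b.*-Recurse", re.I),
}

# Constructed Sysmon Event ID 1-style records; none are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c cipher /w:C:\Users"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "Remove-Item C:\Data -Recurse -Force"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c cipher /w:D:\Temp"},  # admin at the console, not svchost
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c whoami"},  # scheduled task child of svchost, no deletion
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c C:\Tools\sdelete64.exe -p 3 -s C:\Data"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c del /f /s /q C:\Data\*"},
]


def _base(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the matching rule name when a shell spawned by svchost.exe carries a
    deletion/wipe command line, else None."""
    if _base(event.get("ParentImage", "")) != SUSPECT_PARENT:
        return None
    if _base(event.get("Image", "")) not in SHELLS:
        return None
    cmd = event.get("CommandLine", "")
    for name, pattern in DELETE_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def detect(events):
    """Run the rule over a batch and return (index, image, rule) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            hits.append((i, _base(ev["Image"]), rule))
    return hits
```

Four of the six sample records fire; the cipher run launched from explorer.exe and the whoami task do not, which is the point of the parent check: svchost.exe hosts the Task Scheduler and regularly spawns shells, so the deletion arguments are what carry the signal, and the parent only narrows the noise. Expect to extend the patterns for wmic, vssadmin and similar once you know what the dropper actually runs.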