
CanisterWorm: Wiping Logic & Cloud Worming Mechanics

ZeroDayHunter 4/6/2026

Just caught the KrebsOnSecurity piece on 'CanisterWorm'. It’s a fascinating shift in TTPs—a financially motivated group using a wormable wiper, likely trying to mask their greed under the guise of geopolitical conflict.

The malware targets systems with an Asia/Tehran time zone or Farsi set as the default language. While the wiper payload is specific, the propagation vector via poorly secured cloud services is a global concern. If your cloud permissions are lax, you could be hosting the worm even if you aren't the target.

**The Check**
The locale check is surprisingly straightforward. It likely queries system settings before detonating. Here is a conceptual Python snippet of what that logic looks like:

import datetime
import locale
import os


def classify_host():
    """Conceptual reproduction of the locale / time zone gate.
    Returns "WIPE_TARGET" or "SKIP"; this is illustrative, not the malware's code."""
    # Check for Farsi locale. getdefaultlocale() is deprecated since Python 3.11,
    # and getlocale() can return (None, None) on a bare system.
    sys_locale = locale.getlocale()[0] or ""
    if sys_locale.lower().startswith("fa"):
        return "WIPE_TARGET"

    # Check for Iran time zone. tzname() often yields only an abbreviation or a
    # UTC offset such as "+0330", so the TZ variable is consulted as well.
    tz = datetime.datetime.now(datetime.timezone.utc).astimezone().tzname()
    tz_names = f"{tz} {os.environ.get('TZ', '')}"
    if "Iran" in tz_names or "Tehran" in tz_names:
        return "WIPE_TARGET"
    return "SKIP"


**Hunting**
We need to watch for processes querying these specific settings. If you aren't in the region, seeing these calls is a massive red flag for a scanning malware instance.
DeviceProcessEvents
| where ProcessCommandLine has_any ("Get-WinSystemLocale", "Get-TimeZone")
// contains "fa" matches any command line with that substring (default, fail, ...);
// anchor the language tag as a whole token instead
| where ProcessCommandLine matches regex @"(?i)\bfa(-IR)?\b|Tehran"

Has anyone started seeing anomalous API calls in their cloud logs that might indicate lateral movement attempts for this worm? I'm curious if others are seeing the propagation attempts in the wild.

PhysSec_Marcus 4/6/2026

We noticed a spike in failed auth attempts on our exposed S3 buckets right before this news dropped. While we aren't targeted by the wiper, the worming aspect is real.

Make sure you aren't leaving public access open on your storage:

aws s3api get-bucket-policy --bucket YOUR_BUCKET_NAME --query 'Policy' --output text


If `Principal` is set to `*`, you're part of the botnet fodder. Lock it down immediately.
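To turn that policy check into something you can run over the JSON the command above prints, here is an added Python example (my code, not Marcus's and not an AWS tool). The two policies are constructed samples; the bucket name and role ARN in them are placeholders.

```python
import json

# Constructed sample policies (not from any real account).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _is_wildcard_principal(principal):
    """True for the two forms AWS treats as anonymous: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_text):
    """Return the Allow statements that grant to everyone.

    Deny statements with a wildcard principal are the normal way to force TLS,
    so they are not flagged. An Allow with a Condition (for example a source
    VPC or IP restriction) may or may not be public, so it is reported with
    conditioned=True for manual review rather than silently dropped.
    """
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append({
                "sid": st.get("Sid", "<no Sid>"),
                "actions": actions,
                "conditioned": "Condition" in st,
            })
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, public_statements(text))
```

Feed it the `Policy` text from `aws s3api get-bucket-policy`. A bucket policy is only one of the paths to public exposure: object ACLs and the Block Public Access settings matter as well, so pair this with `aws s3api get-public-access-block` and `aws s3api get-bucket-policy-status` before calling a bucket locked down.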
Forensics_Dana 4/6/2026

The locale check is interesting but low-tech. It reminds me of the Shamoon days, but wrapped in a wormable container.

For detection on Windows endpoints, you can also look for changes in the registry keys controlling locale, though that's noisy. Better to focus on the execution of the wiper module itself.

Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\Language' -Recurse

Regardless, patching cloud hygiene is the only real stop for the spread.

K8s_SecOps_Mei 4/6/2026

It feels like they are leveraging the chaos of the current geopolitical situation to hide their financial motives. Pure extortionists usually don't use wipers because it destroys their leverage (the data), but if they frame it as 'cyberwar', they don't need to decrypt anything.

We added a simple heuristic to our SIEM: alert on any process trying to enumerate locale info followed immediately by a network connection to unknown IPs.
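The correlation Mei describes (locale enumeration followed by a connection to an unknown IP), which also covers the process-side hunt in the first post, as an added Python example that is not code from any poster. The telemetry rows are constructed to look like DeviceProcessEvents / DeviceNetworkEvents, the allow list of known networks is hypothetical, and the 30-second window is an assumption you would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real logs).
PROCESS_EVENTS = [
    # (timestamp, device, process id, command line)
    ("2026-04-06T09:00:01", "ws-01", 4120, 'powershell.exe -c "Get-WinSystemLocale; Get-TimeZone"'),
    ("2026-04-06T09:05:00", "ws-02", 3300, 'powershell.exe -c "Get-Date"'),
    ("2026-04-06T09:07:10", "ws-03", 5512, 'powershell.exe -c "Get-TimeZone"'),
]
NETWORK_EVENTS = [
    # (timestamp, device, process id, remote ip)
    ("2026-04-06T09:00:03", "ws-01", 4120, "203.0.113.7"),  # unknown IP, 2 s after the query
    ("2026-04-06T09:05:01", "ws-02", 3300, "203.0.113.7"),  # unknown IP, but no locale query
    ("2026-04-06T09:09:00", "ws-03", 5512, "10.10.0.5"),    # internal address, ignored
]

LOCALE_CMDLETS = ("Get-WinSystemLocale", "Get-TimeZone", "Get-Culture")
# Hypothetical allow list: private ranges plus one documentation range
# standing in for a known update server.
KNOWN_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("198.51.100.0/24"),
]
WINDOW = timedelta(seconds=30)


def is_unknown(remote_ip):
    """True when the address is outside every network on the allow list."""
    addr = ip_address(remote_ip)
    return not any(addr in net for net in KNOWN_NETWORKS)


def correlate(process_events, network_events, window=WINDOW):
    """Return one alert per (device, pid) that queried locale or time zone
    settings and then reached an unknown IP within `window`."""
    queries = defaultdict(list)
    for ts, device, pid, cmdline in process_events:
        if any(c.lower() in cmdline.lower() for c in LOCALE_CMDLETS):
            queries[(device, pid)].append(datetime.fromisoformat(ts))

    alerts = []
    for ts, device, pid, remote in network_events:
        if not is_unknown(remote):
            continue
        t = datetime.fromisoformat(ts)
        for q in queries.get((device, pid), []):
            delay = t - q
            if timedelta(0) <= delay <= window:
                alerts.append({
                    "device": device,
                    "pid": pid,
                    "remote": remote,
                    "delay_s": delay.total_seconds(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

Only ws-01 fires: ws-02 never queried locale settings and ws-03 talked to an internal address. In a SIEM the same logic is a join on device and process id with a time bound, and the allow list is what keeps it from paging on every patch-management run.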


Thread Stats

Created 4/6/2026
Last Active 4/6/2026
Replies 3
Views 92