Cloud Worms & Locale-Based Wiping: The CanisterWorm Analysis
Just caught the latest report from KrebsOnSecurity regarding 'CanisterWorm.' It’s a fascinating albeit grim evolution in threat actor behavior. We’re seeing a financially motivated group pivoting to destructive wiper tactics, seemingly attempting to capitalize on the geopolitical tensions involving Iran.
The mechanism of infection—propagating through poorly secured cloud services—is concerning enough, but the targeting logic is particularly aggressive. The worm doesn't just spread; it verifies if the infected host is located in Iran by checking the system time zone or if the default language is Farsi before executing the wiper payload.
From a defensive standpoint, this highlights the need for strict cloud hygiene, but also endpoint detection of locale-enumeration. Most scripts don't need to aggressively poll Get-WinSystemLocale or check TimeZones unless they are managing system settings.
Here are a few detection ideas I’m tossing into our SIEM:
1. PowerShell Locale Check Detection:
Get-WinSystemLocale | Select-Object Name
# Or checking the Timezone ID
Get-TimeZone | Select-Object Id
**2. KQL for Advanced Hunting:**
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine contains "Get-WinSystemLocale"
or ProcessCommandLine contains "Get-TimeZone"
or ProcessCommandLine contains "fa-IR"
| summarize count(), dcount(DeviceName) by FolderPath, ProcessCommandLine
Is anyone else seeing anomalies related to unexpected cloud service enumeration or scripts probing locale settings on non-managed endpoints?
Solid KQL query. We've been implementing similar logic for our Linux fleet too, watching for timedatectl or locale commands being called by non-root users or scripts outside of known config management tools like Ansible.
It’s also worth checking your cloud access logs. If this is worming through "poorly secured cloud services," look for successful authentication attempts from disparate geolocations followed immediately by mass file deletion or overwrite events. The 'spread' vector is likely exposed S3 buckets or unauthenticated APIs.
The pivot to language-based targeting is nasty because it bypasses standard IP-based blocking. If a legitimate employee is traveling or using a VPN, IP blocking fails, but the language check still nails them.
We're pushing a GPO to audit process creation for command-line arguments containing 'fa' or 'Iran'. It's noisy during initial setup, but once you baseline it, it catches a lot of these logic-bomb style malwares.
Also, enforce MFA on every single cloud service. If the worm relies on leaked keys (which seems implied by 'financially motivated'), MFA is the only thing that will save you.
Great points. To complement Nico’s Linux monitoring, we should verify what our Windows endpoints are actually broadcasting. Since the wiper logic relies on locale, a quick audit can reveal if you match the target profile. We’ve been running this simple PowerShell check to validate the system locale and cultural settings across our fleet to ensure no unexpected drift could trigger the payload.
Get-Culture | Select-Object Name, DisplayName
Get-WinSystemLocale | Select-Object Name, DisplayName
While endpoint locale checks are vital, we can't ignore the propagation vector via cloud storage. I'd recommend auditing your S3 buckets for public write access regularly. Here’s a simple boto3 snippet to flag potential worm entry points:
import boto3
s3 = boto3.client('s3')
for bucket in s3.list_buckets()['Buckets']:
acl = s3.get_bucket_acl(Bucket=bucket['Name'])
for grant in acl['Grants']:
if 'AllUsers' in str(grant['Grantee']):
print(f"Public access detected: {bucket['Name']}")
Beyond auditing permissions, we should monitor for behavioral anomalies in cloud audit logs. CanisterWorm’s rapid propagation often generates a high volume of PutObject calls in a short timeframe.
You can set up an alert in CloudWatch Logs Insights for this pattern:
fields @timestamp, sourceIPAddress, eventName | filter eventName like /PutObject/ | stats count(*) by sourceIPAddress
| sort count desc
This helps identify compromised automation accounts before the wiper executes.
To catch the propagation early, consider deploying honeytokens within your cloud storage buckets. These are essentially decoy files that trigger alerts if accessed or modified. Since CanisterWorm actively scans and writes to storage, it will inevitably trip these alarms before hitting production data.
You can quickly seed a bucket with a canary marker using the AWS CLI:
aws s3api put-object --bucket my-bucket --key canary-token.txt --body "Honeytoken" --content-type "text/plain"
Combine this with EventBridge rules to notify you immediately upon GetObject or PutObject events on these specific keys. It’s a low-effort way to gain high-fidelity detection for this specific worm.
Since we’re covering permissions and logs, don’t overlook honeytokens for early warning. Seeding your cloud storage with canary files allows you to detect if the worm attempts to modify or delete these specific decoy objects, catching traversal before widespread damage. Here is a quick snippet to generate a unique filename for use as a decoy:
import uuid
print(f"canary_{uuid.uuid4()}.txt")
Testing susceptibility is just as important as detection. If you want to quickly verify if a specific machine falls within the worm's targeted locales without relying solely on registry checks, this quick Python script can help audit the environment programmatically.
import locale
# Example high-risk locales based on the report
targets = ['fa_IR', 'ar_SA', 'he_IL']
current = locale.getdefaultlocale()[0]
if current in targets:
print(f"[WARNING] Target profile matched: {current}")
else:
print(f"[INFO] Locale check passed: {current}")
This is great for bulk-checking assets during your initial risk assessment phase.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access