Title: CanisterWorm’s Latest Evolution Targets Kubernetes Clusters in Iran: A Comprehensive Overview
In a significant escalation, CanisterWorm’s newest iteration turns TeamPCP’s cloud-native toolkit into a wiper specifically engineered to take down entire Kubernetes clusters that it identifies as located in Iran. The move marks a strategic pivot toward geopolitical cyber warfare: the malware no longer merely infiltrates, it destroys.
CanisterWorm has built upon previously established malicious frameworks, repurposing the Internet Computer Protocol (ICP) canister command-and-control (C2) and backdoor architecture that had demonstrated its efficacy in earlier cyber incidents, notably the Trivy and NPM supply-chain attacks. However, this evolution introduces selective destruction mechanisms that rely on geographically-based checks, leveraging timezone and locale data to discern targets.
The campaign’s operations commence from Cloudflare-backed infrastructure, wherein it deploys a bash stager known as kamikaze.sh. This initial stage ensures that the kubectl command-line tool is present on the target environment before it subsequently retrieves a Python controller script titled kube.py. This script embodies the destructive logic of the malware, establishing a connection to the familiar ICP canister at the specified address, while employing the same drop path in /tmp/pglog as documented in the original CanisterWorm outbreak.
This development definitively ties the current activity to TeamPCP’s prior supply-chain breaches, thus confirming the continuity of methods rather than indicating a mere mimicry by another actor. Reporting reveals that the controller script begins by fingerprinting its operational environment. It seeks to establish whether to proceed with espionage or full-scale destruction based on its analysis.
In particular, CanisterWorm detects Kubernetes clusters by examining the default service account mounts and checking for the KUBERNETES_SERVICE_HOST environment variable. Geographical classification is performed by reading /etc/timezone, querying the output of timedatectl, and checking the LANG environment variable for the locale fa_IR, the Persian locale typically associated with Iranian systems.
When the script identifies an Iranian Kubernetes cluster, it launches a destructive payload designed to erase data. It creates a privileged DaemonSet named host-provisioner-iran in the kube-system namespace, with a container named kamikaze. This pod mounts the node’s root filesystem at /mnt/host, deletes the top-level directories beneath it, and finishes with a forced reboot of the node. Because a DaemonSet schedules one pod on every node, a single kubectl apply propagates the destructive workload across the entire cluster within minutes, leaving the environment inoperable.
In contrast, Kubernetes clusters situated outside of Iran face a different fate. A secondary DaemonSet called host-provisioner-std prioritizes persistent backdoor installation over immediate destruction. It regularly queries the ICP canister for a binary URL, downloading and executing whatever instructions it receives, thereby maintaining its foothold in non-Iranian Kubernetes setups.
Beyond Kubernetes environments, the malware’s reach extends to other system types, with geography again dictating the extent of the damage. If it determines that it is running on an Iranian system, the poison-pill function attempts to wipe the filesystem with rm -rf / --no-preserve-root, first as root, then via passwordless sudo, and finally with whatever permissions the current user holds.
Moreover, in a noteworthy deviation, this iteration of CanisterWorm no longer depends on Kubernetes at all, adopting a propagation method reminiscent of classic network worms. The newly introduced prop.py stage parses log files to harvest local SSH private keys and then abuses hosts that accept those keys without a password to spread a base64-encoded payload across local subnets. In parallel, it scans for Docker APIs reachable on port 2375 and uses them to launch its own privileged containers, again deploying either destruction or a backdoor depending on the geographic classification.
From a defensive standpoint, security teams are urged to audit kube-system DaemonSets immediately for unexpected entries. Any container running with privileged permissions, particularly under the names host-provisioner-iran or host-provisioner-std, warrants close scrutiny. Systemd services masquerading under names such as internal-monitor or pgmonitor, and files under /var/lib/svc_internal/ or /var/lib/pgmon/, should also be investigated. Finally, watch for irregular outbound traffic to icp0.io and to any undocumented Cloudflare tunnel domains used to deliver payloads.
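The DaemonSet audit recommended above can be automated against the JSON that `kubectl get daemonsets -A -o json` prints. The script below is an added example, not code from the original report or from any vendor tool: it flags DaemonSets that combine a privileged container with a hostPath mount of the node root (the pattern the report attributes to the kamikaze container) and, separately, the DaemonSet and container names the report lists. The sample `SAMPLE_DS_LIST` document is constructed for the example, and the `audit_daemonsets` and `main` names are this example’s own.

```python
"""Audit DaemonSet manifests for the privileged host-root-mount pattern.

Added example (not the report's own code). Input is a DaemonSetList document
as produced by `kubectl get daemonsets -A -o json`; when no file argument is
given the constructed sample below is used instead.
"""
import json
import sys

# Names taken from the report; illustrative, not an exhaustive indicator list.
SUSPECT_DS_NAMES = {"host-provisioner-iran", "host-provisioner-std"}
SUSPECT_CONTAINER_NAMES = {"kamikaze"}


def audit_daemonsets(ds_list: dict) -> list:
    """Return one finding (dict with namespace, name, reasons) per suspicious DaemonSet."""
    findings = []
    for item in ds_list.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        namespace = meta.get("namespace", "")
        pod_spec = item.get("spec", {}).get("template", {}).get("spec", {})

        # Volumes that expose the node's entire root filesystem via hostPath.
        root_volumes = {
            v.get("name")
            for v in pod_spec.get("volumes", [])
            if v.get("hostPath", {}).get("path") == "/"
        }

        reasons = []
        if name in SUSPECT_DS_NAMES:
            reasons.append(f"known suspicious DaemonSet name {name}")

        containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
        for c in containers:
            cname = c.get("name", "")
            privileged = bool(c.get("securityContext", {}).get("privileged"))
            mounts_root = any(m.get("name") in root_volumes for m in c.get("volumeMounts", []))
            if cname in SUSPECT_CONTAINER_NAMES:
                reasons.append(f"known suspicious container name {cname}")
            if privileged and mounts_root:
                reasons.append(f"container {cname} is privileged and mounts the node root")
            elif privileged:
                reasons.append(f"container {cname} is privileged")
            elif mounts_root:
                reasons.append(f"container {cname} mounts the node root filesystem")

        if reasons:
            findings.append({"namespace": namespace, "name": name, "reasons": reasons})
    return findings


# Constructed sample shaped like kubectl's DaemonSetList output: one benign
# log agent mounting only /var/log, and one entry modelled on the report.
SAMPLE_DS_LIST = {
    "kind": "DaemonSetList",
    "items": [
        {
            "metadata": {"name": "log-agent", "namespace": "logging"},
            "spec": {"template": {"spec": {
                "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
                "containers": [{"name": "agent",
                                "volumeMounts": [{"name": "varlog", "mountPath": "/var/log"}]}],
            }}},
        },
        {
            "metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
            "spec": {"template": {"spec": {
                "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                "containers": [{"name": "kamikaze",
                                "securityContext": {"privileged": True},
                                "volumeMounts": [{"name": "host", "mountPath": "/mnt/host"}]}],
            }}},
        },
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_DS_LIST
    for f in audit_daemonsets(doc):
        print(f"{f['namespace']}/{f['name']}: " + "; ".join(f["reasons"]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `kubectl get daemonsets -A -o json > ds.json && python audit_ds.py ds.json`. The privileged-plus-root-mount check is deliberately independent of the names, so a renamed DaemonSet with the same capability profile is still surfaced; legitimate node agents that need privileged mode will also appear and should be allow-listed by name once reviewed.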
Given the enhanced network-propagation capabilities of this latest CanisterWorm variant, organizations must remain alert to anomalous SSH activity arising from compromised machines while ensuring that any exposed Docker APIs on port 2375 are adequately secured to thwart potential exploitation.
As the cyber landscape evolves, it is critical for defenders to adapt continuously and monitor for emerging threats, particularly those demonstrating political motivations that seek to disrupt entire infrastructures.