
TeamPCP's CanisterWorm Targets Iranian Systems with Destructive Kubernetes Wiper

Severity: High (Score: 78.0)

Sources: Cybersecuritynews, Bleepingcomputer, Gbhackers, Aikido.Dev

Summary

TeamPCP has launched a new campaign that deploys a destructive payload against Kubernetes clusters configured for Iran. The wiper is part of the ongoing CanisterWorm campaign and reuses the command-and-control infrastructure of the earlier attacks, namely the ICP canister at tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io. When the payload detects an Iranian configuration, it deploys a DaemonSet named 'host-provisioner-iran' that wipes each node's host filesystem and forces a reboot; on non-Iranian targets it installs a backdoor instead. On non-Kubernetes hosts the malware attempts to delete user files. The geopolitical targeting marks a shift from the credential theft of earlier CanisterWorm waves to outright destruction, which is why the campaign is assessed as an urgent threat to cloud-native environments.

Key Points:

  • TeamPCP's new payload wipes Kubernetes clusters configured for Iran.
  • The malware uses the same C2 infrastructure as previous CanisterWorm attacks.
  • Destructive actions include deleting host files and rebooting systems.
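A practical check for the DaemonSet described above is to hunt the cluster's DaemonSet inventory for the reported name and, more generally, for the shape a host wiper needs: a privileged container that mounts the node's root filesystem and runs a destructive command. The script below is an added example, not code from the cited reports or from the campaign itself. It parses the JSON emitted by `kubectl get daemonsets -A -o json`; the DaemonSet name and the C2 host come from the summary, while the destructive-command regex, the sample manifests (including the namespace, image and command of the wiper-like entry) are constructed assumptions for this example.

```python
"""Hunt DaemonSets for CanisterWorm-style host-wiper characteristics.

Added example; the DaemonSet name and C2 host are the indicators reported in
the summary, everything else (patterns, sample manifests) is constructed.
"""
import json
import os
import re
import sys

# Indicators from the summary above. The C2 host is re-fanged so it can be
# matched against live manifests.
KNOWN_DS_NAMES = {"host-provisioner-iran"}
KNOWN_C2_HOSTS = {"tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"}

# Heuristic "wipe the host and reboot it" patterns. An assumption of this
# example, not an indicator from the reports.
DESTRUCTIVE_RE = re.compile(
    r"rm\s+-\w*r\w*\s+/|wipefs|\bshred\b|\bdd\s+if=|\breboot\b|sysrq-trigger",
    re.IGNORECASE,
)


def _containers(pod_spec):
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def _mounts_host_root(pod_spec):
    """True if any container mounts a hostPath volume whose path is the node root."""
    root_vols = {
        v["name"] for v in pod_spec.get("volumes", [])
        if os.path.normpath(v.get("hostPath", {}).get("path", "")) == "/"
    }
    return any(m.get("name") in root_vols
               for c in _containers(pod_spec) for m in c.get("volumeMounts", []))


def _command_text(pod_spec):
    """Flatten command, args, env values and image names into one searchable string."""
    parts = []
    for c in _containers(pod_spec):
        parts += c.get("command", []) + c.get("args", [])
        parts += [str(e.get("value", "")) for e in c.get("env", [])]
        parts.append(c.get("image", ""))
    return " ".join(parts)


def analyze_daemonset(ds):
    """Return the reasons a DaemonSet looks like the reported wiper (empty list if none)."""
    reasons = []
    name = ds.get("metadata", {}).get("name", "")
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    if name in KNOWN_DS_NAMES:
        reasons.append("name matches reported DaemonSet")
    privileged = any(c.get("securityContext", {}).get("privileged") for c in _containers(pod))
    if privileged and _mounts_host_root(pod):
        reasons.append("privileged container mounts hostPath /")
    text = _command_text(pod)
    if DESTRUCTIVE_RE.search(text):
        reasons.append("command/args contain destructive pattern")
    if any(host in text for host in KNOWN_C2_HOSTS):
        reasons.append("references reported C2 host")
    return reasons


def find_suspicious_daemonsets(doc):
    """doc: parsed output of `kubectl get daemonsets -A -o json`."""
    findings = []
    for ds in doc.get("items", []):
        reasons = analyze_daemonset(ds)
        if reasons:
            meta = ds.get("metadata", {})
            findings.append({"namespace": meta.get("namespace"),
                             "name": meta.get("name"), "reasons": reasons})
    return findings


# Constructed sample inventory: one ordinary privileged DaemonSet (kube-proxy,
# which only mounts /lib/modules) and one wiper-like DaemonSet whose namespace,
# image and command are assumptions for this example.
SAMPLE_DAEMONSETS = {
    "kind": "List",
    "items": [
        {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
         "spec": {"template": {"spec": {
             "volumes": [{"name": "modules", "hostPath": {"path": "/lib/modules"}}],
             "containers": [{"name": "kube-proxy",
                             "image": "registry.k8s.io/kube-proxy:v1.29.0",
                             "command": ["/usr/local/bin/kube-proxy"],
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "modules", "mountPath": "/lib/modules"}]}]}}}},
        {"metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
         "spec": {"template": {"spec": {
             "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
             "containers": [{"name": "provision", "image": "alpine:3.19",
                             "command": ["sh", "-c",
                                         "rm -rf /host/* ; echo b > /proc/sysrq-trigger"],
                             "env": [{"name": "C2",
                                      "value": "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"}],
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}},
    ],
}

if __name__ == "__main__":
    # Pass a saved `kubectl get ds -A -o json` file as argv[1]; otherwise use the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DAEMONSETS
    print(json.dumps(find_suspicious_daemonsets(doc), indent=2))
```

Run it against a live cluster with `kubectl get daemonsets -A -o json > ds.json && python3 hunt_ds.py ds.json`. The name and C2 checks are exact indicators and will only catch this campaign; the privileged-plus-root-hostPath check is the durable one, since a DaemonSet that can destroy every node needs exactly that combination, and any hit outside your known node agents deserves a look regardless of what it is called.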

Key Entities

  • TeamPCP (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • CanisterWorm Campaign (campaign)
  • Iran (country)
  • CanisterWorm (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1059.006 - Python (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1543.003 - Windows Service (mitre_attack)
  • Docker (tool)
  • Docker API (tool)
  • ICP Canister Backdoor (tool)
  • Kubectl (tool)
  • Internet Computer Protocol (platform)
  • Kubernetes (platform)
  • Systemd (platform)