Persirai (Malware)
⚠️ Overview
Persirai is an Internet of Things (IoT) botnet malware first discovered by Trend Micro in April 2017. It primarily targets IP cameras from multiple vendors, including Linksys, Turtle, and others. The malware has not been attributed to any known threat actor group and falls into the botnet category: it recruits compromised cameras into a distributed denial-of-service (DDoS) attack network. Unlike the earlier Mirai botnet, Persirai specifically exploits a vulnerability in the GoAhead web server (CVE-2017-8225) used by many IP camera models, which allows remote code execution without authentication.
🔧 Technical Capabilities
Persirai propagates by scanning the internet for IP cameras listening on TCP port 81 or 8080 and then attempting to exploit CVE-2017-8225, a command injection vulnerability in the GoAhead web server's CGI handler. The attack vector is a crafted HTTP GET request to the camera's web interface that executes arbitrary shell commands, giving the malware root access. The command-and-control (C2) infrastructure relies on a hardcoded IP address or domain, and control traffic is encrypted with AES-128-CBC to obfuscate it. Persirai achieves persistence by modifying the camera's firmware startup scripts and disabling security mechanisms. Its evasion techniques include checking for sandbox environments by testing network connectivity, and it kills processes belonging to competing malware families such as Mirai in order to monopolize the infected device.
📜 History & Notable Incidents
First identified in April 2017 by Trend Micro, Persirai emerged shortly after the Mirai source code was publicly released, indicating possible code reuse or inspiration. Notable campaigns included large-scale scans of IP cameras in Asia and Latin America; Trend Micro reported over 120,000 vulnerable devices as of May 2017. The malware exploited CVE-2017-8225, a vulnerability discovered earlier that year in the GoAhead web server (versions 2.1.8 through 3.6.5) and patched by the vendor in February 2017. No high-profile law enforcement actions against Persirai operators have been documented, and the botnet largely declined once camera firmware updates were issued.
🔍 Detection Indicators
Known file hashes for Persirai samples include SHA256 values reported by Trend Micro (e.g., 0c92e5b5f0a1b1d5c9c2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4, cited as an example in public reports). Behavioral signatures include sustained outbound TCP connections on port 443 or on custom high-numbered ports to C2 IPs, and the User-Agent string "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0", which is spoofed for HTTP scanning. Network IOCs include scans of IP ranges for port 81/8080 and requests for the specific HTTP path "/cgi-bin/ConfigChk" used to exploit CVE-2017-8225.
☠️ Risk & Impact
Persirai primarily causes damage by launching DDoS attacks, using compromised cameras, typically consumer IoT devices, to flood targets with traffic. Affected industries include service providers, online gaming, and content delivery networks. Financial losses are indirect, stemming from service downtime and remediation costs; no data exfiltration capability has been documented. Persirai maps to MITRE ATT&CK T1498 (Network Denial of Service) as an IoT-based DDoS technique, and its impact is magnified by the sheer volume of unpatched cameras.
🛡️ Mitigation
Recommended defensive measures include applying firmware updates that patch CVE-2017-8225 to IP cameras, disabling the GoAhead web server's CGI functionality where it is not required, and segmenting IoT devices onto a separate network with strict outbound firewall rules. Detection rules can be implemented as Snort or Suricata signatures that match the HTTP request path "/cgi-bin/ConfigChk" and the specific User-Agent string. Security tools such as Trend Micro's Deep Security and TippingPoint (DVLabs) provided virtual patches and IPS filters upon discovery.
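As an added example, not code from Trend Micro or Boteraser, the following Python script applies the request-path and User-Agent indicators quoted in the Detection Indicators and Mitigation sections to web-server access-log lines. It assumes a combined log format with the server port appended as a final field (adjust the regular expression for other layouts); the sample log lines and addresses are constructed for the demonstration.

```python
# Added example (not Trend Micro's or Boteraser's code): flag access-log lines
# that match the Persirai request path and User-Agent quoted on this page.
import re

EXPLOIT_PATH = "/cgi-bin/ConfigChk"
SPOOFED_UA = "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
CAMERA_PORTS = {81, 8080}

# Combined log format with the server port appended as a last field
# (assumed layout; adapt the pattern to your own logs).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<dport>\d+)$'
)

def classify(line):
    """Return (source address, matched indicator names) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    # Drop the query string so "/cgi-bin/ConfigChk?v=1" still matches.
    if m["path"].split("?", 1)[0] == EXPLOIT_PATH:
        hits.append("cve-2017-8225-path")
    if m["ua"] == SPOOFED_UA:
        hits.append("persirai-user-agent")
    if int(m["dport"]) in CAMERA_PORTS:
        hits.append("camera-port")
    return m["src"], hits

def persirai_sources(lines):
    """Per-source count of lines hitting the path or User-Agent indicator.
    The port alone is not reported: legitimate admin traffic also uses
    81/8080, so it only corroborates a path or User-Agent hit."""
    counts = {}
    for line in lines:
        parsed = classify(line)
        if parsed and any(h != "camera-port" for h in parsed[1]):
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts

# Constructed sample: two scanner requests from one host, one benign request.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2017:03:14:07 +0000] "GET /cgi-bin/ConfigChk HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0" 81',
    '198.51.100.7 - - [10/May/2017:03:14:09 +0000] "GET /cgi-bin/ConfigChk?v=1 HTTP/1.1" 404 0 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0" 8080',
    '192.0.2.10 - - [10/May/2017:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0" 8080',
]
```

Calling `persirai_sources(SAMPLE_LOG)` returns `{"198.51.100.7": 2}`: both ConfigChk requests are attributed to the scanning host, while the benign request on port 8080 is not reported.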
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.