Gorilla Botnet

Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that is a variant of the leaked Mirai botnet source code.

Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. No less than 20,000 commands designed to mount distributed denial-of-service (DDoS) attacks have been issued from the botnet every day on average.

Cybersecurity

The botnet is said to have targeted more than 100 countries, attacking universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany have emerged as the most attacked countries.

The Beijing-headquartered company said Gorilla primarily uses UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood to conduct the DDoS attacks, adding the connectionless nature of the UDP protocol allows for arbitrary source IP spoofing to generate a large amount of traffic.

Besides supporting multiple CPU architectures such as ARM, MIPS, x86_64, and x86, the botnet comes with capabilities to connect with one of the five predefined command-and-control (C2) servers to await DDoS commands.

In an interesting twist, the malware also embeds functions to exploit a security flaw in Apache Hadoop YARN RPC to achieve remote code execution. It's worth noting that the shortcoming has been abused in the wild as far back as 2021, according to Alibaba Cloud and Trend Micro.

Persistence on the host is achieved by creating a service file named custom.service in the "/etc/systemd/system/" directory and configuring it to run automatically every time at system startup.

Cybersecurity

The service, for its part, is responsible for downloading and executing a shell script ("lol.sh") from a remote server ("pen.gorillafirewall[.]su"). Similar commands are also added to "/etc/inittab," "/etc/profile," and "/boot/bootcmd" files to download and run the shell script upon system startup or user login.

"It introduced various DDoS attack methods and used encryption algorithms commonly employed by the Keksec group to hide key information, while employing multiple techniques to maintain long-term control over IoT devices and cloud hosts, demonstrating a high level of counter-detection awareness as an emerging botnet family," NSFOCUS said.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.