GorillaBot: The New DDoS King with 300,000+ Attack Commands

Gorilla Botnet, a recently discovered botnet, has exhibited unusually high activity, issuing over 300,000 attack commands in less than a month. Targeting over 100 countries, including China and the U.S., the botnet has launched attacks on various sectors such as universities, government websites, and financial institutions.

A modified Mirai variant supports multiple CPU architectures and introduces new DDoS attack methods by using encryption and various techniques to maintain long-term control over IoT devices and cloud hosts, demonstrating a high level of counter-detection awareness. 

It launched a persistent DDoS attack campaign in September 2024, targeting 113 countries with over 300,000 commands issued daily. China experienced the most significant impact, followed by the U.S., Canada, and Germany. The attack distribution was relatively consistent throughout the month.

 Victim distribution

Gorilla Botnet has launched UDP, ACK BYPASS, and VSE flood attacks on over 40 organizations, where UDP flood attacks are favored due to their ability to spoof source IPs and generate high traffic by using existing attack code and self-named DDoS attacks to execute attacks.

A variant of the Mirai botnet supports multiple architectures and leaves a signature message, which reuses Mirai’s online package and command parsing functionality while adding a unique identifier to distinguish itself.

GorrilaBot

By using a random C&C server selection process similar to Mirai, it employs a variety of DDoS attack methods, including UDP, TCP, and GRE-based attacks, by using encryption and decryption algorithms to secure communication with the C&C server. 

GorillaBot uses a random C&C server selection process similar to Mirai by employing a variety of DDoS attack methods, including UDP, TCP, and GRE-based attacks. The bot uses encryption and decryption algorithms to secure communication with the C&C server. 

According to NSFOCUS, it also employs KekSec’s preferred encryption algorithms and shares code signatures with the group, suggesting a possible connection or deliberate obfuscation by the creators. 

 Encryption and decryption algorithms

The bot exploits a Hadoop YARN vulnerability for elevated access, then creates a service to download and execute malicious scripts at system startup, achieving persistence on compromised machines.  

It modifies system startup scripts (/etc/inittab, /etc/profile, /boot/bootcmd) and creates a service (/etc/init.d/mybinary) to download and execute the lol.sh script at login and system startup.

The trojan attempts to identify honeypots by checking for the existence of the `/proc` filesystem. If `/proc` is not found, the trojan exits, indicating it has detected a honeypot and will not proceed with further malicious activity.

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here