Friday, February 7, 2025
HomeBotnetGorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

Published on

SIEM as a Service

Follow Us on Google News

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks against targets in over 100 countries between September 4 and 27. 

The botnet, a modified version of Mirai, supports multiple CPU architectures and employs advanced techniques to maintain long-term control over infected devices. 

It leverages encryption algorithms commonly used by the KekSec group to obscure key information, demonstrating a high level of sophistication and evasive capabilities. 

Gorilla Botnet’s targeting of critical infrastructure sectors such as universities, government websites, telecoms, and banks highlights its potential for significant disruption.

Attack commands

A notorious DDoS botnet launched a significant campaign in September 2024, issuing over 300,000 attack commands daily.

Targeting a diverse range of victims across 113 countries, the botnet primarily employed UDP Flood attacks, exploiting the protocol’s connectionless nature for amplified traffic. 

China, the United States, Canada, and Germany bore the brunt of these attacks, with critical infrastructure organizations being particularly vulnerable.

The botnet’s persistent and indiscriminate targeting, combined with its reliance on proven attack methods, poses a significant threat to online services and infrastructure worldwide.

Victim distribution

The GorillaBot trojan, a variant of the Mirai family, supports multiple architectures, utilizes a signature message to identify itself, and randomly connects to one of its five built-in C&C servers to receive commands. 

Unlike its predecessor, it offers a wider range of DDoS attack methods, including UDP, TCP, GRE, and specialized attacks targeting specific protocols like OpenVPN, Discord, and FiveM.

The analysis by NSFOCUS reveals that GorillaBot employs encryption algorithms preferred by the KekSec group to safeguard critical data strings, while the presence of lol.sh in propagation scripts and code signatures hints at a potential connection to KekSec. 

As a consequence of this, there is a suspicion that GorillaBot is either connected to KekSec or is purposefully employing KekSec’s methods in order to conceal its true origin.

Encryption and decryption algorithms

It exhibits persistence beyond typical Mirai botnets by leveraging the “yarn_init” function to exploit a vulnerability in Hadoop YARN RPC, potentially gaining high privileges. 

To ensure its continued operation, GorillaBot creates a service file for automatic startup and attempts to download and execute a malicious script (“lol.sh”) from various locations at system boot, user login, or through custom scripts. 

It is important to note that the bot identifies and avoids honeypots by checking for the presence of the “/proc” filesystem first.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...

Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats

Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...