GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks against targets in over 100 countries between September 4 and 27. 

The botnet, a modified version of Mirai, supports multiple CPU architectures and employs advanced techniques to maintain long-term control over infected devices. 

It leverages encryption algorithms commonly used by the KekSec group to obscure key information, demonstrating a high level of sophistication and evasive capabilities. 

Gorilla Botnet’s targeting of critical infrastructure sectors such as universities, government websites, telecoms, and banks highlights its potential for significant disruption.

A notorious DDoS botnet launched a significant campaign in September 2024, issuing over 300,000 attack commands daily.

Targeting a diverse range of victims across 113 countries, the botnet primarily employed UDP Flood attacks, exploiting the protocol’s connectionless nature for amplified traffic. 

China, the United States, Canada, and Germany bore the brunt of these attacks, with critical infrastructure organizations being particularly vulnerable.

The botnet’s persistent and indiscriminate targeting, combined with its reliance on proven attack methods, poses a significant threat to online services and infrastructure worldwide.

The GorillaBot trojan, a variant of the Mirai family, supports multiple architectures, utilizes a signature message to identify itself, and randomly connects to one of its five built-in C&C servers to receive commands. 

Unlike its predecessor, it offers a wider range of DDoS attack methods, including UDP, TCP, GRE, and specialized attacks targeting specific protocols like OpenVPN, Discord, and FiveM.

The analysis by NSFOCUS reveals that GorillaBot employs encryption algorithms preferred by the KekSec group to safeguard critical data strings, while the presence of lol.sh in propagation scripts and code signatures hints at a potential connection to KekSec. 

As a consequence of this, there is a suspicion that GorillaBot is either connected to KekSec or is purposefully employing KekSec’s methods in order to conceal its true origin.

It exhibits persistence beyond typical Mirai botnets by leveraging the “yarn_init” function to exploit a vulnerability in Hadoop YARN RPC, potentially gaining high privileges. 

To ensure its continued operation, GorillaBot creates a service file for automatic startup and attempts to download and execute a malicious script (“lol.sh”) from various locations at system boot, user login, or through custom scripts. 

It is important to note that the bot identifies and avoids honeypots by checking for the presence of the “/proc” filesystem first.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar