Cyber Security News

GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks against targets in over 100 countries between September 4 and 27. 

The botnet, a modified version of Mirai, supports multiple CPU architectures and employs advanced techniques to maintain long-term control over infected devices. 

It leverages encryption algorithms commonly used by the KekSec group to obscure key information, demonstrating a high level of sophistication and evasive capabilities. 

Gorilla Botnet’s targeting of critical infrastructure sectors such as universities, government websites, telecoms, and banks highlights its potential for significant disruption.

Attack commands

A notorious DDoS botnet launched a significant campaign in September 2024, issuing over 300,000 attack commands daily.

Targeting a diverse range of victims across 113 countries, the botnet primarily employed UDP Flood attacks, exploiting the protocol’s connectionless nature for amplified traffic. 

China, the United States, Canada, and Germany bore the brunt of these attacks, with critical infrastructure organizations being particularly vulnerable.

The botnet’s persistent and indiscriminate targeting, combined with its reliance on proven attack methods, poses a significant threat to online services and infrastructure worldwide.

Victim distribution

The GorillaBot trojan, a variant of the Mirai family, supports multiple architectures, utilizes a signature message to identify itself, and randomly connects to one of its five built-in C&C servers to receive commands. 

Unlike its predecessor, it offers a wider range of DDoS attack methods, including UDP, TCP, GRE, and specialized attacks targeting specific protocols like OpenVPN, Discord, and FiveM.

The analysis by NSFOCUS reveals that GorillaBot employs encryption algorithms preferred by the KekSec group to safeguard critical data strings, while the presence of lol.sh in propagation scripts and code signatures hints at a potential connection to KekSec. 

As a consequence of this, there is a suspicion that GorillaBot is either connected to KekSec or is purposefully employing KekSec’s methods in order to conceal its true origin.

Encryption and decryption algorithms

It exhibits persistence beyond typical Mirai botnets by leveraging the “yarn_init” function to exploit a vulnerability in Hadoop YARN RPC, potentially gaining high privileges. 

To ensure its continued operation, GorillaBot creates a service file for automatic startup and attempts to download and execute a malicious script (“lol.sh”) from various locations at system boot, user login, or through custom scripts. 

It is important to note that the bot identifies and avoids honeypots by checking for the presence of the “/proc” filesystem first.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar

Aman Mishra

Recent Posts

GitLab Security Update, Patch for Critical Vulnerabilities

GitLab announced the release of critical security patches for its Community Edition (CE) and Enterprise…

2 hours ago

BadRAM Attack Breaches AMD Secure VMs with $10 Device

Researchers have uncovered a vulnerability that allows attackers to compromise AMD's Secure Encrypted Virtualization (SEV)…

3 hours ago

Splunk RCE Vulnerability Let Attackers Execute Remote Code

Splunk, the data analysis and monitoring platform, is grappling with a Remote Code Execution (RCE)…

4 hours ago

Europol Shutsdown 27 DDoS Service Provider Platforms

In a major international operation codenamed “PowerOFF,” Europol, collaborating with law enforcement agencies across 15…

5 hours ago

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

19 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

19 hours ago