A newly active botnet, dubbed “Gorilla Botnet,” has unleashed a gargantuan wave of cyberattacks this past September, according to the NSFOCUS Global Threat Hunting System.
During a surge in activity from September 4 to September 27, Gorilla Botnet issued more than 300,000 distributed denial-of-service (DDoS) attack commands—an unprecedented level of attack density.
The botnet’s targets spanned over 100 countries, with China and the United States experiencing the brunt of the attacks.
Among the sectors affected were universities, government websites, telecommunications, banks, as well as gaming and gambling industries.
Emerging Threat: A New Twist on the Mirai Source Code
Gorilla Botnet is a modified offshoot of the notorious Mirai botnet. It supports various CPU architectures, including ARM, MIPS, x86, and x86_64, making it adaptable to a wide range of devices. However, unlike its predecessors, Gorilla Botnet employs advanced encryption techniques commonly associated with the KekSec group to obscure key data, ensuring long-term control over compromised IoT devices and cloud hosts.
These adaptations shine a light on the botnet’s sophistication and counter-detection capabilities.
The botnet’s code shows a distinct message that reads, “gorilla botnet is on the device ur not a cat go away” which has given rise to its name, Gorilla Botnet.
Much like Mirai, it employs five built-in command and control (C&C) servers and offers a wide range of DDoS attack vectors—19 in total. Among the most popular methods are UDP Flood (41%), ACK Bypass Flood (24%), and VSE Flood (12%).
Attack Density and Geographical Reach
NSFOCUS says Gorilla’s command issuance peaked at over 20,000 per day, maintaining an almost constant flow of attack traffic over a 24-hour period. Most of the attacks were concentrated in China, which made up 20% of total activity, with the US hot on its heels with (19%). Canada followed with (16%), and Germany (6%).
Gorilla Botnet attacked a whopping 20,000 distinct targets in 113 countries. It has shown a clear preference for using the connectionless UDP protocol, enabling malicious actors to spoof source IP addresses to generate vast amounts of traffic.
Advanced Capabilities and Persistent Presence
Gorilla Botnet displays an alarming level of tenacity. Its code includes functions to exploit vulnerabilities in Hadoop’s YARN Remote Procedure Call (RPC) system, arming the botnet with elevated privileges on compromised systems. Once a system is compromised, Gorilla Botnet uses several tricks to maintain a toehold.
For instance, it creates a service file within the system to download and execute malicious scripts upon startup, and it modifies system startup files to bolster its presence.
It also features code designed to counteract honeypots— commonly used by cybersecurity teams to detect and analyze botnet activity. This indicates a fairly sophisticated level of awareness, helping the botnet to evade security nets and extend its tentacles further.
The Implications for Cybersecurity
With its advanced encryption, persistence mechanisms, and a high level of adaptability across multiple platforms, Gorilla Botnet poses a serious threat to critical infrastructure and vulnerable IoT systems worldwide.
NSFOCUS’s data also highlights the potential risks to various industries and government agencies, underscoring the urgent need for robust cybersecurity measures.
As cyber threats like Gorilla Botnet evolve, it is critical for organizations to adopt comprehensive protection, such as a Web Application Firewall or other anti-DDoS solutions.
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
