A Distributed Denial of Service (DDoS) attack seeks to disrupt the normal operations of a targeted server, service, or network by overwhelming it with excessive internet traffic. This is typically executed through a network of compromised devices, known as a botnet, which inundates the target with numerous requests, thereby consuming its bandwidth and resources.
GorillaBot Emerges as a Dominant Force in DDoS Attacks
In September 2024, NSFocus analysts identified a powerful botnet named GorillaBot, a modified variant of the Mirai malware, which launched an extensive cyber-attack campaign. Over a span of 24 days, GorillaBot executed more than 300,000 DDoS attack commands targeting 113 countries, with the most affected nations being:
- China (20%)
- United States (19%)
- Canada (16%)
- Germany (6%)
GorillaBot is compatible with various major CPU architectures, including ARM, MIPS, x86_64, and x86. The botnet utilized several attack methods, including:
- UDP Flood (41%)
- ACK BYPASS Flood (24%)
- VSE Flood (12%)
Targeted Sectors and Attack Techniques
The Gorilla Botnet specifically targeted sectors such as universities, government websites, telecommunications, banks, and gaming platforms. It employed encryption algorithms associated with the KekSec group to obscure vital information and used multiple techniques to maintain long-term control over IoT devices and cloud hosts.
GorillaBot’s infrastructure includes five built-in command and control (C&C) servers, randomly selected for connections, and boasts 19 different attack vectors, indicating a sophisticated approach according to NSFocus. The botnet exploits the Hadoop Yarn RPC unauthorized access vulnerability through a function called “yarn_init,” which can potentially provide attackers with elevated privileges.
Persistence Mechanisms
To ensure persistence, GorillaBot creates various system files and scripts, including:
- A custom.service file in
/etc/systemd/system/
for automatic startup. - Modifications to
/etc/inittab
and/etc/profile
. - An entry in
/boot/bootcmd
for execution at system boot or user login. - A mybinary script in
/etc/init.d/
with a symbolic link in/etc/rc.d/rc.local
or/etc/rc.conf
.
These methods facilitate the automatic download and execution of a malicious script named ‘lol.sh’ from http[:]//pen.gorillafirewall.su/
.
Advanced Threat Capabilities
GorillaBot also includes anti-honeypot measures to check for the presence of the /proc filesystem, which helps it detect potential security traps. Its use of specific encryption techniques, the naming of the ‘lol.sh’ script, and certain code signatures suggest a possible link to the KekSec group.
Indicators of Compromise (IOCs)
The following IOCs have been identified in relation to GorillaBot:
- 276adc6a55f13a229a5ff482e49f3a0b
- 63cbfc2c626da269c67506636bb1ea30
- 7f134c477f307652bb884cafe98b0bf2
- 3a3be84df2435623132efd1cd9467b17
- 03a59780b4c5a3c990d0031c959bf7cc
- 5b37be51ee3d41c07d02795a853b8577
- 15f6a606ab74b66e1f7e4a01b4a6b2d7