The newly emerged Gorilla Botnet has launched over 300,000 DDoS attacks across 100+ countries from September 4 to 27.
A modified version of Mirai, it supports multiple CPU architectures and uses advanced techniques for long-term control of infected devices.
GorillaBot reigns as DDoS king
The botnet employs encryption algorithms used by the KekSec group to hide key information, showcasing its sophistication and evasiveness.
Gorilla Botnet targets critical infrastructure like universities, government sites, telecoms, and banks, showing its potential for major disruption.
A notorious DDoS botnet launched over 300,000 attacks daily in September 2024, targeting victims in 113 countries using UDP Flood attacks.
China, the U.S., Canada, and Germany were heavily impacted, especially critical infrastructure organizations.
The botnet’s persistent targeting and use of proven methods pose a serious threat to global online services and infrastructure.
The GorillaBot trojan, a variant of Mirai, supports multiple architectures and connects randomly to one of five C&C servers for commands.
It offers a broader range of DDoS attack methods, including UDP, TCP, GRE, and specialized attacks on protocols like OpenVPN, Discord, and FiveM.
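The UDP flood traffic described above shows up on the defender's side as a many-to-one pattern: a large number of sources sending UDP packets at a high aggregate rate toward one target. The following is an added example, not code from NSFOCUS or from the article, that flags that pattern over flow records; the records, the packet-rate threshold and the minimum-source count are all constructed for illustration and would be tuned per network.

```python
"""Rate-based UDP flood detection over flow records.

Added example for illustration; the flow records and thresholds are
constructed assumptions, not data from the article.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float        # epoch seconds (constructed)
    src: str
    dst: str
    proto: str       # "UDP", "TCP", "GRE"
    packets: int


# Constructed sample: 50 distinct sources hammering one target with UDP
# within the same second, plus ordinary background traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow(1000.0, f"198.51.100.{i}", "203.0.113.10", "UDP", 400) for i in range(1, 51)
] + [
    Flow(1000.5, "192.0.2.7", "203.0.113.10", "TCP", 12),   # not UDP, ignored
    Flow(1001.0, "192.0.2.8", "203.0.113.20", "UDP", 30),   # benign rate
    Flow(1002.0, "192.0.2.9", "203.0.113.20", "UDP", 25),   # benign rate
]


def udp_flood_targets(flows, window=1.0, pps_threshold=5000, min_sources=10):
    """Return {dst: (udp_pps, distinct_sources)} for destinations whose UDP
    packet rate in any single window reaches pps_threshold and arrives from
    at least min_sources distinct sources (the many-to-one botnet pattern).
    If a target trips the rule in several windows, the busiest one is kept."""
    buckets: Dict[Tuple[str, int], Dict] = defaultdict(
        lambda: {"packets": 0, "sources": set()}
    )
    for f in flows:
        if f.proto != "UDP":
            continue
        key = (f.dst, int(f.ts // window))       # bucket by target and window
        buckets[key]["packets"] += f.packets
        buckets[key]["sources"].add(f.src)

    hits: Dict[str, Tuple[float, int]] = {}
    for (dst, _), b in buckets.items():
        pps = b["packets"] / window
        if pps >= pps_threshold and len(b["sources"]) >= min_sources:
            prev = hits.get(dst)
            if prev is None or pps > prev[0]:
                hits[dst] = (pps, len(b["sources"]))
    return hits


if __name__ == "__main__":
    for dst, (pps, n) in udp_flood_targets(SAMPLE_FLOWS).items():
        print(f"UDP flood suspected against {dst}: {pps:.0f} pps from {n} sources")
```

Requiring both a high packet rate and many distinct sources keeps a single busy legitimate client (a backup job, a media stream) from tripping the rule; a volumetric flood from a botnet fails neither test.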
NSFOCUS analysis shows that GorillaBot uses encryption favored by the KekSec group to protect data, and the presence of lol.sh in its code suggests a possible link to KekSec.
This raises suspicions that GorillaBot may be connected to KekSec or using its methods to hide its origin.
GorillaBot shows greater persistence than typical Mirai variants: its “yarn_init” function exploits a Hadoop YARN RPC vulnerability to gain high privileges.
To maintain operation, it creates a service file for automatic startup and tries to download a malicious script (“lol.sh”) at boot, user login, or through custom scripts.
Notably, the bot avoids honeypots by checking for the “/proc” filesystem first.