GorillaBot

| Field | Value |
|---|---|
| Type of Malware | Botnet |
| Targeted Countries | China |
| Date of Initial Activity | 2024 |
| Additional Names | Gorilla Botnet |
| Motivation | Cyberwarfare |
| Attack Vectors | Web Browsing |
| Targeted Systems | Linux |
Overview
In the ever-evolving landscape of cybercrime, new and increasingly sophisticated malware families regularly emerge, posing unprecedented threats to organizations across the globe. One such threat is GorillaBot, a botnet malware discovered in September 2024 that has quickly gained notoriety for its potent and high-volume Distributed Denial of Service (DDoS) attacks. Designed as a modified variant of the infamous Mirai botnet, GorillaBot is a formidable force, capable of targeting a wide range of infrastructures and services, from universities and government websites to telecoms and banks. Within a span of just a few weeks, GorillaBot orchestrated over 300,000 DDoS attack commands, affecting more than 20,000 targets across 113 countries.
What sets GorillaBot apart from its predecessors is its technological advancements and adaptability. While it retains the foundational code of Mirai, it introduces a wealth of new attack methods and exploits that make it a significantly more dangerous adversary. Supporting a variety of CPU architectures, including ARM, MIPS, x86_64, and x86, GorillaBot is able to infect a broader range of devices, from Internet of Things (IoT) gadgets to cloud hosts. Its ability to use sophisticated encryption algorithms, often linked to the KekSec group, allows it to obscure critical information, evading detection and making it harder to counter. This heightened level of sophistication marks a turning point in the evolution of botnets and poses a significant challenge to cybersecurity defenses worldwide.
Targets
- Information
- Public Administration
How they operate
One of the key technical features of GorillaBot is its multi-architecture support, which allows it to infect a wide range of devices, including those running on ARM, MIPS, x86_64, and x86 architectures. This versatility ensures that GorillaBot can target various Internet of Things (IoT) devices and cloud hosts, which are often less secure and more susceptible to exploitation. By leveraging the vulnerabilities in these diverse devices, GorillaBot can establish a large-scale botnet, making it capable of launching high-volume attacks without needing to rely on any single device or network.
Once installed on a device, GorillaBot connects to one of its command and control (C&C) servers—it has five built-in C&C servers and picks one at random. This randomness adds a layer of resilience to the botnet, because defenders cannot disrupt it by taking down a single C&C server. GorillaBot uses a check-in (online) procedure similar to Mirai's to establish communication with its C&C server. Once connected, the bot awaits further instructions, receiving commands that direct it to carry out various types of attacks, including UDP flooding, ACK BYPASS flooding, and VSE flooding. These attack methods overwhelm target systems with traffic, exploiting weaknesses in network protocols to cause server outages or slowdowns.
The attack vectors employed by GorillaBot are varied and sophisticated. The malware’s core functionality includes a list of 19 different attack methods, ranging from generic UDP flooding to more targeted attack strategies, such as TCP SYN flooding and UDP Discord flooding. These attack methods make GorillaBot highly versatile in how it conducts DDoS attacks. Notably, UDP flooding is particularly favored due to its ability to spoof source IP addresses, making it difficult for victims to trace the origin of the attack. This connectionless attack method allows GorillaBot to generate high volumes of traffic even with a relatively small botnet, significantly amplifying the damage caused by its attacks.
What makes GorillaBot especially dangerous is its stealth capability. The malware uses advanced encryption algorithms that are typically associated with the KekSec group. This encryption keeps crucial data within the botnet’s code, such as command instructions and communication protocols, hidden from detection tools, and it complicates efforts to reverse-engineer the malware or analyze its network traffic. At the same time, GorillaBot’s use of signature strings such as “gorilla botnet is on the device ur not a cat go away” marks its presence on infected systems, which makes it easier for researchers to distinguish it from other botnets.
GorillaBot also incorporates persistence mechanisms that allow it to maintain long-term control over compromised devices. Unlike traditional Mirai variants, GorillaBot includes a function named yarn_init, which exploits vulnerabilities in the Hadoop YARN RPC protocol. This vulnerability lets the botnet gain unauthorized access to affected hosts and gives the attacker persistent control over them. Through this exploitation, GorillaBot keeps infected devices under its control even if the initial compromise is detected and mitigated.
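As an added defender-side example (not code from the original write-up or from any GorillaBot analysis tooling), the script below ties together three observable traits the text describes: the multi-architecture ELF payloads (ARM, MIPS, x86_64, x86), the plaintext signature string, and the yarn_init function name. It reads the ELF e_machine field to report the target architecture and flags a sample that carries either indicator. The sample binary is constructed inline for the test and is assumed to embed both strings unobfuscated; real samples may encrypt them, as the text notes.

```python
import struct

# Signature string quoted in the write-up; assumed to appear as plain ASCII in the sample.
GORILLA_SIGNATURE = b"gorilla botnet is on the device ur not a cat go away"
# Function name the write-up associates with the Hadoop YARN RPC routine.
YARN_INIT_SYMBOL = b"yarn_init"

# ELF e_machine values for the architectures the write-up lists (plus AArch64 for completeness).
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86_64", 0xB7: "AArch64"}


def elf_architecture(data: bytes):
    """Return the ELF machine name, or None if the data does not start with an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    # e_ident[EI_DATA] == 1 means little-endian, 2 means big-endian (common on MIPS).
    endian = "<" if data[5] == 1 else ">"
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    return ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")


def scan_sample(data: bytes) -> dict:
    """Report architecture and which GorillaBot string indicators appear in the sample."""
    indicators = []
    if GORILLA_SIGNATURE in data:
        indicators.append("gorilla_signature_string")
    if YARN_INIT_SYMBOL in data:
        indicators.append("yarn_init_symbol")
    return {
        "arch": elf_architecture(data),
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


def build_constructed_sample(e_machine: int, payload: bytes) -> bytes:
    """Constructed test data: a minimal ELF32 little-endian header followed by payload bytes."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # class=32-bit, data=LE, version=1
    header = e_ident + struct.pack("<HH", 2, e_machine)          # e_type=EXEC, e_machine
    return header + payload


if __name__ == "__main__":
    sample = build_constructed_sample(0x28, GORILLA_SIGNATURE + b"\x00" + YARN_INIT_SYMBOL)
    print(scan_sample(sample))
```

Run against a directory of suspected binaries, a non-empty `indicators` list is a cue to pull the sample into deeper analysis; an empty list is not a clean bill of health, since the strings may be encrypted at rest.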
In conclusion, GorillaBot’s technical design represents a major shift in the functionality of botnet malware. Its multi-architecture support, diverse attack vectors, encryption techniques, and persistent control mechanisms make it a formidable threat. As cybercriminals continue to refine and evolve their strategies, GorillaBot highlights the growing complexity and sophistication of modern cyberattacks. For organizations seeking to defend against such threats, it is crucial to implement proactive security measures that address both detection and mitigation strategies, ensuring they are prepared for the next wave of advanced malware like GorillaBot.