NSFocus analysts have recently identified a new botnet called “GorillaBot,” which has swiftly established itself as a formidable player in the landscape of Distributed Denial of Service (DDoS) attacks. This botnet, a modified version of the well-known Mirai malware, has launched an unprecedented cyber-attack campaign that has issued over 300,000 commands in just 24 days, affecting a total of 113 countries. The most impacted regions include China (20% of the attacks), the United States (19%), Canada (16%), and Germany (6%). The scale and intensity of this campaign underline the growing sophistication of DDoS threats in today’s cyber landscape.
GorillaBot distinguishes itself by supporting a wide array of CPU architectures, including ARM, MIPS, x86_64, and x86. This versatility allows it to target a variety of devices, significantly broadening its attack surface. The botnet employs several DDoS attack methods, with UDP Flood accounting for 41% of its operations, followed by ACK BYPASS Flood (24%) and VSE Flood (12%). Its ability to effectively utilize these methods demonstrates a well-coordinated approach to overwhelming target systems, which often results in substantial disruption and downtime for affected organizations.
The botnet’s attack strategy includes targeting critical sectors such as universities, government websites, telecommunications, banking, and gaming platforms. GorillaBot utilizes advanced techniques to maintain control over compromised Internet of Things (IoT) devices and cloud hosts. Analysts note that it employs encryption algorithms associated with the KekSec group, enabling it to obscure vital information and enhance its evasion tactics. This level of sophistication not only complicates detection efforts but also indicates a significant evolution in the tactics used by cybercriminals.
To ensure persistence and maximize its impact, GorillaBot implements a range of mechanisms, including creating system files and scripts that facilitate automatic execution upon system startup. This includes a “custom.service” file in /etc/systemd/system/, modifications to essential files like /etc/inittab and /etc/profile, and a “mybinary” script in /etc/init.d/. By leveraging vulnerabilities such as unauthorized access through the “Hadoop Yarn RPC” function, GorillaBot poses a serious threat to the cybersecurity landscape. With its advanced capabilities and extensive attack vectors, GorillaBot is a stark reminder of the evolving and increasingly dangerous nature of cyber threats.