New Gorilla Botnet Unleashes Over 300,000 DDoS Attacks Across 100 Countries
Cybersecurity is facing a new menace, and its name is Gorilla—otherwise known as GorillaBot. This botnet, a variant of the notorious Mirai botnet, has unleashed a torrent of Distributed Denial-of-Service (DDoS) attacks, surpassing 300,000 assaults across 100 countries within just a few weeks. According to cybersecurity firm NSFOCUS, this relentless wave of attacks occurred between September 4 and September 27, 2024, creating global havoc.
The Extent of the Gorilla Botnet’s Reach
In just under a month, the Gorilla botnet has issued an average of 20,000 DDoS attack commands per day. Countries like the U.S., China, Canada, and Germany have emerged as its primary targets, with a wide range of sectors—universities, telecom providers, banks, and even the gaming and gambling industries—being hit. What makes this even more alarming is the scale at which these attacks are happening.
The botnet primarily uses several attack vectors: UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood. Each is designed to overwhelm the targeted systems with traffic, making it difficult, if not impossible, for them to function normally. Of particular concern is the UDP flood, which exploits the connectionless nature of the UDP protocol (no handshake is required, so source IP addresses can be spoofed freely) to generate an overwhelming amount of traffic.
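The spoofing described above leaves a signature a defender can look for: a burst of UDP packets toward one destination arriving from an unusually large number of distinct source addresses. The following detector is an added example written for this article, not code from NSFOCUS or from the botnet report; the flow-record format (timestamp, protocol, source, destination, port, packet count), the thresholds and the sample records are all assumptions constructed for the demonstration.

```python
"""Detect UDP flood patterns in flow records.

Added example; not from the article or the NSFOCUS report. The record
format is an assumption: (timestamp_seconds, protocol, src_ip, dst_ip,
dst_port, packets). The flows below are constructed for the demo.
"""
from collections import defaultdict


def make_sample_flows():
    """Return constructed flow records: a little benign DNS traffic, one busy
    TCP session, and a one-second UDP burst from 200 distinct sources."""
    flows = []
    # Benign: five internal clients each sending a few DNS queries.
    for i in range(5):
        flows.append((1000, "UDP", f"10.1.0.{i + 1}", "10.0.0.5", 53, 3))
    # Benign: a single busy TCP session (must be ignored by a UDP detector).
    flows.append((1001, "TCP", "10.1.0.9", "10.0.0.20", 443, 5000))
    # Flood-like: 200 distinct sources (constructed, TEST-NET-3 range) hitting
    # one host on one port within the same second, 10 packets each.
    for i in range(200):
        flows.append((1001, "UDP", f"203.0.113.{i + 1}", "10.0.0.20", 80, 10))
    return flows


def detect_udp_flood(flows, window_seconds=1, packet_threshold=1000,
                     source_threshold=50):
    """Group UDP flows by (destination IP, destination port, time window) and
    flag windows where the packet count exceeds packet_threshold AND the
    number of distinct source addresses exceeds source_threshold.

    The second condition separates a spoofed flood from a single chatty
    client: spoofed floods scatter across many source addresses. The
    thresholds are assumptions; tune them to the monitored network's baseline.
    """
    packets = defaultdict(int)
    sources = defaultdict(set)
    for ts, proto, src, dst, dport, pkts in flows:
        if proto != "UDP":
            continue
        key = (dst, dport, ts // window_seconds)
        packets[key] += pkts
        sources[key].add(src)

    alerts = []
    for key in sorted(packets):
        dst, dport, win = key
        if packets[key] > packet_threshold and len(sources[key]) > source_threshold:
            alerts.append({
                "dst": dst,
                "dport": dport,
                "window_start": win * window_seconds,
                "packets": packets[key],
                "distinct_sources": len(sources[key]),
            })
    return alerts


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_udp_flood(make_sample_flows())


if __name__ == "__main__":
    for alert in run_demo():
        print(f"UDP flood suspected: {alert['dst']}:{alert['dport']} "
              f"t={alert['window_start']} packets={alert['packets']} "
              f"sources={alert['distinct_sources']}")
```

Feeding real NetFlow or sFlow exports into `detect_udp_flood` only requires mapping each record to the tuple shape above; the distinct-source condition is what keeps a legitimately busy server (many packets, few sources) from being flagged.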
A Highly Sophisticated Malware
Beyond its sheer volume, what sets the Gorilla botnet apart is its sophistication. The botnet is designed to work across multiple CPU architectures, including ARM, MIPS, x86_64, and x86, allowing it to infiltrate a wide array of devices. Once the malware infects a system, it connects to one of five predefined command-and-control (C2) servers to receive new DDoS commands.
Additionally, the malware exploits a known vulnerability in Apache Hadoop YARN RPC, a flaw that has been abused in the wild since 2021. Through this flaw, the Gorilla botnet achieves remote code execution on the devices it targets, which gives it the ability to maintain long-term control over these systems. Persistence is ensured by creating service files that automatically execute a shell script whenever the system starts up or a user logs in.
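The persistence mechanism just described, a service file whose start command runs a shell script, is something an administrator can audit for directly. The script below is an added example written for this article, not code from NSFOCUS, the report or the malware: it walks a directory of systemd unit files and flags `ExecStart` commands that invoke a shell script or reference temporary, hidden or home directories. The heuristics, the directory list and the two sample unit files are assumptions constructed for the demonstration; a real triage would also review timers, cron entries and login hooks, which this example does not cover.

```python
"""Audit systemd unit files for shell-script persistence.

Added example; not from the article or the NSFOCUS report. The heuristics,
the directory list and the sample unit files are constructed assumptions.
"""
import os
import re
import tempfile
import textwrap

# Shell interpreters whose appearance in ExecStart is worth a second look.
SHELLS = {"sh", "bash", "dash", "ash"}
# Locations a legitimate service rarely runs from (heuristic assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/.", "/home/")

# Matches an ExecStart= line, skipping systemd's optional prefix characters.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(.*)$", re.MULTILINE)


def audit_unit_file(path):
    """Return a list of findings for one .service file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for match in EXEC_RE.finditer(text):
        cmd = match.group(1).strip()
        tokens = cmd.split()
        if not tokens:
            continue
        program = os.path.basename(tokens[0])
        reasons = []
        if program in SHELLS or any(t.endswith(".sh") for t in tokens):
            reasons.append("invokes a shell script")
        if any(d in t for t in tokens for d in SUSPICIOUS_DIRS):
            reasons.append("references a temporary, hidden or home directory")
        if reasons:
            findings.append({"unit": os.path.basename(path),
                             "exec": cmd, "reasons": reasons})
    return findings


def audit_unit_dir(directory):
    """Audit every *.service file in a directory (e.g. /etc/systemd/system)."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".service"):
            findings.extend(audit_unit_file(os.path.join(directory, name)))
    return findings


def build_sample_units():
    """Write two constructed unit files to a temp dir and return its path:
    a normal-looking sshd unit and one that mimics the persistence pattern."""
    directory = tempfile.mkdtemp(prefix="unit-audit-")
    units = {
        "sshd.service": """
            [Unit]
            Description=OpenSSH server daemon
            [Service]
            ExecStart=/usr/sbin/sshd -D
            [Install]
            WantedBy=multi-user.target
        """,
        # Constructed sample: a shell script launched from a hidden temp dir.
        "update-check.service": """
            [Unit]
            Description=System update check
            [Service]
            ExecStart=/bin/sh /tmp/.cache/run.sh
            Restart=always
            [Install]
            WantedBy=multi-user.target
        """,
    }
    for name, body in units.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(textwrap.dedent(body).lstrip())
    return directory


if __name__ == "__main__":
    for finding in audit_unit_dir(build_sample_units()):
        print(f"{finding['unit']}: {finding['exec']}  "
              f"<- {', '.join(finding['reasons'])}")
```

Pointing `audit_unit_dir` at `/etc/systemd/system` or `~/.config/systemd/user` on a live host gives a quick triage list; every finding still needs a human to confirm whether the script is legitimate, since the heuristics deliberately favour false positives over misses.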
Counter-Detection Strategies
What’s truly worrying about Gorilla is how well it evades detection. According to NSFOCUS, the botnet employs encryption techniques to obscure key information, making it difficult for cybersecurity professionals to detect and neutralize the malware. It also borrows encryption methods from the Keksec group, a notorious collective known for developing malware aimed at IoT devices and cloud systems. The combination of these strategies allows the Gorilla botnet to maintain control over infected devices for extended periods without being detected.
Why You Should Care
The Gorilla botnet’s rapid expansion and its ability to carry out large-scale DDoS attacks across such a wide range of sectors make it a formidable threat to businesses, governments, and individuals alike. As IoT devices become increasingly common in homes and industries, the risk of botnet-driven attacks continues to grow. For organizations, especially those in the targeted sectors, taking immediate steps to strengthen cybersecurity defenses is crucial to mitigating these kinds of attacks.
The emergence of the Gorilla botnet is a stark reminder that cyber threats are evolving, becoming more aggressive and sophisticated. Whether you're an individual managing IoT devices at home or an enterprise running critical infrastructure, staying ahead of these threats requires constant vigilance and proactive cybersecurity measures. With botnets like Gorilla in the wild, now is not the time to be complacent.
Organizations should work closely with cybersecurity firms and stay updated on the latest vulnerabilities and threats to protect their networks.