“GorillaBot: Unleashing Global Havoc with Advanced DDoS Tactics and Stealth Persistence”
Analyzing GorillaBot: The New Botnet on the Block and Its Global Impact
In the ever-evolving landscape of cybersecurity threats, a new menace has emerged that has researchers and IT professionals on high alert. Dubbed GorillaBot, this new botnet malware variant is a sinister evolution of the infamous Mirai botnet, whose source code was leaked online, sparking a new wave of cyber threats. According to the latest findings by cybersecurity firm NSFOCUS, GorillaBot has been particularly active, issuing an alarming 300,000 attack commands in just under a month. This staggering number translates to an average of 20,000 commands per day, each designed to cripple systems through distributed denial-of-service (DDoS) attacks.
The scope of GorillaBot’s reach is truly global, with attacks reported in over 100 countries. The targets are as varied as they are critical – universities, government websites, telecoms, banks, and even the gaming and gambling sectors have not been spared. The most affected nations include major global players such as China, the U.S., Canada, and Germany. This widespread impact underscores the botnet’s capabilities and the serious threat it poses to global internet stability and security.
GorillaBot employs a range of techniques to launch its DDoS attacks. These include UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood. The use of UDP flood is particularly concerning due to the protocol’s connectionless nature, which allows for the spoofing of source IP addresses. This makes it possible for attackers to generate massive amounts of traffic anonymously, complicating efforts to trace the attacks back to their origins.
Moreover, GorillaBot is not just versatile in its attack methods; it also supports multiple CPU architectures including ARM, MIPS, x86_64, and x86. This compatibility allows it to infiltrate a wide range of systems, from individual IoT devices to large-scale cloud hosts. Once embedded in a system, GorillaBot connects with one of five predefined command-and-control (C2) servers to receive further instructions for DDoS attacks.
Adding to its sophistication, GorillaBot exploits a known vulnerability in Apache Hadoop YARN RPC for remote code execution—a flaw that has been exploited since as far back as 2021. This capability not only allows the botnet to gain control over systems but also demonstrates its creators’ deep understanding of existing vulnerabilities that can be leveraged for malicious purposes.
Persistence is a key feature of GorillaBot. It achieves this by creating a service file named custom.service in the “/etc/systemd/system/” directory of infected systems. This file is configured to automatically execute at system startup, ensuring that the malware remains active even after the system is rebooted. Additional commands are embedded in other system files like “/etc/inittab,” “/etc/profile,” and “/boot/bootcmd,” which trigger the download and execution of a shell script from a remote server upon system startup or user login.
The implications of such a botnet are deeply concerning. Not only does GorillaBot demonstrate advanced capabilities in launching DDoS attacks, but it also shows a high level of sophistication in maintaining control over infected systems and evading detection. Its use of encryption algorithms commonly employed by the Keksec group to conceal key information further highlights its potential for long-term impact on global cybersecurity.
As we stand witness to this new threat, the need for robust cybersecurity measures has never been more apparent. The emergence of GorillaBot serves as a stark reminder of the ongoing arms race between cybercriminals and defenders—a race that affects us all, from ordinary internet users to large corporations and governments.
