Overview
In September 2024, NSFOCUS Global Threat Hunting System monitored a new botnet family calling itself Gorilla Botnet entering an unusually active state. Between September 4 and September 27, it issued over 300,000 attack commands, with a shocking attack density.
During this active period, Gorilla Botnet targeted over 100 countries, with China and the U.S. being the hardest hit. Targets included universities, government websites, telecoms, banks, gaming, and gambling sectors.
Gorilla Botnet supports multiple CPU architectures such as ARM, MIPS, x86_64, and x86, and is a modified version of the Mirai source code. It introduced various DDoS attack methods and used encryption algorithms commonly employed by the KekSec group to hide key information, while employing multiple techniques to maintain long-term control over IoT devices and cloud hosts, demonstrating a high level of counter-detection awareness as an emerging botnet family.
Be proactive in your cybersecurity strategy. Contact us to find out how NSFOCUS Anti-DDoS Solution can help!
Impact Scope
NSFOCUS Global Threat Hunting System monitoring data shows that Gorilla Botnet issued over 300,000 DDoS attack commands in September 2024, with a daily peak of over 20,000 commands. From the timing of the attacks, Gorilla Botnet sent out commands continuously over 24 hours, with a relatively even distribution of commands.
Gorilla Botnet’s attack targets included 113 countries, involving over 20,000 targets. Geographically, China suffered the most severe attacks, accounting for 20% of the total, followed by the U.S. (19%), Canada (16%), and Germany (6%).
Furthermore, monitoring data indicates that Gorilla Botnet initiated multiple attacks against critical infrastructure over the past month, involving over 40 organizations.
In terms of attack methods, Gorilla Botnet tends to use UDP Flood (41%), followed by ACK BYPASS Flood (24%) and VSE Flood (12%).
Due to the limited number of “bots,” using the connectionless UDP protocol allows for arbitrary source IP spoofing to generate relatively high traffic, making UDP flooding attacks particularly favored. In terms of attack implementation, attackers use a large number of self-named DDoS attacks, but still draw from existing attack code.
Sample Analysis
Core Functionality
This trojan is modified from the Mirai family, supporting architectures like ARM, MIPS, x86_64, and x86. The online package and command parsing module reuse Mirai source code but leave a signature message stating “gorilla botnet is on the device ur not a cat go away,” hence we named this family GorillaBot.
GorillaBot has five built-in command and control (C&C) servers; upon running, it randomly selects one to connect to, establishing a connection with the server using the same online process as Mirai, then waits to receive commands.
Compared to the original Mirai, it has significantly more DDoS attack methods, with a maximum of 19 attack vectors detailed in the table below.
| Vector | Method |
| 0 | attack_udp_generic |
| 1 | attack_udp_vse |
| 3 | attack_tcp_syn |
| 4 | attack_tcp_ack |
| 5 | attack_tcp_stomp |
| 6 | attack_gre_ip |
| 7 | attack_gre_eth |
| 9 | attack_udp_plain |
| 10 | attack_tcp_bypass |
| 11 | attack_udp_bypass |
| 12 | attack_std |
| 13 | attack_udp_openvpn |
| 14 | attack_udp_rape |
| 15 | attack_wra |
| 16 | attack_tcp_ovh |
| 17 | attack_tcp_socket |
| 18 | attack_udp_discord |
| 19 | attack_udp_fivem |
Encryption and Decryption Algorithms
GorillaBot also uses the encryption algorithms favored by the KekSec group to encrypt key strings. Coupled with the signatures left in the malicious samples and the habit of using “lol.sh” as the propagation script name, it is speculated that this group may be related to KekSec or is using KekSec to conceal its true identity.
Persistence and Counter-Honeypot
Additionally, unlike conventional Mirai families, GorillaBot has a function specifically written as “yarn_init,” which integrates code to exploit the Hadoop Yarn RPC unauthorized access vulnerability.
Installing Hadoop YARN typically requires administrator privileges, giving attackers high permissions after exploiting the related vulnerabilities.
For persistence, the GorillaBot trojan creates a service file named custom.service in the /etc/systemd/system/ directory, configured to run automatically at system startup. The primary purpose of the service is to download a script named lol.sh from the remote address http://pen.gorillafirewall.su/ to the /tmp/ directory, set execution permissions, and execute the script.
GorillaBot also adds commands to /etc/inittab, /etc/profile, and /boot/bootcmd to automatically download and execute the lol.sh script upon system startup, user login, or system startup. It creates a script named mybinary in the /etc/init.d/ directory, set to execute at system startup, including actions to download and execute the lol.sh script. It also attempts to add a soft link to mybinary in /etc/rc.d/rc.local or /etc/rc.conf (if not present) for execution at system startup.
Through the attacker’s description “/proc filesystem not found. Exiting. gorilla botnet didnt like this honeypot…” it is inferred that the trojan is also attempting to counter honeypots, such as checking whether the /proc filesystem exists on the controlled device to determine if it is a honeypot.
IOC
276adc6a55f13a229a5ff482e49f3a0b
63cbfc2c626da269c67506636bb1ea30
7f134c477f307652bb884cafe98b0bf2
3a3be84df2435623132efd1cd9467b17
03a59780b4c5a3c990d0031c959bf7cc
5b37be51ee3d41c07d02795a853b8577
15f6a606ab74b66e1f7e4a01b4a6b2d7
