Over 300,000! GorillaBot: The New King of DDoS Attacks

Over 300,000! GorillaBot: The New King of DDoS Attacks

September 29, 2024 | NSFOCUS

Overview

In September 2024, NSFOCUS Global Threat Hunting System monitored a new botnet family calling itself Gorilla Botnet entering an unusually active state. Between September 4 and September 27, it issued over 300,000 attack commands, with a shocking attack density.

During this active period, Gorilla Botnet targeted over 100 countries, with China and the U.S. being the hardest hit. Targets included universities, government websites, telecoms, banks, gaming, and gambling sectors.

Gorilla Botnet supports multiple CPU architectures such as ARM, MIPS, x86_64, and x86, and is a modified version of the Mirai source code. It introduced various DDoS attack methods and used encryption algorithms commonly employed by the KekSec group to hide key information, while employing multiple techniques to maintain long-term control over IoT devices and cloud hosts, demonstrating a high level of counter-detection awareness as an emerging botnet family.

Be proactive in your cybersecurity strategy. Contact us to find out how NSFOCUS Anti-DDoS Solution can help!

Impact Scope

NSFOCUS Global Threat Hunting System monitoring data shows that Gorilla Botnet issued over 300,000 DDoS attack commands in September 2024, with a daily peak of over 20,000 commands. From the timing of the attacks, Gorilla Botnet sent out commands continuously over 24 hours, with a relatively even distribution of commands.

Figure 1 Attack commands

Gorilla Botnet’s attack targets included 113 countries, involving over 20,000 targets. Geographically, China suffered the most severe attacks, accounting for 20% of the total, followed by the U.S. (19%), Canada (16%), and Germany (6%).

Figure 2 Victim distribution

Furthermore, monitoring data indicates that Gorilla Botnet initiated multiple attacks against critical infrastructure over the past month, involving over 40 organizations.

In terms of attack methods, Gorilla Botnet tends to use UDP Flood (41%), followed by ACK BYPASS Flood (24%) and VSE Flood (12%).

Due to the limited number of “bots,” using the connectionless UDP protocol allows for arbitrary source IP spoofing to generate relatively high traffic, making UDP flooding attacks particularly favored. In terms of attack implementation, attackers use a large number of self-named DDoS attacks, but still draw from existing attack code.

Figure 3 Attack vectors

Sample Analysis


Core Functionality
This trojan is modified from the Mirai family, supporting architectures like ARM, MIPS, x86_64, and x86. The online package and command parsing module reuse Mirai source code but leave a signature message stating “gorilla botnet is on the device ur not a cat go away,” hence we named this family GorillaBot.

Figure 4 GorrilaBot

GorillaBot has five built-in command and control (C&C) servers; upon running, it randomly selects one to connect to, establishing a connection with the server using the same online process as Mirai, then waits to receive commands.

Figure 5 C&C

Compared to the original Mirai, it has significantly more DDoS attack methods, with a maximum of 19 attack vectors detailed in the table below.

VectorMethod
0attack_udp_generic
1attack_udp_vse
3attack_tcp_syn
4attack_tcp_ack
5attack_tcp_stomp
6attack_gre_ip
7attack_gre_eth
9attack_udp_plain
10attack_tcp_bypass
11attack_udp_bypass
12attack_std
13attack_udp_openvpn
14attack_udp_rape
15attack_wra
16attack_tcp_ovh
17attack_tcp_socket
18attack_udp_discord
19attack_udp_fivem

Encryption and Decryption Algorithms
GorillaBot also uses the encryption algorithms favored by the KekSec group to encrypt key strings. Coupled with the signatures left in the malicious samples and the habit of using “lol.sh” as the propagation script name, it is speculated that this group may be related to KekSec or is using KekSec to conceal its true identity.

Figure 6 Encryption and decryption algorithms

Persistence and Counter-Honeypot
Additionally, unlike conventional Mirai families, GorillaBot has a function specifically written as “yarn_init,” which integrates code to exploit the Hadoop Yarn RPC unauthorized access vulnerability.

Figure 7 Vulnerability exploitation

Installing Hadoop YARN typically requires administrator privileges, giving attackers high permissions after exploiting the related vulnerabilities.

For persistence, the GorillaBot trojan creates a service file named custom.service in the /etc/systemd/system/ directory, configured to run automatically at system startup. The primary purpose of the service is to download a script named lol.sh from the remote address http://pen.gorillafirewall.su/ to the /tmp/ directory, set execution permissions, and execute the script.

Figure 8 Persistence

GorillaBot also adds commands to /etc/inittab, /etc/profile, and /boot/bootcmd to automatically download and execute the lol.sh script upon system startup, user login, or system startup. It creates a script named mybinary in the /etc/init.d/ directory, set to execute at system startup, including actions to download and execute the lol.sh script. It also attempts to add a soft link to mybinary in /etc/rc.d/rc.local or /etc/rc.conf (if not present) for execution at system startup.

Figure 9 Persistence

Through the attacker’s description “/proc filesystem not found. Exiting. gorilla botnet didnt like this honeypot…” it is inferred that the trojan is also attempting to counter honeypots, such as checking whether the /proc filesystem exists on the controlled device to determine if it is a honeypot.

Figure 10 Honeypot identification

IOC

276adc6a55f13a229a5ff482e49f3a0b

63cbfc2c626da269c67506636bb1ea30

7f134c477f307652bb884cafe98b0bf2

3a3be84df2435623132efd1cd9467b17

03a59780b4c5a3c990d0031c959bf7cc

5b37be51ee3d41c07d02795a853b8577

15f6a606ab74b66e1f7e4a01b4a6b2d7