Gorilla Botnet Swings into Action, Wreaks Havoc Worldwide

Threat Group: Gorilla Botnet
Threat Type: Botnet (DDoS attacks)
Exploited Vulnerabilities: IoT device vulnerabilities; Apache Hadoop YARN RPC vulnerability
Malware Used: Modified Mirai variant
Threat Score: High (8.8/10), due to its advanced techniques, cross-platform capabilities, and impact on critical infrastructure.
Last Threat Observation: October 7, 2024, by multiple cybersecurity firms including NSFOCUS and Broadcom.

Overview

The Gorilla Botnet is a new, highly active botnet based on the Mirai malware, which has been responsible for launching over 300,000 Distributed Denial-of-Service (DDoS) attacks in more than 100 countries since September 2024. It primarily targets sectors such as telecommunications, universities, government websites, and gaming industries, with the most affected regions being China, the U.S., Canada, and Germany.

Key Details

  • Delivery Method: Gorilla Botnet spreads through vulnerabilities in IoT devices and by exploiting the Apache Hadoop YARN RPC vulnerability.
  • Target: Universities, telecom providers, gaming sectors, banks, and government websites.
  • Functions:
    • Supports multiple CPU architectures including ARM, MIPS, x86_64, and x86.
    • Connects to predefined command-and-control (C2) servers to execute DDoS commands.
    • Uses a variety of attack methods including UDP flood, SYN flood, and ACK flood.
  • Obfuscation: Uses encryption techniques from the Keksec group to evade detection.

Attack Vectors

The Gorilla Botnet utilizes several sophisticated techniques to perform its attacks:

  • DDoS Techniques: The botnet uses UDP flood, SYN flood, ACK flood, and Valve Source Engine (VSE) flood attacks to overwhelm targets.
  • Exploitation of Vulnerabilities: It exploits the Apache Hadoop YARN RPC vulnerability to gain remote code execution on targeted systems.
  • Persistence: The botnet establishes persistence by creating service files in critical directories, ensuring it restarts with system reboots.

Known Indicators of Compromise (IoCs)

  • File Hashes (MD5):
  • IP Addresses:
    • 45[.]202[.]35[.]64
  • Domains:
    • pen.gorillafirewall[.]su

Mitigation and Prevention

  • User Awareness: Educate users on the risks associated with IoT devices and best practices for securing them.
  • Email Filtering: Implement strict filtering rules to block emails that might contain malicious attachments or links.
  • Antivirus Protection: Use robust antivirus software capable of detecting Mirai-based threats.
  • Two-Factor Authentication (2FA): Apply 2FA across all systems to prevent unauthorized access.
  • Monitor Logs: Continuously monitor network traffic for unusual patterns indicative of DDoS activity.
  • Regular Updates: Ensure that all devices, especially IoT hardware, receive firmware updates to patch known vulnerabilities.
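The "Monitor Logs" item above is the natural place for a concrete check. The following Python is an added example, not code from this advisory or from NSFOCUS or Broadcom: it reads constructed flow records in an assumed `ts src dst proto flags pkts` format, counts SYN, ACK and UDP packets per destination per one-second window to flag the flood types named under Attack Vectors, and flags any flow whose destination matches the IP or domain listed under IoCs (useful for spotting an infected IoT device inside your own network). The thresholds are illustrative assumptions, not values from the advisory.

```python
"""Flag flood-like traffic and contacts with the advisory's C2 indicators."""
from collections import defaultdict

# Indicators quoted in the advisory, with the defanging brackets removed.
C2_INDICATORS = {"45.202.35.64", "pen.gorillafirewall.su"}

# Flood types named under Attack Vectors, keyed on (protocol, TCP flags); "-" = no flags.
FLOOD_KINDS = {("tcp", "S"): "SYN flood", ("tcp", "A"): "ACK flood",
               ("udp", "-"): "UDP flood"}

def parse_flow(line):
    """Parse one constructed flow record: 'ts src dst proto flags pkts'."""
    ts, src, dst, proto, flags, pkts = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto, "flags": flags, "pkts": int(pkts)}

def detect(lines, pps_threshold=5000, min_sources=20, window=1):
    """Return alert strings for floods and C2 contacts; thresholds are assumptions."""
    # Flood: >= pps_threshold pkts of one kind to one dst from >= min_sources srcs per window.
    alerts = []
    buckets = defaultdict(lambda: [0, set()])  # (bucket, dst, kind) -> [pkts, srcs]
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in C2_INDICATORS:
            alerts.append(f"C2 contact: {f['src']} -> {f['dst']}")
        kind = FLOOD_KINDS.get((f["proto"], f["flags"]))
        if kind:
            key = (f["ts"] // window, f["dst"], kind)
            buckets[key][0] += f["pkts"]
            buckets[key][1].add(f["src"])
    for (bucket, dst, kind), (pkts, srcs) in sorted(buckets.items()):
        if pkts >= pps_threshold and len(srcs) >= min_sources:
            alerts.append(f"{kind} toward {dst}: {pkts} pkts from "
                          f"{len(srcs)} sources in window {bucket}")
    return alerts

# Constructed sample: 25 spoofed sources SYN-flooding one host in the same
# second, an internal device reaching the listed C2 IP, and one benign flow.
SAMPLE = [f"100 198.51.100.{i} 203.0.113.10 tcp S 300" for i in range(1, 26)]
SAMPLE += ["100 192.0.2.7 45.202.35.64 tcp A 4",
           "101 192.0.2.8 203.0.113.10 tcp A 2"]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Real deployments would feed NetFlow/IPFIX or packet-capture summaries in place of the constructed records and tune the thresholds to the link's normal rate.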

Podcast Discussion

Listen to our latest podcast episode where we discuss the implications of the Gorilla Botnet, its attack strategies, and expert advice on mitigating such threats. [Podcast Link Placeholder]

Conclusion

The Gorilla Botnet represents a significant threat to global cybersecurity due to its ability to execute massive DDoS attacks and its use of advanced obfuscation techniques. Organizations must prioritize securing their IoT devices and adopt a proactive approach to detect and prevent such attacks.

Sources