GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks against targets in over 100 countries between September 4 and 27. 

The botnet, a modified version of Mirai, supports multiple CPU architectures and employs advanced techniques to maintain long-term control over infected devices. 

It leverages encryption algorithms commonly used by the KekSec group to obscure key information, demonstrating a high level of sophistication and evasive capabilities. 

Gorilla Botnet’s targeting of critical infrastructure sectors such as universities, government websites, telecoms, and banks highlights its potential for significant disruption.

Attack commands

A notorious DDoS botnet launched a significant campaign in September 2024, issuing over 300,000 attack commands daily.

Targeting a diverse range of victims across 113 countries, the botnet primarily employed UDP Flood attacks, exploiting the protocol’s connectionless nature for amplified traffic. 

China, the United States, Canada, and Germany bore the brunt of these attacks, with critical infrastructure organizations being particularly vulnerable.

The botnet’s persistent and indiscriminate targeting, combined with its reliance on proven attack methods, poses a significant threat to online services and infrastructure worldwide.

Victim distribution

The GorillaBot trojan, a variant of the Mirai family, supports multiple architectures, utilizes a signature message to identify itself, and randomly connects to one of its five built-in C&C servers to receive commands. 

Unlike its predecessor, it offers a wider range of DDoS attack methods, including UDP, TCP, GRE, and specialized attacks targeting specific protocols like OpenVPN, Discord, and FiveM.

The analysis by NSFOCUS reveals that GorillaBot employs encryption algorithms preferred by the KekSec group to safeguard critical data strings, while the presence of lol.sh in propagation scripts and code signatures hints at a potential connection to KekSec. 

As a consequence of this, there is a suspicion that GorillaBot is either connected to KekSec or is purposefully employing KekSec’s methods in order to conceal its true origin.

Encryption and decryption algorithms

It exhibits persistence beyond typical Mirai botnets by leveraging the “yarn_init” function to exploit a vulnerability in Hadoop YARN RPC, potentially gaining high privileges. 

To ensure its continued operation, GorillaBot creates a service file for automatic startup and attempts to download and execute a malicious script (“lol.sh”) from various locations at system boot, user login, or through custom scripts. 

It is important to note that the bot identifies and avoids honeypots by checking for the presence of the “/proc” filesystem first.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

15 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago