A new cyber threat known as GorillaBot has affected universities, banks, and governments worldwide, causing a wave of Distributed Denial of Service (DDoS) attacks.
A group of researchers from the cybersecurity company NSFOCUS has identified a dangerous variant of the Mirai botnet called GorillaBot, which has launched over 300,000 DDoS attacks in a three-week period, affecting 100 countries. Between September 4 and 27, 2024, the botnet issued an average of 20,000 attack commands daily, successfully saturating the systems of government organizations, universities, telecommunications providers, banks, and gaming and gambling platforms.
The attacks, which have hit China, the United States, Canada, and Germany particularly hard, have focused on generating immense amounts of data traffic to overload and paralyze the services of their victims. According to NSFOCUS experts, the Gorilla botnet employs various attack techniques such as UDP flooding, ACK BYPASS, Valve Source Engine (VSE), SYN, and ACK, allowing it to launch massive and highly destructive attacks.
The GorillaBot botnet is notable not only for the scale of its attacks but also for its sophistication. Gorilla’s structure supports multiple CPU architectures like ARM, MIPS, x86_64, and x86, enabling it to infect a wide range of devices, including IoT devices and cloud servers. Once a device is compromised, the botnet connects to one of its five predefined command and control (C2) servers, from where it receives orders to initiate DDoS attacks.
Furthermore, the malware takes advantage of the connectionless design of the UDP protocol to spoof source IP addresses, generating high volumes of malicious traffic that are difficult to detect and block. NSFOCUS has pointed out that this connectionless nature is crucial in GorillaBot attacks, as it allows attackers to forge source IP addresses and overwhelm the victims' networks.
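The spoofed UDP flooding described above leaves a recognisable footprint in flow telemetry: one destination receives a very high packet rate from an unusually large number of source addresses that each send a single packet and never reappear. The following detector is an added illustration for this article, not code from NSFOCUS or from the GorillaBot analysis; the flow records are constructed here rather than taken from a real capture, and the thresholds are assumptions tuned to that sample.

```python
"""Flag volumetric UDP floods with spoofed sources in flow records.

Added example; not code from NSFOCUS or the GorillaBot report. Flow
records and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the observation window
    src: str
    dst: str
    proto: str     # "UDP" or "TCP"
    dport: int
    packets: int


def build_sample_flows():
    """Constructed one-second window: normal DNS, one TCP session, one flood."""
    flows = []
    # Legitimate DNS queries: a few clients, several packets each.
    for i in range(5):
        flows.append(Flow(0.1 * i, f"192.0.2.{20 + i}", "192.0.2.53", "UDP", 53, 4))
    # Legitimate TCP traffic to the victim; must not count towards the UDP score.
    flows.append(Flow(0.2, "192.0.2.30", "192.0.2.10", "TCP", 443, 40))
    # Flood: 300 single-packet UDP flows to the victim, each from a source
    # address that never repeats (the signature of forged source IPs).
    for i in range(300):
        src = f"10.{i // 256}.{i % 256}.7"  # constructed, non-routable spoofed sources
        flows.append(Flow(i / 300.0, src, "192.0.2.10", "UDP", 80, 1))
    return flows


def udp_flood_score(flows, window_s=1.0):
    """Per destination: (UDP packets per second, distinct sources, single-packet flow ratio)."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    single = defaultdict(int)
    nflows = defaultdict(int)
    for f in flows:
        if f.proto != "UDP":
            continue
        pkts[f.dst] += f.packets
        srcs[f.dst].add(f.src)
        nflows[f.dst] += 1
        if f.packets == 1:
            single[f.dst] += 1
    return {
        dst: (pkts[dst] / window_s, len(srcs[dst]), single[dst] / nflows[dst])
        for dst in pkts
    }


def flag_udp_floods(flows, pps_threshold=200.0, src_threshold=100, single_ratio=0.9):
    """Return destinations whose UDP profile matches a spoofed flood.

    All three conditions must hold: high packet rate, many distinct sources,
    and almost every flow consisting of exactly one packet. Requiring all
    three keeps a busy but legitimate DNS resolver from being flagged.
    """
    flagged = []
    for dst, (pps, nsrc, ratio) in udp_flood_score(flows).items():
        if pps >= pps_threshold and nsrc >= src_threshold and ratio >= single_ratio:
            flagged.append(dst)
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample_flows()
    for dst, score in udp_flood_score(sample).items():
        print(dst, score)
    print("flagged:", flag_udp_floods(sample))
```

In production the same three signals would be computed over a sliding window from NetFlow, IPFIX or VPC flow logs; the single-packet ratio is the cheapest discriminator against spoofing, because a forged source address cannot complete any exchange with the victim.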
One of the most concerning aspects of this botnet is its ability to exploit a vulnerability in Apache Hadoop YARN RPC, allowing it to execute code remotely on compromised systems. This vulnerability, which has been maliciously exploited since 2021, enables attackers to take control of Hadoop servers and expand the scope of their attacks.
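Exposed Hadoop clusters that accept unauthenticated RPC or REST requests are the usual way such YARN abuse becomes remote code execution, so a first defensive check is whether the cluster's core-site.xml still runs with the insecure defaults. The audit below is an added example, not code from the article, NSFOCUS or the Hadoop project; it reads the standard Hadoop property format and compares the two well-known security switches (`hadoop.security.authentication`, default `simple`, and `hadoop.security.authorization`, default `false`) against hardened values. The two sample configurations are constructed.

```python
"""Audit a Hadoop core-site.xml for insecure authentication defaults.

Added example; not from the article or the Hadoop project. Sample XML
documents are constructed. Expected values follow standard Hadoop
security guidance (Kerberos authentication, service-level authorization).
"""
import xml.etree.ElementTree as ET

# Hardened values and Hadoop's own defaults when the property is absent.
EXPECTED = {
    "hadoop.security.authentication": "kerberos",
    "hadoop.security.authorization": "true",
}
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
}

# Constructed: a cluster left on the defaults (effectively unauthenticated).
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://namenode.example.internal:8020</value>
  </property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>simple</value>
  </property>
</configuration>
"""

# Constructed: the same cluster with Kerberos and authorization enabled.
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>
</configuration>
"""


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop <configuration><property> document."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def audit_core_site(text):
    """List security properties that are missing or weaker than EXPECTED.

    A missing property is evaluated at Hadoop's default, which is the
    insecure setting for both switches checked here.
    """
    props = parse_hadoop_xml(text)
    findings = []
    for key, want in EXPECTED.items():
        have = props.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append(f"{key}={have} (expected {want})")
    return findings


if __name__ == "__main__":
    print("weak:", audit_core_site(WEAK_CORE_SITE))
    print("hardened:", audit_core_site(HARDENED_CORE_SITE))
```

Run it against the cluster's real `$HADOOP_CONF_DIR/core-site.xml`; an empty result only means these two switches are set, so network exposure of the ResourceManager ports and patch level still need separate checks.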
The high level of sophistication and resistance to detection demonstrated by GorillaBot has raised alarms among researchers. The botnet has implemented various methods to evade detection, including the use of encryption algorithms commonly employed by the Keksec group, enabling it to hide critical information and maintain control over infected devices for extended periods.
The cybersecurity landscape faces the growing sophistication of botnets like GorillaBot and the ease with which they can exploit known vulnerabilities to launch massive attacks. Security experts warn that the proliferation of IoT devices and the expansion of cloud services have increased the number of attack vectors available to cybercriminals.
The threat of GorillaBot underscores the need for organizations to strengthen their defenses, implement advanced detection solutions, and keep their systems up to date to prevent the exploitation of vulnerabilities like the one in Apache Hadoop YARN RPC. Meanwhile, DDoS attacks continue to be one of the most destructive forms of cybercrime, impacting businesses and public services worldwide.
The cybersecurity community will continue to monitor the behavior of GorillaBot and other malicious actors to prevent future waves of attacks.
Source: Open Security.