Having launched over 300K DDoS attacks, with more than 20K happening each day, Gorilla Botnet is a serious cyber threat,
Known as Gorilla or GorillaBot, this botnet is a dangerous evolution of the Mirai botnet, built using its leaked source code.
The DDoS botnet has struck multiple sectors, including telecommunications, government services, financial institutions, and educational platforms, causing significant disruption.
With attacks reported in over 100 countries, including China, the U.S., Canada, and Germany, the widespread impact of Gorilla highlights the urgent need for better security measures to fight this ongoing threat.
Inside the Gorilla Botnet: The DDoS Tactics Powering Its Attacks
The Gorilla botnetoperates by infiltrating vulnerable IoT devices and servers. It scans for known weaknesses in software and firmware, taking advantage of these flaws to compromise systems. Once a device is breached, it establishes a connection to one of its command-and-control (C2) servers, enabling Gorilla to coordinate large-scale attacks remotely.
After connecting to the C2 server, Gorilla springs into action, launching a series of distributed denial-of-service (DDoS) attacks. Utilizing various methods like UDP Flood, SYN Flood and ACK Flood the botnet overwhelms the target’s network with an excessive amount of traffic. This constant wave of data can cripple services, rendering websites and applications inoperable.
To stay active on infected systems, Gorilla uses various techniques to ensure it keeps control. It creates a service file named custom.service in the /etc/systemd/system/ directory, which automatically runs at system startup. Additionally, Gorilla modifies critical system files, such as /etc/profile and /boot/bootcmd, to execute malicious scripts whenever the system reboots or a user logs in.
Multi-Device Attacks and Key Exploits
The strength of the Gorilla botnet comes from its flexibility, as it can infect devices with different CPU types like ARM, MIPS, x86, and x86_64. It can connect to five set Command-and-Control (C2) servers, allowing it to carry out coordinated DDoS attacks.
Gorilla also takes advantage of a known vulnerability in Apache Hadoop YARN, allowing it to run code remotely on infected systems. This vulnerability has been around since 2021, increasing the risk to targeted networks.
Mitigating the Gorilla Threat
To defend against the Gorilla botnet, organizations must focus on these key strategies:
- Real-Time Threat Intelligence: Implement tools that provide real-time insights into active threats, allowing security teams to anticipate and block botnet attacks like Gorilla before they strike.
- Advanced DDoS Protection: Implement DDoS protection solutions like AppTrana which includes features such as real time threat monitoring, behavioural analysis of bot traffic and unmetered DDoS protection. This will ensure that even botnet driven volumetric DDoS attacks are effectively neutralized, safeguarding critical infrastructure and services.
- Regular Security Updates and Patches: Ensure all systems are regularly updated and patched to close vulnerabilities that Gorilla could exploit. Prioritize patching for network devices, IoT systems, and web applications.
- Network Segmentation and Isolation: Divide your network into secure segments to limit the spread of the botnet if one area is compromised. Isolating critical assets reduces the impact of any breach.
- Continuous Monitoring and Incident Response: Set up 24/7 monitoring to detect unusual traffic early. Establish a clear incident response plan to quickly address and neutralize any attack when detected.
