

Cloudflare Prevents World’s Largest-Ever DDoS Attack Targeting Global Sectors
October 7, 2024
PatchWork APT Threat Actor Group – Active IOCs
October 7, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have identified a new botnet malware family named Gorilla (also known as GorillaBot), built on the leaked Mirai botnet source code.
According to the researchers, who observed the activity last month, the botnet issued more than 300,000 attack commands between September 4 and September 27, 2024, an unusually high attack density: on average no fewer than 20,000 distributed denial-of-service (DDoS) commands per day. Targets included universities, government websites, telecommunications providers, banks, and the gaming and gambling industries, spread across more than 100 countries. The most frequently attacked countries are China, the United States, Canada, and Germany.
Gorilla's main DDoS attack methods are UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood. The researchers note that because UDP is a connectionless protocol, the bots can spoof arbitrary source IP addresses and so generate large volumes of traffic that is hard to attribute or filter by source. The botnet supports multiple CPU architectures, including ARM, MIPS, x86_64, and x86, and connects to one of five pre-configured command-and-control (C2) servers to receive DDoS commands.
The malware also contains functionality for remote code execution that exploits a vulnerability in Apache Hadoop YARN RPC, a flaw that has been exploited in the wild since 2021. On a compromised host, persistence is established by creating a service file named custom.service in the "/etc/systemd/system/" directory and enabling it to run automatically each time the system boots.
The service's task is to download and run a shell script named "lol.sh" from a remote server. Equivalent commands are also appended to the "/etc/inittab," "/etc/profile," and "/boot/bootcmd" files, so the script is fetched and executed again at system startup or user login. Beyond its range of DDoS techniques, Gorilla conceals key strings and configuration using encryption algorithms commonly associated with the Keksec group, and employs several techniques to retain long-term control over cloud hosts and IoT devices, showing a high degree of anti-detection awareness for an emerging botnet family.
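The persistence mechanism described above gives a defender four concrete places to look. The following POSIX shell function is added here as a worked example; it is not code from the original report or from the malware analysis. It checks a host for the custom.service unit and for download-and-execute lines referencing lol.sh in /etc/inittab, /etc/profile and /boot/bootcmd. Two things go beyond the page's specifics and are assumptions: the optional root-prefix argument (so the same check runs against an offline-mounted image), and the extra pattern that flags any curl or wget output piped into a shell, not just the lol.sh name.

```shell
#!/bin/sh
# gorilla_persistence_check [ROOT]
# Added example, not from the original advisory. Looks for the GorillaBot
# persistence artefacts named in the report: the systemd unit
# /etc/systemd/system/custom.service and download-and-execute lines for
# lol.sh appended to /etc/inittab, /etc/profile and /boot/bootcmd.
# ROOT (an assumption, for offline use) lets the check run against a
# mounted image such as /mnt/evidence; it defaults to the live root.
# Exit status: 0 = nothing found, 1 = at least one artefact found.

# Match the literal script name, or any curl/wget output piped into a shell
# (generalisation beyond the page's specific name). "[|]" keeps the pipe
# literal inside the extended regex.
GORILLA_PATTERN='lol\.sh|(curl|wget) .*[|] *(ba)?sh'

gorilla_persistence_check() {
    root="${1:-}"
    root="${root%/}"          # strip a trailing slash so "/" becomes ""
    hits=0

    # 1. The systemd unit the bot drops and enables.
    unit="$root/etc/systemd/system/custom.service"
    if [ -f "$unit" ]; then
        echo "HIT: systemd unit present: $unit"
        grep -nE "$GORILLA_PATTERN" "$unit" | sed 's/^/    /'
        hits=$((hits + 1))
    fi

    # 2. Boot/login files the bot appends its downloader line to.
    for rel in etc/inittab etc/profile boot/bootcmd; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        if grep -qE "$GORILLA_PATTERN" "$f"; then
            echo "HIT: download-and-execute line in $f"
            grep -nE "$GORILLA_PATTERN" "$f" | sed 's/^/    /'
            hits=$((hits + 1))
        fi
    done

    echo "total hits: $hits"
    [ "$hits" -eq 0 ]
}
```

Source the file and run `gorilla_persistence_check` on a live host, or `gorilla_persistence_check /mnt/evidence` against a mounted disk image; a non-zero exit status means at least one artefact was found, which makes it easy to drive from a fleet-wide job. A hit on custom.service alone does not prove infection if an administrator legitimately uses that name, so the matched lines are printed for review.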
Impact
- Denial of Service
- Operational Disruption
- Unauthorized Access
- Code Execution
Indicators of Compromise
MD5
- 7f134c477f307652bb884cafe98b0bf2
- 3a3be84df2435623132efd1cd9467b17
- 03a59780b4c5a3c990d0031c959bf7cc
- 5b37be51ee3d41c07d02795a853b8577
- 15f6a606ab74b66e1f7e4a01b4a6b2d7
SHA-256
- b4a2a1900bab5b6e405cc78b72c5d1706c789b309bc1fa27ad746153ccb84004
- 3905126f5f9f7430dee31c207706852e56292291449b563781bc6ee0b540343a
- d4007f1ac2cb3a48db4bde7dbab7255421bf64f768a06492b81087f67a2e6c9c
- e03580729f2f09dbd937d685fc9229959e84c9f329bee7eee16536bb8f9e60cf
- 81c775f9540a66fded643fe4ec53dbbf35742bd3b069d95d689da313fc9b80a9
SHA-1
- f0bd44d4759b20707d00ecfda5c91063810e478d
- 61ddfe346df7cf091f476d7a9658c0c4a271a77a
- 858dd1f037124fb0511269f624c69bea92a1aefc
- 557d567fb1df6cdc1e2ad4ae24e9fc16af1a4f93
- 8b2a21e13123dceced5d7ae40c7a7d2677e9977a
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls, and check Linux hosts for the persistence artefacts described above (custom.service, and download-and-execute entries in /etc/inittab, /etc/profile and /boot/bootcmd).
- Never trust or open links and attachments received from unknown sources/senders.
- Keep operating systems, device firmware and software up to date so that known vulnerabilities are patched; in particular, patch or isolate any Internet-exposed Apache Hadoop YARN instances.
- Enable antivirus and anti-malware software and keep signature definitions current. Multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique, strong ones.
- Disable unnecessary services and features on IoT devices to reduce their attack surface, disable remote management if it is not needed, and enable the security features provided by the device manufacturer.
- Deploy firewalls and intrusion detection and prevention systems (IDS/IPS) to monitor and control traffic to and from IoT devices and to flag anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns or device behaviour that might indicate a DDoS attack in progress or a compromised device participating in one.