The Latest Gorilla Botnet Unleashes Over 300,000 DDoS Attacks Across 100 Global Regions

AndyC 8 October 2024

Oct 07, 2024Ravie LakshmananInternet of Things Security / Botnet

A group of cybersecurity experts has uncovered a fresh botnet malware strain named Gorilla (also known as GorillaBot) which is a modified version of the leaked Mirai botnet source c

New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

Oct 07, 2024Ravie LakshmananInternet of Things Security / Botnet

New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

A group of cybersecurity experts has uncovered a fresh botnet malware strain named Gorilla (also known as GorillaBot) which is a modified version of the leaked Mirai botnet source code.

NSFOCUS, a cybersecurity company that detected this activity last month, mentioned that the botnet “executed more than 300,000 assault instructions, displaying an astonishing assault density” from September 4 to September 27, 2024. An average of 20,000 instructions intended for launching distributed denial-of-service (DDoS) strikes were dispatched from the botnet each day.

Cybersecurity

Reportedly, the botnet has launched assaults on over 100 nations, targeting educational institutions, government portals, telecommunications services, financial institutions, as well as the gaming and wagering sectors. Notably, China, the United States, Canada, and Germany have emerged as the most heavily targeted regions.

It was revealed that the Gorilla botnet mainly deploys UDP flood, ACK BYPASS flood, Valve Source Engine (VSE) flood, SYN flood, and ACK flood techniques for executing DDoS onslaughts. The botnet utilizes the connectionless aspect of the UDP protocol to engage in random source IP spoofing and generate substantial traffic volumes.

In addition to supporting different CPU architectures like ARM, MIPS, x86_64, and x86, the botnet is equipped with capabilities to connect to one of the five predefined command-and-control (C2) servers to receive DDoS directives.

Interestingly, the malware incorporates functionalities to exploit a security vulnerability in Apache Hadoop YARN RPC for remote code execution. Notably, this weakness has been exploited in the wild as early as 2021, as noted by Alibaba Cloud and Trend Micro.

Persistence on the host system is established by creating a service file dubbed custom.service in the “/etc/systemd/system/” directory and configuring it to launch automatically during system boot-up.

Cybersecurity

The service is responsible for downloading and executing a shell script (“lol.sh”) from a remote server (“pen.gorillafirewall[.]su”). Similar commands are injected into “/etc/inittab,” “/etc/profile,” and “/boot/bootcmd” files to fetch and run the shell script during system boot or user login.

“It introduced various DDoS attack methods and used encryption algorithms commonly employed by the Keksec group to conceal crucial details, in addition to employing multiple strategies to retain extended control over IoT devices and cloud hosts, showcasing a high degree of evasion techniques as an emerging botnet family,” as stated by NSFOCUS.

Found this article engaging? Stay updated by following us on Twitter and LinkedIn for more exclusive content.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

The Case for Dynamic AI-SaaS Security as Copilots Scale

The Case for Dynamic AI-SaaS Security as Copilots Scale

AndyC 19 December 2025
Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

AndyC 19 December 2025
CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

AndyC 18 December 2025
Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

AndyC 18 December 2025
SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

AndyC 18 December 2025
Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

AndyC 18 December 2025

You may have missed

Blog-5-300x200-1.jpg

How To Spot Health Insurance Scams This Open Enrollment Season

AndyC 19 December 2025
U.S. CISA adds Cisco, SonicWall, and ASUS flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds Cisco, SonicWall, and ASUS flaws to its Known Exploited Vulnerabilities catalog

AndyC 19 December 2025
GhostPairing campaign abuses WhatsApp device linking to hijack accounts

GhostPairing campaign abuses WhatsApp device linking to hijack accounts

AndyC 19 December 2025
2025 Federal Retrospective: The Year of Resilient Innovation

2025 Federal Retrospective: The Year of Resilient Innovation

AndyC 19 December 2025
The Biggest Cyber Stories of the Year: What 2025 Taught Us

The Biggest Cyber Stories of the Year: What 2025 Taught Us

AndyC 19 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.