GorillaBot

Written by The Hivemind | Oct 23, 2024 3:56:41 PM

Related Families: Mirai
Verticals Targeted: Education, Government, Telecommunications, Financial, Gaming

Executive Summary

Gorilla Botnet, also known as GorillaBot, is a Mirai-based botnet family that recently gained momentum and notoriety.

Key Takeaways

  • Gorilla Botnet, also known as GorillaBot, is a botnet family that recently gained momentum and notoriety.
  • It was first observed in 2023, but industry researchers did not report on GorillaBot until recently, when it was observed in a high-volume attack.
  • GorillaBot is an offshoot of Mirai and is capable of targeting a variety of architectures, including ARM, MIPS, x86_64, and x86.
  • PolySwarm analysts consider GorillaBot to be an emerging threat due to its sophistication and the recent demonstration of its capability for high-volume attacks.

What is GorillaBot?

Gorilla Botnet, also known as GorillaBot, is a botnet family that recently gained momentum and notoriety. It was first observed in 2023. However, industry researchers did not report on GorillaBot until recently, when it was observed in a high-volume attack. Between September 4 and September 27, GorillaBot conducted a series of high-density attacks, issuing over 300,000 attack commands. The campaign was reported by NSFocus.

GorillaBot is an offshoot of Mirai and is capable of targeting a variety of architectures, including ARM, MIPS, x86_64, and x86. For DDoS, GorillaBot uses UDP flood, ACK BYPASS flood, VSE flood, SYN flood, and ACK flood. Because UDP is connectionless, a relatively small number of bots can generate a high volume of attack traffic.
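As an added example (not code from the PolySwarm write-up or from NSFocus's analysis), the following defender-side heuristic flags the UDP, SYN and ACK flood patterns named above in NetFlow-style records by looking for a burst of packets at one destination from many distinct sources in a short window. The record layout, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records, not real traffic:
# (timestamp_seconds, src_ip, dst_ip, proto, tcp_flags, packet_count)
SAMPLE_FLOWS = [
    (100, "198.51.100.10", "203.0.113.5", "udp", "", 3000),
    (100, "198.51.100.11", "203.0.113.5", "udp", "", 2800),
    (100, "198.51.100.12", "203.0.113.5", "udp", "", 3100),
    (100, "198.51.100.20", "203.0.113.9", "tcp", "S", 4500),
    (100, "198.51.100.21", "203.0.113.9", "tcp", "S", 4200),
    (100, "198.51.100.22", "203.0.113.9", "tcp", "S", 4100),
    (100, "192.0.2.7", "203.0.113.9", "tcp", "SA", 40),    # normal handshake reply
    (100, "192.0.2.8", "203.0.113.30", "tcp", "A", 9000),  # one busy source, not a flood
    (101, "198.51.100.10", "203.0.113.5", "udp", "", 900), # low rate in the next second
]

def flood_kind(proto, flags):
    """Map a flow to one of the flood types named in the write-up, or None."""
    if proto == "udp":
        return "udp_flood"
    if proto == "tcp" and flags == "S":
        return "syn_flood"
    if proto == "tcp" and flags == "A":
        return "ack_flood"
    return None

def detect_floods(flows, window=1, pkt_threshold=5000, min_sources=3):
    """Aggregate packets and distinct sources per (dst, kind, window) bucket.

    Returns {(dst_ip, kind, window_start): (packets, distinct_sources)} for
    buckets exceeding both the packet-rate and the source-diversity threshold
    (assumed values; tune to the monitored network's baseline)."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, dst, proto, flags, pkts in flows:
        kind = flood_kind(proto, flags)
        if kind is None:
            continue
        key = (dst, kind, ts - ts % window)
        buckets[key][0] += pkts
        buckets[key][1].add(src)
    return {k: (p, len(s)) for k, (p, s) in buckets.items()
            if p >= pkt_threshold and len(s) >= min_sources}

if __name__ == "__main__":
    for (dst, kind, start), (pkts, srcs) in sorted(detect_floods(SAMPLE_FLOWS).items()):
        print(f"{dst} {kind} t={start}: {pkts} pkts from {srcs} sources")
```

The single-source ACK burst is deliberately left unflagged: a botnet flood is characterised by many sources converging on one target, and the source-diversity check keeps one busy client from raising an alert.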

During the high volume of attacks in September, GorillaBot targeted over 100 countries. Of the over 20,000 targets affected, China and the US had the most victims. Targeted entities included those in the education, government, telecommunications, financial, and gaming sectors. At least 40 targets were critical infrastructure entities.

NSFocus researchers noted that GorillaBot uses DDoS attack methods and encryption algorithms typically associated with KekSec. GorillaBot is sophisticated, using multiple techniques to maintain persistence and showing a high level of counter-detection awareness. PolySwarm analysts consider GorillaBot to be an emerging threat due to its sophistication and the recent demonstration of its capability for high-volume attacks.

IOCs

PolySwarm has multiple samples of GorillaBot.


You can use the following CLI command to search for all GorillaBot samples in our portal:

$ polyswarm link list -f GorillaBot
