Verticals Targeted: Education, Government, Telecommunications, Financial, Gaming
What is GorillaBot?
GorillaBot is an offshoot of Mirai and is capable of targeting a variety of architectures, including ARM, MIPS, x86_64, and x86. For DDoS, GorillaBot uses UDP flood, ACK BYPASS flood, VSE flood, SYN flood, and ACK flood. Using the connectionless UDP protocol facilitates high attack traffic in relation to the limited number of bots used.
During the high volume of attacks in September, GorillaBot targeted over 100 countries. Of the over 20,000 targets affected, China and the US had the most victims. Targeted entities included those in the education, government, telecommunications, financial, and gaming sectors. At least 40 targets were critical infrastructure entities.
NSFocus researchers noted that GorillaBot uses DDoS attack methods and encryption algorithms typically associated with KekSec. GorillaBot is sophisticated, using multiple techniques to maintain persistence and showing a high level of counter-detection awareness. PolySwarm analysts consider GorillaBot to be an emerging threat due to its sophistication and the recent demonstration of its capability for high-volume attacks.
IOCs
PolySwarm has multiple samples of GorillaBot.
f6b1ee2f727b3a5a5ee7228e4d11e6d8fb0d7b85e32df6249056abd3f414b1c4
7034458e149594f2cf72bc861c18f50151ba6d3aff918a32b7041679cab765c6
b4a2a1900bab5b6e405cc78b72c5d1706c789b309bc1fa27ad746153ccb84004
3905126f5f9f7430dee31c207706852e56292291449b563781bc6ee0b540343a
d4007f1ac2cb3a48db4bde7dbab7255421bf64f768a06492b81087f67a2e6c9c
e03580729f2f09dbd937d685fc9229959e84c9f329bee7eee16536bb8f9e60cf
81c775f9540a66fded643fe4ec53dbbf35742bd3b069d95d689da313fc9b80a9
You can use the following CLI command to search for all GorillaBot samples in our portal:
$ polyswarm link list -f GorillaBot
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.