GorillaBot Launches 300K Cyberattacks Across the Globe
A new variant of the Mirai malware, known as GorillaBot, has driven a surge in Distributed Denial-of-Service (DDoS) attacks in recent weeks. According to reports, GorillaBot launched a total of 300,000 attacks against approximately 20,000 organizations worldwide, nearly 4,000 of them based in the United States.

The attacks conducted by GorillaBot primarily flooded target networks with User Datagram Protocol (UDP) packets and with TCP ACK Bypass floods. UDP is connectionless: there is no handshake, so a bot can spoof the source address and every packet still has to be received and processed by the target, which is why the protocol (familiar from gaming and video streaming) lends itself to volumetric floods. A TCP ACK Bypass flood instead sends spoofed TCP segments with the Acknowledgement (ACK) flag set that belong to no established connection, aimed at a specific port; because they are not SYN packets, they slip past defences that only police connection setup, and the target or a stateful device in front of it burns resources looking up and discarding each one.

Researchers at NSFOCUS, who have been monitoring GorillaBot's activity, observed that the malware is built for several architectures, including ARM, MIPS, x86_64 and x86. The samples reuse parts of the Mirai source code and carry a distinctive signature message that reads "gorilla botnet is on the device ur not a cat go away [sic]", which is what led to the name GorillaBot.

NSFOCUS also noted that the bot carries five built-in command-and-control (C2) servers, from which it received a high volume of attack commands every day. At its peak the botnet issued 20,000 attack commands in a single day, against organizations in 113 countries. China experienced the most significant impact, followed by the US, Canada and Germany.

Despite its Mirai origins, GorillaBot has expanded its DDoS capabilities to a total of 19 attack methods, including UDP floods, TCP SYN floods and ACK floods. Multivector attacks of this kind are hard to mitigate because each vector calls for a different control. A UDP flood is handled by rate limiting per source, blocking UDP traffic to ports that serve nothing, and spreading the attack traffic across multiple servers or scrubbing capacity so no single host absorbs it. SYN and ACK floods are handled at the TCP layer instead: SYN cookies let a server answer SYNs without allocating connection state until the handshake completes, and a stateful firewall drops ACK segments that match no known connection, so only ACKs that belong to a real handshake are processed. Intrusion-detection sensors then flag the sources whose traffic is being dropped in bulk.
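The controls above can be shown working together as a small stateful filter run over one window of inbound packets: UDP to closed ports is dropped, UDP to open ports is rate-limited per source, SYNs are counted per source the way a SYN-cookie server would count half-open attempts, and ACKs that match no handshake (the ACK Bypass pattern) are discarded and counted. This is an added example written for this article, not code from NSFOCUS or from the GorillaBot sample; the thresholds, the set of open UDP ports, the addresses and the packet records are all constructed for illustration.

```python
"""Stateful flood filter over constructed packet records (example, not NSFOCUS code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # arrival time in seconds
    src: str         # source IP
    sport: int       # source port
    dport: int       # destination port on the protected host
    proto: str       # "udp" or "tcp"
    flags: str = ""  # TCP flags as letters: S (SYN), A (ACK), P (PSH)


# Policy thresholds. Assumed values for the example, not figures from the
# NSFOCUS report; tune them to the protected host's real traffic baseline.
OPEN_UDP_PORTS = {53, 123}   # UDP services actually offered (assumed)
UDP_PPS_PER_SRC = 100        # per-source UDP packets to an open port per window
ORPHAN_ACK_PPS = 50          # ACKs matching no connection before it is an ACK flood
HALF_OPEN_PER_SRC = 50       # SYNs without a completing ACK before it is a SYN flood


def filter_window(packets):
    """Apply the policy to one window of inbound packets.

    Returns (verdicts, counts): verdicts maps a source IP to the attack label
    assigned to it; counts tallies packets by accept/drop reason.
    """
    half_open = set()        # (src, sport, dport) that sent a SYN, no ACK yet
    established = set()      # tuples whose three-way handshake completed
    udp_rate = Counter()     # (src, dport) -> UDP packets this window
    orphan_acks = Counter()  # src -> ACKs that matched no connection
    syn_count = Counter()    # src -> half-open handshakes outstanding
    counts = Counter()
    verdicts = {}

    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.src, p.sport, p.dport)
        if p.proto == "udp":
            if p.dport not in OPEN_UDP_PORTS:
                counts["drop_udp_closed_port"] += 1      # block UDP to unused ports
                continue
            udp_rate[(p.src, p.dport)] += 1
            if udp_rate[(p.src, p.dport)] > UDP_PPS_PER_SRC:
                counts["drop_udp_rate_limited"] += 1     # per-source rate limit
                verdicts[p.src] = "udp_flood"
                continue
            counts["accept"] += 1
        elif p.proto == "tcp":
            if "S" in p.flags and "A" not in p.flags:
                # New handshake attempt. A SYN-cookie server allocates no state
                # here; we only count how many are outstanding per source.
                syn_count[p.src] += 1
                if syn_count[p.src] > HALF_OPEN_PER_SRC:
                    verdicts[p.src] = "syn_flood"
                    counts["drop_syn_excess"] += 1
                    continue
                half_open.add(key)
                counts["accept"] += 1
            elif "A" in p.flags:
                if key in established:
                    counts["accept"] += 1                # data on a real connection
                elif key in half_open:
                    half_open.discard(key)               # third step of the handshake
                    syn_count[p.src] -= 1
                    established.add(key)
                    counts["accept"] += 1
                else:
                    # ACK for a connection never set up: exactly what an ACK
                    # Bypass flood sends to get past SYN-only defences.
                    orphan_acks[p.src] += 1
                    counts["drop_orphan_ack"] += 1
                    if orphan_acks[p.src] > ORPHAN_ACK_PPS:
                        verdicts[p.src] = "ack_flood"
            else:
                counts["accept"] += 1
    return verdicts, counts


def constructed_traffic():
    """One window of constructed inbound traffic; not a real capture."""
    pkts = [  # legitimate client: handshake, then data on port 443
        Pkt(0.00, "192.0.2.10", 40000, 443, "tcp", "S"),
        Pkt(0.01, "192.0.2.10", 40000, 443, "tcp", "A"),
        Pkt(0.02, "192.0.2.10", 40000, 443, "tcp", "PA"),
    ]
    # legitimate resolver: 20 DNS queries
    pkts += [Pkt(0.05 + i * 0.01, "192.0.2.20", 50000 + i, 53, "udp") for i in range(20)]
    # UDP flood from one source to the open DNS port: 500 packets
    pkts += [Pkt(0.1 + i * 0.001, "198.51.100.7", 1024 + i, 53, "udp") for i in range(500)]
    # UDP to a port with no service: 30 packets
    pkts += [Pkt(0.2 + i * 0.01, "198.51.100.8", 2000 + i, 9999, "udp") for i in range(30)]
    # ACK Bypass flood: 300 ACKs on tuples that never sent a SYN
    pkts += [Pkt(0.3 + i * 0.001, "198.51.100.9", 3000 + i, 80, "tcp", "A") for i in range(300)]
    # SYN flood: 120 SYNs that are never completed
    pkts += [Pkt(0.4 + i * 0.001, "198.51.100.11", 4000 + i, 80, "tcp", "S") for i in range(120)]
    return pkts


if __name__ == "__main__":
    verdicts, counts = filter_window(constructed_traffic())
    for src, label in sorted(verdicts.items()):
        print(f"{src:16} {label}")
    for reason, n in sorted(counts.items()):
        print(f"{reason:24} {n}")
```

The legitimate client and resolver pass untouched while each flood source is labelled by the vector it used, which is the point of treating the vectors separately: a SYN-only threshold would never have seen the 300 orphan ACKs. In production the window would slide and the verdicts would feed a firewall rule or an upstream scrubbing request rather than a dictionary.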

The rise of bad bots like GorillaBot has been a growing concern in recent years, as automated malicious traffic now makes up a significant share of everything that crosses the internet. A recent report from Imperva found that bad bot traffic accounts for 32% of all online traffic, up from 23.6% in 2013, and that 12.4% of bad bot attacks in 2023 were DDoS attacks, underlining the part such bots play in disruptive activity.

In conclusion, the emergence of GorillaBot underscores the persistent threat that Mirai-derived botnets pose to organizations worldwide. As these variants keep adding attack vectors, organizations need mitigation that covers each vector separately, from UDP rate limiting to stateful handling of TCP floods, rather than a single generic defence.
