A new botnet named "GorillaBot" has issued over 300,000 attack commands against targets in more than 100 countries in the space of just three weeks. Discovered by the NSFOCUS Global Threat Hunting team, its activity was tracked between September 4 and September 27, during which it executed this wave of attacks. The malware is designed to hijack vulnerable devices globally, turning them into tools for distributed denial-of-service (DDoS) attacks and other malicious activity.

Built on the infamous Mirai botnet framework, GorillaBot represents a notable evolution of that codebase. Unlike Mirai, it incorporates custom encryption algorithms and anti-debugging measures, making it significantly harder to detect and analyze, while retaining Mirai's ability to process both simple and complex attack instructions. By grafting new encryption methods and evasion tactics onto older code, its operators have shown how aging malware can be revitalized into a formidable tool for cybercrime.

GorillaBot's operation begins with the infection of devices through vulnerabilities in Internet of Things (IoT) systems or other poorly secured endpoints. Before initiating its primary operations, the malware checks whether it is running in a virtualized or containerized environment of the kind researchers use for analysis. It also applies anti-debugging measures, such as inspecting the TracerPid field in /proc/self/status: on Linux this field holds the PID of a ptrace-attached tracer, so a non-zero value tells the bot that a debugger such as gdb or strace is watching it. Together, these checks let the sample evade traditional analysis tooling while maintaining robust communication with its command-and-control (C2) servers.
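The TracerPid and environment checks described above, written out as an added illustration rather than code from GorillaBot or the NSFOCUS report: a parser for the TracerPid field that can be unit-tested against captured /proc/self/status text, the wrapper that reads the live file, and a container heuristic that scans /proc/1/cgroup for runtime names. The marker list, the function names and the sample status text are this example's assumptions; the article does not say which container indicators the sample looks for. C is used because Mirai-derived bots are C programs running on Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not GorillaBot's code: the checks the article describes,
 * written so the parsing part can be tested against captured /proc text. */

/* Parse the "TracerPid:" line out of /proc/<pid>/status text.
 * Returns the tracer's PID, or 0 when nothing is attached or the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return 0;
    /* strtol skips the tab after the colon and stops at the newline. */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Read the live /proc/self/status and report whether a ptrace-based tracer
 * (gdb, strace, ltrace, ...) is attached to this process. */
int is_being_traced(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;                           /* not Linux, or /proc unavailable */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
}

/* Container heuristic (assumption: the article does not name the indicators the
 * sample checks). Looks for common runtime names in /proc/1/cgroup text. */
int cgroup_text_looks_containerized(const char *cgroup_text)
{
    static const char *const markers[] = { "docker", "lxc", "kubepods", "containerd" };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (strstr(cgroup_text, markers[i]) != NULL)
            return 1;
    return 0;
}

/* Read the live /proc/1/cgroup and apply the heuristic above. */
int looks_containerized(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/1/cgroup", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cgroup_text_looks_containerized(buf);
}

int main(void)
{
    /* Run the live checks; under gdb or strace the first value becomes 1. */
    printf("traced: %d  containerized: %d\n", is_being_traced(), looks_containerized());
    return 0;
}
```

Two practical notes for the analyst. TracerPid only reflects ptrace attachments, so the check is blind to emulators and to hardware-assisted tracing, and it can be neutralized in a debugger by patching the comparison or by breaking right after the read and overwriting the returned value. Conversely, a sample that exits quietly a few milliseconds after start in a sandbox is consistent with exactly this kind of check, and that early exit should be recorded as an evasion indicator rather than as a benign verdict.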
Once a device is compromised, the malware establishes communication with its C2 server using raw TCP sockets. This channel is protected by a custom XTEA-like cipher that encrypts and decrypts the data exchanged between the bot and its controllers, and the bot authenticates to the server with a mechanism that generates a unique SHA-256-based token. Once authenticated, GorillaBot receives encoded attack commands that are decrypted and parsed for execution; these direct the botnet to launch targeted attacks against specific systems or networks. On top of this, its creators have layered multiple evasion techniques to avoid detection.

Targets span industries ranging from telecommunications to finance and education. As GorillaBot continues its global rampage, the need for coordinated international efforts to tackle botnets has never been more critical.
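The article describes the C2 cipher only as "XTEA-like", so the block below is reference XTEA (64-bit block, 128-bit key, 32 cycles, delta 0x9E3779B9) as an added example, not the bot's own routine and not code from NSFOCUS. The big-endian word packing, the ECB helper, the sample key and the constructed command string are this example's assumptions. An analyst diffs a sample's decryption loop against a reference like this to spot what was customized (the delta, the cycle count, the key schedule, the word order) and then reuses the same code with the recovered constants to decode captured C2 traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: standard XTEA for comparison, not GorillaBot's custom variant. */
#define XTEA_DELTA  0x9E3779B9u
#define XTEA_CYCLES 32u            /* 32 cycles = 64 Feistel rounds */

/* Encrypt one 64-bit block (two 32-bit words) in place with a 128-bit key. */
void xtea_encrypt_block(uint32_t v[2], const uint32_t key[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < XTEA_CYCLES; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Decrypt one block: run the cycles backwards from sum = delta * cycles. */
void xtea_decrypt_block(uint32_t v[2], const uint32_t key[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_CYCLES; /* 0xC6EF3720 */
    for (unsigned i = 0; i < XTEA_CYCLES; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Word packing is an assumption; read the real order from the sample's disassembly. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void store_be32(uint8_t *p, uint32_t x)
{
    p[0] = (uint8_t)(x >> 24);
    p[1] = (uint8_t)(x >> 16);
    p[2] = (uint8_t)(x >> 8);
    p[3] = (uint8_t)x;
}

/* ECB over a whole buffer, in place. len must be a multiple of 8.
 * decrypt != 0 selects decryption. Returns 0 on success, -1 on bad length. */
int xtea_ecb(uint8_t *buf, size_t len, const uint32_t key[4], int decrypt)
{
    if (len % 8 != 0)
        return -1;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2] = { load_be32(buf + off), load_be32(buf + off + 4) };
        if (decrypt)
            xtea_decrypt_block(v, key);
        else
            xtea_encrypt_block(v, key);
        store_be32(buf + off, v[0]);
        store_be32(buf + off + 4, v[1]);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a 16-byte command string and an arbitrary key. */
    const uint32_t key[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };
    uint8_t msg[16];
    memcpy(msg, "ATTACK 192.0.2.1", 16);

    xtea_ecb(msg, sizeof msg, key, 0);
    printf("ciphertext:");
    for (size_t i = 0; i < sizeof msg; i++)
        printf(" %02x", msg[i]);
    printf("\n");

    xtea_ecb(msg, sizeof msg, key, 1);
    printf("recovered: %.16s\n", msg);
    return 0;
}
```

A known-answer check is the first thing to run against a recovered routine: with an all-zero key and an all-zero block, reference XTEA yields DEE9D4D8 F7131ED9. If the sample's loop produces something else on the same input, the difference is the customization to hunt for, and once the constants are swapped in, the same buffer helper decodes the command frames captured on the raw TCP channel.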
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 27 Mar 2025 16:20:16 +0000