Image Source: NSFOCUS
GorillaBot utilizes several different attack methods but favors UDP Flood attacks, followed by ACK Bypass Flood attacks and Valve Source Engine (VSE) Flood attacks. Using the same process as the original Mirai, GorillaBot randomly selects one of five C2 servers to establish a connection and receive commands. GorillaBot employs 19 different distributed denial-of-service (DDOS) attack vectors and uses encryption algorithms that the Keksec threat group often utilizes to encrypt key strings. An exploit named “yarn_init” is written into the code; it uses a vulnerability in Hadoop Yarn RPC that allows for remote code execution without authentication.

To maintain persistence, GorillaBot writes the “custom.service” file into the /etc/systemd/system directory and sets it to run automatically upon system boot. There is also a check to determine whether the /proc file system exists on the infected device and whether the system is a honeypot.

Recommendations
- Monitor network traffic, checking for any abnormal increases that could indicate the beginning of a DDOS attack.
- Regularly check for and remediate exploitable security flaws and vulnerabilities.
- Distribute servers and critical data in multiple data centers to ensure they are on different networks with diverse paths.
- Keep all devices patched with the latest security updates.
- Review the DDOS Attack Types and Mitigation Strategies NJCCIC Product for more information on DDOS attacks.
- Read more about IoT Devices and best practices in the IoT Device Security and Privacy NJCCIC product.
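The persistence mechanism described above (a systemd unit named custom.service dropped into /etc/systemd/system and enabled at boot) is a concrete host artifact a defender can hunt for. The following POSIX shell script is an added example written for this page; it is not part of the NJCCIC advisory or the NSFOCUS analysis. It reports whether such a unit exists in a given systemd directory, what its ExecStart line points to, and whether a multi-user.target.wants symlink enables it at boot. The directory is passed as a parameter so the same check can run against a mounted disk image or a constructed test tree. The ExecStart path used in the sample tree is a constructed placeholder, not an indicator from the advisory.

```shell
#!/bin/sh
# Added hunting example for the GorillaBot persistence artifact described on
# this page (custom.service under /etc/systemd/system). Not from the advisory.

# check_custom_service <systemd_dir>
# Prints one line and returns 0 if a custom.service unit is present, 1 if not.
check_custom_service() {
    dir="$1"
    unit="$dir/custom.service"
    if [ ! -f "$unit" ]; then
        echo "clean: no custom.service in $dir"
        return 1
    fi
    # First ExecStart= value tells an analyst which binary the unit launches.
    exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1)
    enabled="not-enabled"
    # systemctl enable creates this symlink for WantedBy=multi-user.target units.
    if [ -L "$dir/multi-user.target.wants/custom.service" ]; then
        enabled="enabled-at-boot"
    fi
    echo "FINDING: $unit ($enabled) ExecStart=$exec_line"
    return 0
}

# build_sample_tree <base_dir>
# Constructs a fake systemd directory shaped like the persistence the advisory
# describes, for offline testing. The binary path is a constructed placeholder.
build_sample_tree() {
    base="$1"
    mkdir -p "$base/multi-user.target.wants"
    cat > "$base/custom.service" <<'EOF'
[Unit]
Description=custom

[Service]
ExecStart=/tmp/CONSTRUCTED_PLACEHOLDER_bot
Restart=always

[Install]
WantedBy=multi-user.target
EOF
    ln -sf "$base/custom.service" "$base/multi-user.target.wants/custom.service"
}

# When invoked with a directory argument, check that directory, e.g.
#   sh hunt_custom_service.sh /etc/systemd/system
if [ -n "${1:-}" ]; then
    check_custom_service "$1"
fi
```

A hit on the unit name alone is not proof of infection, since "custom.service" is a generic name; the ExecStart path and the enabled state are what an analyst should triage, ideally alongside the network-traffic monitoring the recommendations above call for.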
