Gorilla Bot Malware Analysis

I. Targeted Entities
- Financial Institutions
- E-commerce Platforms
- Cryptocurrency Exchanges
- Government Agencies
- Individual Users with High-Value Accounts
II. Introduction
Gorilla Bot is an advanced malware strain first detected in early 2025, specializing in automated credential stuffing, web scraping, and distributed denial-of-service (DDoS) attacks. The malware operates as a botnet-as-a-service, allowing cybercriminals to rent botnet capabilities for various malicious purposes. Gorilla Bot leverages advanced evasion techniques, including rotating IP addresses, encrypted command-and-control (C2) communications, and AI-driven attack automation.
Gorilla Bot traces its lineage to the infamous Mirai botnet, which gained notoriety in 2016 for exploiting Internet of Things (IoT) devices to launch massive DDoS attacks. Mirai’s source code was leaked publicly, leading to the creation of numerous variants. Gorilla Bot is one such derivative, distinguished by its enhanced capabilities and operational sophistication.
While initially believed to have surfaced in late 2024, further research indicates that Gorilla Bot has been active for over a year, suggesting a more prolonged development and deployment phase than previously understood.
Gorilla Bot has been observed infiltrating corporate networks through phishing campaigns and exploiting web application vulnerabilities. Once inside, it rapidly expands by exploiting weak credentials, unpatched software, and misconfigured cloud environments. The malware has been linked to multiple high-profile data breaches, exfiltrating sensitive information from financial institutions and large-scale e-commerce platforms.
III. Additional Background Information
Between September 4 and September 27, 2024, GorillaBot issued over 300,000 attack commands, averaging 20,000 per day. These attacks targeted over 100 countries, with China, the United States, Canada, and Germany being the most affected. Victim sectors included universities, government websites, telecommunications, banking, gaming, and gambling industries. This widespread impact underscores the botnet’s global reach and the diverse range of targets it affects.
The malware’s primary monetization strategies include selling stolen credentials on dark web marketplaces, launching paid DDoS-for-hire attacks, and reselling scraped data to third parties.
Capabilities:
- UDP Flood: Overwhelms the target with User Datagram Protocol packets.
- ACK BYPASS Flood: Exploits TCP acknowledgment packets to bypass filters.
- SYN Flood: Initiates multiple connection requests to exhaust system resources.
- Valve Source Engine (VSE) Flood: Targets gaming servers using the Valve gaming platform.
- ACK Flood: Similar to ACK BYPASS but uses acknowledgment packets more broadly.
Mechanics of the Malware:
GorillaBot operates by infecting a diverse array of devices, including routers, IoT gadgets, and cloud hosts. It supports multiple CPU architectures such as ARM, MIPS, x86_64, and x86, allowing it to compromise a wide range of systems. Upon execution, the malware connects to one of five predefined command-and-control (C2) servers to receive instructions.
- Service Installation: It creates a service file named custom.service in the /etc/systemd/system/ directory to ensure it runs at system startup.
- Script Execution: The malware downloads and executes a shell script (lol.sh) from a remote server, embedding commands in system files like /etc/inittab, /etc/profile, and /boot/bootcmd to maintain its presence.
- Anti-Honeypot Measures: GorillaBot includes checks to detect and avoid analysis environments, such as verifying the existence of the /proc filesystem, a common feature in honeypots.
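The persistence artifacts listed above (the custom.service unit, the lol.sh script, and the startup files it is written into) are concrete enough to check for on a host. The following script is an added example written for this advisory, not code from the advisory's sources or from the malware: it looks for the unit file and for references to the script name in the named startup files. The root parameter and the build_sample_tree helper exist only so the check can be exercised against a constructed directory tree; on a live host it would be called with root="/".

```python
"""Host check for the GorillaBot persistence artifacts named in the advisory.

Added illustration, not code from the advisory or its sources. The artifact
names come from the advisory text; the sample directory tree is constructed
here purely for demonstration.
"""
import os
import re
import tempfile

# Artifacts taken from the advisory text.
SERVICE_UNIT = "etc/systemd/system/custom.service"
SCRIPT_NAME = "lol.sh"
STARTUP_FILES = ("etc/inittab", "etc/profile", "boot/bootcmd")


def check_host(root="/"):
    """Return a dict of findings; an empty dict means no artifact was found.

    Keys are the artifact paths (relative to root); for startup files the value
    is the list of 1-based line numbers that reference the script name.
    """
    findings = {}
    unit = os.path.join(root, SERVICE_UNIT)
    if os.path.isfile(unit):
        findings["service_unit"] = unit
    pattern = re.compile(re.escape(SCRIPT_NAME))
    for rel in STARTUP_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                hits = [n for n, line in enumerate(fh, 1) if pattern.search(line)]
        except OSError:
            continue  # unreadable file: skip rather than abort the whole sweep
        if hits:
            findings[rel] = hits
    return findings


def build_sample_tree():
    """Constructed tree imitating an infected host (demonstration only)."""
    root = tempfile.mkdtemp()
    samples = {
        SERVICE_UNIT: "[Service]\nExecStart=/tmp/lol.sh\n",
        "etc/inittab": "id:3:initdefault:\n::sysinit:/tmp/lol.sh\n",
        "etc/profile": "export PATH=/usr/bin\n",  # clean file, must not be flagged
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


def build_clean_tree():
    """Constructed empty tree standing in for an uninfected host."""
    return tempfile.mkdtemp()


if __name__ == "__main__":
    for key, value in check_host(build_sample_tree()).items():
        print(f"{key}: {value}")
```

The check is deliberately limited to the artifacts the advisory names; a real sweep would also compare the unit file's contents and the referenced script against known-good baselines rather than stopping at presence.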
IV. MITRE ATT&CK Tactics and Techniques
- Initial Access (T1071.001): Gained via phishing emails, malicious browser extensions, and exploit kits.
- Persistence (T1053.005): Uses scheduled tasks and rootkits to maintain long-term control of infected systems.
- Credential Access (T1110.003): Conducts large-scale credential stuffing and brute-force attacks.
- Command and Control (T1095): Employs encrypted channels for stealthy communications with C2 servers.
- Impact (T1498.001): Executes DDoS attacks to disrupt business operations.
V. Recommendations
To mitigate the risk of Gorilla Bot infections, organizations and individuals should implement the following security measures:
Network and Infrastructure Security
- Deploy Web Application Firewalls (WAF) to block automated bot traffic.
- Enable rate-limiting to prevent excessive login attempts.
- Implement multi-factor authentication (MFA) on all critical accounts.
- Regularly update software and patch known vulnerabilities.
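The rate-limiting recommendation above is most effective against credential stuffing when attempts are counted on more than one key. The class below is an added example, not code from the advisory or from any product it mentions: a sliding-window limiter that counts login attempts per source IP and per target account, so a single address cycling through many accounts and many addresses hammering one account are both throttled. The clock is injected (the FakeClock and simulate helpers are part of this example) so the behaviour can be reproduced deterministically.

```python
"""Sliding-window login rate limiter keyed on both source IP and account.

Added example for the advisory's rate-limiting recommendation; not code from
the advisory. Limits and window size are illustrative values.
"""
import time
from collections import deque


class LoginRateLimiter:
    def __init__(self, max_per_ip=20, max_per_account=5, window_s=60, clock=None):
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self.window_s = window_s
        self.clock = clock or time.monotonic
        self._ip = {}        # ip -> deque of accepted attempt timestamps
        self._account = {}   # username -> deque of accepted attempt timestamps

    def _prune(self, dq, now):
        # Drop timestamps that have aged out of the window.
        while dq and now - dq[0] >= self.window_s:
            dq.popleft()

    def allow(self, ip, username):
        """Return True if the attempt may proceed, False if it is throttled."""
        now = self.clock()
        ip_dq = self._ip.setdefault(ip, deque())
        acct_dq = self._account.setdefault(username, deque())
        self._prune(ip_dq, now)
        self._prune(acct_dq, now)
        if len(ip_dq) >= self.max_per_ip or len(acct_dq) >= self.max_per_account:
            return False
        ip_dq.append(now)
        acct_dq.append(now)
        return True


class FakeClock:
    """Deterministic clock for the simulation below (demonstration only)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Replay two constructed attack shapes and one post-window retry."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_per_ip=20, max_per_account=5, window_s=60, clock=clock)
    # One address trying 100 different accounts in a burst (credential stuffing).
    single_source = sum(limiter.allow("203.0.113.7", f"user{i}") for i in range(100))
    # Fifty addresses all trying the same account.
    distributed = sum(limiter.allow(f"198.51.100.{i}", "admin") for i in range(50))
    # After the window has passed, the first address is allowed again.
    clock.t += 61
    after_window = limiter.allow("203.0.113.7", "user0")
    return {
        "single_source_allowed": single_source,
        "distributed_allowed": distributed,
        "allowed_after_window": after_window,
    }


if __name__ == "__main__":
    print(simulate())
```

Throttled attempts are not added to the window here, so a legitimate user is not locked out longer by an attacker's rejected traffic; a stricter deployment could count rejections as well.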
User Awareness and Training
- Conduct phishing awareness training to recognize suspicious emails.
- Warn employees about the risks of using reused passwords across services.
Threat Detection and Monitoring
- Monitor logs for unusual login attempts and API abuse.
- Employ behavioral analysis tools to detect automated bot activity.
- Use IP reputation services to block known malicious addresses.
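To make the log-monitoring recommendation concrete, the following is an added example (not code from the advisory) that parses OpenSSH-style "Failed password" lines and aggregates them on two axes: a source address that fails against many distinct accounts, and an account that fails from many distinct addresses. The log lines are constructed for the demonstration; the thresholds are illustrative.

```python
"""Credential-stuffing detection over authentication log lines.

Added example for the advisory's monitoring recommendation; not code from the
advisory. SAMPLE_LOG is constructed; addresses are documentation ranges.
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: one address cycling through accounts, three addresses
# sharing one target account, and one ordinary mistyped password.
SAMPLE_LOG = [
    "Mar  1 10:00:01 web1 sshd[2101]: Failed password for invalid user alice from 203.0.113.7 port 50211 ssh2",
    "Mar  1 10:00:02 web1 sshd[2102]: Failed password for invalid user bob from 203.0.113.7 port 50212 ssh2",
    "Mar  1 10:00:02 web1 sshd[2103]: Failed password for carol from 203.0.113.7 port 50213 ssh2",
    "Mar  1 10:00:03 web1 sshd[2104]: Failed password for invalid user dave from 203.0.113.7 port 50214 ssh2",
    "Mar  1 10:00:03 web1 sshd[2105]: Failed password for erin from 203.0.113.7 port 50215 ssh2",
    "Mar  1 10:00:04 web1 sshd[2106]: Failed password for invalid user frank from 203.0.113.7 port 50216 ssh2",
    "Mar  1 10:01:10 web1 sshd[2110]: Failed password for admin from 198.51.100.11 port 40001 ssh2",
    "Mar  1 10:01:11 web1 sshd[2111]: Failed password for admin from 198.51.100.12 port 40002 ssh2",
    "Mar  1 10:01:12 web1 sshd[2112]: Failed password for admin from 198.51.100.13 port 40003 ssh2",
    "Mar  1 10:02:30 web1 sshd[2120]: Failed password for alice from 10.0.0.2 port 51000 ssh2",
    "Mar  1 10:02:35 web1 sshd[2121]: Accepted password for alice from 10.0.0.2 port 51000 ssh2",
]


def parse_failures(lines):
    """Return a list of (ip, user) tuples for every failed-login line."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user")))
    return out


def detect(lines, min_users_per_ip=5, min_ips_per_user=3):
    """Flag stuffing sources and targeted accounts above the given thresholds."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for ip, user in parse_failures(lines):
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    return {
        "stuffing_sources": sorted(
            ip for ip, users in users_by_ip.items() if len(users) >= min_users_per_ip
        ),
        "targeted_accounts": sorted(
            user for user, ips in ips_by_user.items() if len(ips) >= min_ips_per_user
        ),
    }


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Counting distinct usernames per address, rather than raw failure volume, separates stuffing from a single user who has simply forgotten a password; the single benign failure for alice from 10.0.0.2 is not flagged.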
Incident Response Preparedness
- Establish a response plan for large-scale DDoS attacks.
- Ensure data backups are regularly updated and stored securely.
VI. IOCs (Indicators of Compromise)
Suspicious IP Addresses:
- 193[.]143[.]1[.]70 (C2 server)
- 193[.]143[.]1[.]59 (C2 server)
Malicious Domains:
- gorillabot[.]net
- auth-bypass[.]cc
- datastealer[.]ru
File Hashes (SHA-256):
- e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- 1f3870be274f6c49b3e31a0c6728957f6c5d7d17b22f0a073b3e3b8e7f23b07f
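The indicators above are defanged for safe publication and must be refanged before they are loaded into a matching tool. The script below is an added example, not code from the advisory: it refangs the IP and domain indicators, matches them against constructed log lines (including a subdomain of a listed domain and a look-alike that must not match), and vets each hash indicator against the SHA-256 digest of empty input, a well-known value that matches every zero-byte file and would generate false positives if deployed as-is. The log lines and file digests are constructed; the IOC values are copied from this advisory.

```python
"""Refang and match the advisory's IOCs against constructed data.

Added example, not code from the advisory. IOC values are copied from the
advisory; SAMPLE_LOG and SAMPLE_FILES are constructed for the demonstration.
"""
import hashlib
import re

# IOCs exactly as listed in the advisory (defanged).
IOC_IPS = ["193[.]143[.]1[.]70", "193[.]143[.]1[.]59"]
IOC_DOMAINS = ["gorillabot[.]net", "auth-bypass[.]cc", "datastealer[.]ru"]
IOC_SHA256 = [
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "1f3870be274f6c49b3e31a0c6728957f6c5d7d17b22f0a073b3e3b8e7f23b07f",
]

# SHA-256 of zero bytes: any zero-byte file hashes to this value.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed log lines: a benign lookup, a subdomain of a listed domain,
# a connection to a listed C2 address, and a look-alike that must not match.
SAMPLE_LOG = [
    "2025-03-01T10:00:01Z proxy allow 10.0.0.5 -> update.example.com:443",
    "2025-03-01T10:00:07Z dns query 10.0.0.9 cdn.gorillabot.net A",
    "2025-03-01T10:00:12Z fw drop 10.0.0.9 -> 193.143.1.70:4444",
    "2025-03-01T10:00:20Z dns query 10.0.0.5 notgorillabot.net A",
]

# Constructed file digests, as a hash-scanning agent might report them.
SAMPLE_FILES = {
    "/tmp/.x/empty.bin": EMPTY_SHA256,
    "/tmp/.x/payload": IOC_SHA256[1],
    "/usr/bin/true": "0" * 64,
}


def refang(value):
    """Turn 'a[.]b' and 'hxxp' style defanging back into a matchable string."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http").lower()


def vet_hashes(hashes):
    """Split hashes into (usable, rejected); the empty-input digest is rejected."""
    usable, rejected = [], []
    for h in hashes:
        (rejected if h.lower() == EMPTY_SHA256 else usable).append(h.lower())
    return usable, rejected


def scan_lines(lines, ips, domains):
    """Return [(line_no, kind, value)] for every IP or domain IOC hit."""
    ip_set = {refang(i) for i in ips}
    dom_set = {refang(d) for d in domains}
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ip_set:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            # Match the domain itself or any subdomain; reject look-alikes.
            if any(host == d or host.endswith("." + d) for d in dom_set):
                hits.append((n, "domain", host))
    return hits


def match_files(file_digests, hashes):
    """Return paths whose digest is in the vetted hash list."""
    usable, _ = vet_hashes(hashes)
    wanted = set(usable)
    return sorted(path for path, digest in file_digests.items() if digest.lower() in wanted)


if __name__ == "__main__":
    print(scan_lines(SAMPLE_LOG, IOC_IPS, IOC_DOMAINS))
    print(vet_hashes(IOC_SHA256))
    print(match_files(SAMPLE_FILES, IOC_SHA256))
```

The suffix check in scan_lines is what keeps notgorillabot.net from matching while cdn.gorillabot.net does; and because the first listed hash equals the empty-input digest, vet_hashes rejects it so that empty.bin is not reported.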
VII. Additional OSINT Information
- Gorilla Bot operators actively recruit on underground forums using aliases such as “ShadowKing” and “BotMasterX.”
- The malware is frequently distributed through cracked software downloads and malicious browser extensions.
- Security researchers have linked Gorilla Bot’s infrastructure to past cybercrime operations, including ransomware deployment and data exfiltration schemes.
VIII. References
https://www.thousandguards.com/post/gorilla-strength-denial-of-service-for-work-and-play-industries
https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html
https://www.darkreading.com/cyberattacks-data-breaches/gorillabot-goes-ape-cyberattacks-worldwide
https://seniortechinfo.com/gorilla-botnet-launches-300k-ddos-attacks-in-100-countries/
Threat Advisory created by The Cyber Florida Security Operations Center.
Contributing Security Analysts: Nahyan Jamil
To learn more about Cyber Florida visit: www.cyberflorida.org