A New Face of an Old Threat
GorillaBot reuses significant portions of Mirai's original code but introduces its own enhancements, including custom encryption schemes, raw TCP communication, and advanced anti-analysis techniques.
It stands out for its ability to evade detection in containerized environments and honeypots, making it a more elusive threat than its predecessors.
Key Takeaways from the Analysis
· Built on Mirai code: GorillaBot heavily reuses core logic from Mirai while introducing its own improvements.
· Advanced C2 communication: Utilizes raw TCP sockets and a custom XTEA-like cipher for encrypting server addresses and communication.
· Authentication mechanism: Combines a decrypted hardcoded array and a server-provided magic value, then hashes it with SHA-256 for authentication.
· Evasion techniques: Performs environment checks to avoid honeypots and Kubernetes containers, exiting immediately if detected.
· Anti-debugging behavior: Uses TracerPid checks and SIGTRAP handling to avoid analysis tools.
· Obfuscation tactics: Encrypts internal configuration using a Caesar cipher and a custom block cipher.
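The takeaways above mention that server addresses are protected with an XTEA-like cipher. The following added example (not code from the ANY.RUN blog or from the GorillaBot sample) shows the kind of helper an analyst writes to recover such strings from a configuration once the key has been located: a standard, textbook XTEA (64-bit block, 128-bit key, 32 rounds) with a thin layer for NUL-padded strings. The key, the "server address" plaintext and the little-endian word layout are constructed assumptions for this example; GorillaBot's cipher is only described as XTEA-like, so its constants, round count or word order may differ and would need to be read from the sample.

```python
"""Textbook XTEA plus a string wrapper, as used when extracting encrypted
strings from a malware configuration.

Everything below is a constructed example: the key and the plaintext are
made up, and little-endian 32-bit words are assumed. GorillaBot's actual
"XTEA-like" cipher may deviate from this reference version.
"""
import struct

DELTA = 0x9E3779B9          # standard XTEA/TEA constant
MASK = 0xFFFFFFFF           # keeps Python ints at 32 bits


def _key_words(key: bytes):
    """Split a 16-byte key into four little-endian 32-bit words."""
    if len(key) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return struct.unpack("<4I", key)


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Encrypt one 8-byte block with the reference XTEA round function."""
    k = _key_words(key)
    v0, v1 = struct.unpack("<2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Invert xtea_encrypt_block: run the rounds backwards from the final sum."""
    k = _key_words(key)
    v0, v1 = struct.unpack("<2I", block)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_encrypt_string(text: str, key: bytes) -> bytes:
    """NUL-pad an ASCII string to a multiple of 8 bytes and encrypt block by block (ECB)."""
    data = text.encode("ascii")
    data += b"\x00" * (-len(data) % 8)
    return b"".join(xtea_encrypt_block(data[i:i + 8], key) for i in range(0, len(data), 8))


def xtea_decrypt_string(blob: bytes, key: bytes) -> str:
    """Decrypt an 8-byte-aligned blob and strip the NUL padding to get the string back."""
    if len(blob) % 8:
        raise ValueError("ciphertext length must be a multiple of 8 bytes")
    plain = b"".join(xtea_decrypt_block(blob[i:i + 8], key) for i in range(0, len(blob), 8))
    return plain.rstrip(b"\x00").decode("ascii")


# Constructed sample values (not real indicators): a dummy key and a dummy
# server address in the reserved .invalid TLD.
SAMPLE_KEY = bytes(range(16))
SAMPLE_ADDRESS = "c2.example.invalid:1337"


def demo_round_trip() -> str:
    """Encrypt the sample address and recover it again; returns the recovered string."""
    blob = xtea_encrypt_string(SAMPLE_ADDRESS, SAMPLE_KEY)
    return xtea_decrypt_string(blob, SAMPLE_KEY)


if __name__ == "__main__":
    encrypted = xtea_encrypt_string(SAMPLE_ADDRESS, SAMPLE_KEY)
    print("ciphertext:", encrypted.hex())
    print("recovered: ", xtea_decrypt_string(encrypted, SAMPLE_KEY))
```

In practice the analyst replaces SAMPLE_KEY with the key material recovered from the binary and adjusts the word order, round count or delta if the sample's variant differs from the reference algorithm; a wrong guess at any of those produces garbage rather than a readable address, which is itself a useful signal that the variant deviates.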
To explore the full technical breakdown of GorillaBot, including behavior analysis, code insights, and relevant IOCs, visit the ANY.RUN blog.
About ANY.RUN
ANY.RUN is a cloud-based cybersecurity platform used by over 500,000 professionals worldwide. It offers an interactive malware sandbox along with powerful threat intelligence capabilities, enabling real-time behavioral analysis across Windows, Linux, and Android environments. From dynamic analysis to uncovering IOCs and tracking threat actors, ANY.RUN helps security teams investigate threats faster, collaborate more effectively, and stay ahead of emerging malware.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050