A new DDoS botnet known as the Zergeca botnet has recently emerged, sparking concerns within the cybersecurity community due to its advanced capabilities. This botnet, developed using the Golang programming language, has garnered attention for its ability to orchestrate distributed denial-of-service attacks, among other functionalities.
Named after the term “ootheca” found in its command-and-control infrastructure, specifically “ootheca[.]pw” and “ootheca[.]top,” the Zergeca botnet boasts a range of features beyond typical DDoS attacks. According to a report from QiAnXin XLab, the botnet is capable of proxying, scanning, self-upgrading, file transfer, reverse shell, and collecting sensitive device information.
The genesis of the Zergeca botnet can be traced back to May 20, 2024, when XLab’s CTIA system first detected a suspicious ELF file named “geomi” originating from Russia. Despite being initially overlooked by antivirus engines on VirusTotal, further analysis revealed its association with the newly identified botnet. Subsequent uploads of similar files from different countries, including Germany, indicated the rapid spread and evolution of the botnet.
One of the notable features of the Zergeca botnet is its use of the Golang programming language, known for its efficiency in handling complex network operations. Coupled with advanced evasion techniques such as DNS over HTTPS for C2 resolution and encrypted communication using the Smux library, the botnet showcases a high level of sophistication in its design.
A key discovery made during QiAnXin XLab’s investigation was the sharing of IP addresses between Zergeca’s C2 infrastructure and Mirai botnets, suggesting a lineage of evolving expertise in botnet operations. Furthermore, the botnet’s ongoing development is evident through frequent updates and enhancements observed in recent samples captured by monitoring systems.
Detecting and mitigating the Zergeca botnet is difficult. Its samples show inconsistent detection rates across antivirus engines because every new build carries a different file hash, so signature-based detection keyed on hashes quickly falls out of date. Its use of several DNS resolution methods and of encrypted C2 communication further complicates network-based detection, making it a formidable tool in the hands of cybercriminals.
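Because the file hashes change from build to build, defenders tend to fall back on network indicators. As an added illustration that is not part of the article or the XLab report, the Python sketch below checks constructed DNS and TLS-SNI log lines against the two C2 domains named above (refanged from their `ootheca[.]pw` form) and also flags DNS-over-HTTPS connections to public resolvers from hosts that are not on an allowlist, which is the resolution method the article describes. The resolver watchlist, the allowlist, the log format and the sample lines are all assumptions made for the example.

```python
"""Detection sketch: flag DNS and TLS-SNI log events that touch the Zergeca
C2 domains named in the article, plus DNS-over-HTTPS resolver use from hosts
that are not expected to use it."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Indicators from the article, kept in defanged form; refang() makes them matchable.
DEFANGED_C2 = ["ootheca[.]pw", "ootheca[.]top"]

# Assumed watchlist of public DoH resolvers; not taken from the report.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Assumed: internal hosts that are allowed to speak DoH (e.g. the site resolver).
DOH_ALLOWED_HOSTS = {"10.0.0.53"}


def refang(indicator: str) -> str:
    """Turn 'ootheca[.]pw' into 'ootheca.pw' (lower-cased, whitespace stripped)."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}


@dataclass
class Alert:
    src: str
    hostname: str
    reason: str


def matches_domain(hostname: str, domains: Set[str]) -> bool:
    """True if hostname equals, or is a subdomain of, any domain in the set."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse the assumed log format '<ts> <src_ip> <dns|tls> <hostname>'.

    'dns' lines carry the queried name, 'tls' lines carry the SNI hostname.
    Returns (src_ip, kind, hostname) or None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4 or parts[2] not in ("dns", "tls"):
        return None
    return parts[1], parts[2], parts[3]


def detect(lines: List[str]) -> List[Alert]:
    """Run both checks over the log lines and return one Alert per hit."""
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, host = parsed
        if matches_domain(host, C2_DOMAINS):
            alerts.append(Alert(src, host, f"{kind} contact with known Zergeca C2 domain"))
        elif kind == "tls" and matches_domain(host, DOH_RESOLVERS) and src not in DOH_ALLOWED_HOSTS:
            alerts.append(Alert(src, host, "DNS-over-HTTPS to public resolver from non-allowlisted host"))
    return alerts


# Constructed sample lines; the timestamps, addresses and benign names are invented.
SAMPLE_LOGS = [
    "2024-05-21T10:00:01Z 10.0.0.5 dns ootheca.pw",
    "2024-05-21T10:00:02Z 10.0.0.5 tls dns.google",
    "2024-05-21T10:00:03Z 10.0.0.53 tls cloudflare-dns.com",
    "2024-05-21T10:00:04Z 10.0.0.7 dns www.example.com",
    "2024-05-21T10:00:05Z 10.0.0.8 tls cdn.ootheca.top",
    "malformed line",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.src} -> {a.hostname}: {a.reason}")
```

Run as written, the script reports three alerts: the direct query for `ootheca.pw`, the DoH connection from the same host to `dns.google`, and the TLS connection to a subdomain of `ootheca.top`; the allowlisted resolver and the benign lookup produce nothing. The DoH check is deliberately a policy check rather than a signature: it tells you which hosts are resolving names outside the channel you can inspect, which is where the C2 lookups described above would otherwise hide.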
The operational impact of the Zergeca botnet has already been felt in Canada, the United States, and Germany, where it has primarily launched DDoS attacks using the ackFlood and synFlood vectors. These attacks underscore the botnet's potential to disrupt critical online services and infrastructure, with serious implications for cybersecurity worldwide.
As cybersecurity researchers continue to delve into the intricacies of the Zergeca botnet, collaboration and information sharing among industry peers remain essential. Organizations like QiAnXin XLab play a crucial role in providing intelligence to defend against emerging cyber threats. Vigilance and proactive defense measures are key to mitigating the impact of sophisticated botnets like Zergeca in the cybersecurity landscape.
