A new botnet known as Zergeca has recently surfaced, demonstrating advanced capabilities that distinguish it from the typical Distributed Denial of Service (DDoS) botnets. Discovered by the XLab Cyber Threat Insight Analysis (CTIA) system on May 20, 2024, Zergeca has already exhibited the potential to cause significant disruptions in the cybersecurity landscape.
Zergeca first came to light when the XLab CTIA system flagged a suspicious ELF file at /usr/bin/geomi on May 20, 2024. The file was packed with a modified UPX, had been uploaded from Russia, and initially evaded detection by conventional antivirus engines. Later that day, another Geomi file carrying the same modified UPX magic number was uploaded from Germany. The cross-country uploads and the non-standard UPX packer together raised suspicion and prompted closer scrutiny.
Upon closer analysis, it was confirmed that Zergeca is a botnet developed in Golang. The botnet’s name, Zergeca, draws inspiration from the swarming Zerg in StarCraft, indicating its aggressive and expansive nature. Zergeca sets itself apart from traditional DDoS botnets by supporting six distinct attack methods and boasting additional functionalities such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and the collection of sensitive device information.
From a network communication standpoint, Zergeca shows some unusual choices: it supports multiple DNS resolution methods and prefers DNS over HTTPS (DoH) when resolving its Command and Control (C2) address. For the C2 channel itself it uses the uncommon Smux multiplexing library, with XOR encryption applied to obscure the traffic.
Further investigation into Zergeca uncovered that its C2 IP address, 84.54.51.82, had been associated with at least two Mirai botnets since September 2023. This suggests that the creator of Zergeca likely possessed experience in operating Mirai botnets before developing Zergeca. The primary methods used by the C2 IP address to propagate samples include exploiting Telnet weak passwords and specific known vulnerabilities like CVE-2022-35733 and CVE-2018-10562.
Throughout early to mid-June 2024, Zergeca predominantly targeted regions such as Canada, the United States, and Germany, with ackFlood (atk_4) being the main type of attack employed. Victims of these attacks were spread across different countries and Autonomous System Numbers (ASNs). The reverse analysis of Zergeca revealed that the botnet is tailored for the x86-64 CPU architecture and specifically targets the Linux platform. The presence of strings related to “android,” “darwin,” and “windows” in the samples indicates the potential for future platform support.
In terms of implementation, Zergeca XOR-encrypts its sensitive strings; the analysts automated the decryption by pattern-matching the code blocks that perform it. For Bot-C2 communication the botnet uses Smux, a Golang multiplexing library that provides stream-oriented multiplexing over an underlying connection such as TCP or KCP.
To ensure device monopolization, Zergeca includes a “Silivaccine Module” that monitors the system for competitor threats such as miners, backdoor trojans, and botnets, terminating any processes or deleting binary files that align with the specified threat list. Additionally, the botnet incorporates a “Zombie Module” that resolves the C2 IP address using various resolvers and reports sensitive device information to the C2, supporting a range of functions including DDoS attacks, scanning, reverse shell, and more.
The discovery of Zergeca underscores the continual evolution and increasing sophistication of botnets in the cybersecurity landscape. With its advanced functionalities and multi-faceted capabilities, Zergeca presents a significant cybersecurity threat that necessitates proactive vigilance from cybersecurity professionals to identify and mitigate such risks as the botnet evolves further.
A thorough understanding of the IOCs (Indicators of Compromise) associated with Zergeca, including sample hashes, domains, and IP addresses, is crucial for enhancing cybersecurity defenses and safeguarding against potential botnet attacks. The ever-evolving nature of botnets like Zergeca reinforces the importance of ongoing security measures and preemptive strategies in combating cyber threats in an increasingly complex digital landscape.
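As a worked illustration of putting the article's host indicators to use, the following Python helper (added here; not code from XLab or from the botnet) checks an `ss -tnp` listing for connections to the C2 address 84.54.51.82, reports whether /usr/bin/geomi exists and its SHA-256, and applies a heuristic for the modified-UPX trick: a stock UPX build leaves both its copyright banner and the "UPX!" marker in the file, so a sample that keeps the banner but lacks the marker has most likely had its magic patched. The `ss` output embedded below is constructed, not a real capture, and the banner fragment and column layout are assumptions about standard tooling.

```python
import hashlib
from pathlib import Path

GEOMI_PATH = "/usr/bin/geomi"          # dropped sample path named in the article
C2_IP = "84.54.51.82"                  # C2 address named in the article
UPX_MAGIC = b"UPX!"                    # marker a stock UPX build writes
UPX_BANNER = b"UPX executable packer"  # fragment of the stock UPX banner (assumed)


def c2_connections(ss_output: str) -> list:
    """Return lines of `ss -tnp` output whose peer address is the C2 IP."""
    hits = []
    for line in ss_output.splitlines():
        cols = line.split()
        # ss -tnp columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        if len(cols) >= 5 and cols[4].rsplit(":", 1)[0] == C2_IP:
            hits.append(line.strip())
    return hits


def upx_status(data: bytes) -> str:
    """Classify a binary: 'not-elf', 'no-upx', 'upx', or 'upx-modified-magic'."""
    if data[:4] != b"\x7fELF":
        return "not-elf"
    if UPX_MAGIC in data:
        return "upx"
    if UPX_BANNER in data:
        return "upx-modified-magic"  # banner survived, marker was patched out
    return "no-upx"


def triage_host(ss_output: str, geomi_path: str = GEOMI_PATH) -> dict:
    """Read-only host check combining the socket and file indicators."""
    report = {"c2_connections": c2_connections(ss_output),
              "geomi_present": False, "geomi_sha256": None, "geomi_packing": None}
    p = Path(geomi_path)
    if p.is_file():
        data = p.read_bytes()
        report.update(geomi_present=True,
                      geomi_sha256=hashlib.sha256(data).hexdigest(),
                      geomi_packing=upx_status(data))
    return report


# Constructed sample `ss -tnp` output (not a real capture) for a dry run.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41222 84.54.51.82:443 users:(("geomi",pid=4242,fd=7))
ESTAB 0 0 10.0.0.5:53120 198.51.100.7:443 users:(("curl",pid=77,fd=3))
"""

if __name__ == "__main__":
    print(triage_host(SAMPLE_SS))
```

Run it on a live host after capturing `ss -tnp` output; it never modifies files or kills processes, so it is safe as a first-pass check before deeper forensics.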