Beware Of Zergeca Botnet with Scanning & Persistence Features


A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart from typical Distributed Denial of Service (DDoS) botnets.

Discovered by the XLab Cyber Threat Insight Analysis (CTIA) system on May 20, 2024, Zergeca has already demonstrated its potential to cause significant disruption.

This article delves into the intricate details of Zergeca, its functionalities, and its implications for cybersecurity.

Discovery and Initial Analysis

On May 20, 2024, while many were celebrating a holiday, the XLab CTIA system captured a suspicious ELF file located at /usr/bin/geomi.

This file, packed with a modified UPX and uploaded from Russia to VirusTotal, initially evaded detection by antivirus engines.

Later that evening, another Geomi file with the same UPX magic number was uploaded from Germany.

The multi-country uploads and the modified UPX packer raised red flags, prompting further investigation.

Zergeca’s Capabilities

Upon analysis, it was confirmed that Zergeca is a botnet implemented in Golang.

The botnet’s name, Zergeca, is inspired by the swarming Zerg in StarCraft, reflecting its aggressive and expansive nature.


Zergeca is not just a typical DDoS botnet; it supports six different attack methods and boasts additional capabilities such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information.

Unique Network Communication Features

From a network communication perspective, Zergeca exhibits several unique features:

  • Multiple DNS Resolution Methods: Prioritizes DNS over HTTPS (DOH) for Command and Control (C2) resolution.
  • Smux Library: Utilizes the uncommon Smux library for C2 communication protocol, encrypted via XOR.

During the investigation, it was discovered that Zergeca’s C2 IP address, 84.54.51.82, had been serving at least two Mirai botnets since September 2023.

This suggests that the author behind Zergeca accumulated experience operating Mirai botnets before creating Zergeca.

The primary methods used by 84.54.51.82 to propagate samples include exploiting Telnet weak passwords and specific known vulnerabilities such as CVE-2022-35733 and CVE-2018-10562.

DDoS Statistics and Targets

From early to mid-June 2024, Zergeca primarily targeted regions such as Canada, the United States, and Germany.

The main type of attack was ackFlood (atk_4), with victims distributed across multiple countries and different Autonomous System Numbers (ASNs).

Zergeca botnet primarily targeted regions such as Canada, the United States, and Germany

The reverse analysis of Zergeca revealed that the botnet is designed for the x86-64 CPU architecture and targets the Linux platform.

The presence of strings like “android,” “darwin,” and “windows” in the samples, along with Golang’s inherent cross-platform capabilities, suggests that the author may eventually aim for full platform support.

Zergeca achieves persistence on compromised devices by adding a system service named geomi.service.

This service ensures that the Zergeca sample automatically generates a new geomi process if the device restarts or the process is terminated.
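An added triage routine, not part of the original report or of XLab's tooling, that checks an offline-mounted root for the two persistence artefacts the article names (the /usr/bin/geomi binary and a geomi.service unit) and reports the unit's ExecStart and Restart directives; the unit directories searched and the sample fixture are assumptions made here.

```python
import tempfile
from pathlib import Path

# Indicators from the article; the directory list is an assumed triage layout.
BINARY_NAME = "geomi"
UNIT_NAME = "geomi.service"
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")

def parse_unit(text: str) -> dict:
    """Tiny systemd unit parser: Key=Value directives, later keys overwrite earlier ones."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip()] = value.strip()
    return directives

def check_persistence(root: str) -> list:
    """Walk a (possibly offline-mounted) root and report Zergeca-style persistence artefacts."""
    root_path = Path(root)
    findings = []
    if (root_path / "usr/bin" / BINARY_NAME).exists():
        findings.append(f"binary present: /usr/bin/{BINARY_NAME}")
    for unit_dir in UNIT_DIRS:
        unit_dir_path = root_path / unit_dir
        if not unit_dir_path.is_dir():
            continue
        for unit in sorted(unit_dir_path.glob("*.service")):
            directives = parse_unit(unit.read_text(errors="replace"))
            exec_start = directives.get("ExecStart", "")
            # Match the known unit name, or any unit that launches the geomi binary under another name.
            if unit.name == UNIT_NAME or BINARY_NAME in exec_start:
                restart = directives.get("Restart", "no")
                findings.append(f"unit /{unit_dir}/{unit.name}: ExecStart={exec_start} Restart={restart}")
    return findings

def make_sample_root() -> str:
    """Constructed fixture (not a real infection): a fake root containing both artefacts."""
    root = Path(tempfile.mkdtemp())
    (root / "usr/bin").mkdir(parents=True)
    (root / "usr/bin" / BINARY_NAME).write_bytes(b"")
    units = root / "etc/systemd/system"
    units.mkdir(parents=True)
    (units / UNIT_NAME).write_text("[Unit]\nDescription=geomi\n\n[Service]\nExecStart=/usr/bin/geomi\n"
                                   "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n")
    return str(root)

if __name__ == "__main__":
    for finding in check_persistence(make_sample_root()):
        print(finding)
```

Run it against "/" on a live host or against the mount point of a disk image; a Restart=always unit that launches the binary is the respawn behaviour the article describes.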

String Decryption and Communication Protocol

Zergeca uses XOR encryption for many sensitive strings.

The XOR key is initially set to EC 22 2B A9 F3 DD, but only the first six bytes are used.

The decryption process can be automated by identifying specific patterns in the decryption-related code blocks, restoring all encrypted strings efficiently.
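An added analysis helper, not XLab's tooling or code from the sample, that applies the 6-byte repeating XOR key quoted above and then scans an arbitrary blob for strings encrypted with it by restarting the key phase at every offset; the sample blob is constructed here, not taken from a real Zergeca binary.

```python
# Key as quoted in the article; everything below is an added example.
KEY = bytes.fromhex("EC222BA9F3DD")

def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; applying it twice returns the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decrypt_at(blob: bytes, offset: int, length: int) -> str:
    """Decrypt one string whose offset/length were lifted from a decryption code block."""
    return xor_bytes(blob[offset:offset + length]).decode("ascii", errors="replace")

def recover_strings(blob: bytes, min_len: int = 6) -> list:
    """Brute-force scan: from every offset, restart the key phase and keep any run of
    printable ASCII at least min_len bytes long. Returns (offset, text) pairs."""
    found, i = [], 0
    while i < len(blob):
        run = bytearray()
        j = i
        while j < len(blob):
            c = blob[j] ^ KEY[(j - i) % len(KEY)]
            if 0x20 <= c < 0x7F:
                run.append(c)
                j += 1
            else:
                break
        if len(run) >= min_len:
            found.append((i, run.decode("ascii")))
            i = j          # skip past the recovered string
        else:
            i += 1
    return found

# Constructed sample blob (not a real Zergeca section): two encrypted strings separated by
# filler bytes chosen so they do not decode to printable ASCII at the key phase they land on.
SAMPLE_BLOB = (bytes([0xEC]) + xor_bytes(b"geomi.service")
               + bytes([0x22]) + xor_bytes(b"/usr/bin/geomi") + bytes([0x2B]))

if __name__ == "__main__":
    for offset, text in recover_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}: {text}")
```

On a real unpacked sample, feed the .rodata or .data section bytes to recover_strings and expect false positives from genuinely random data, which is why min_len should be raised for large inputs.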

Zergeca uses Smux for Bot-C2 communication. Smux (Simple MUltipleXing) is a Golang multiplexing library that relies on underlying connections like TCP or KCP for reliability and ordering, providing stream-oriented multiplexing.

Silivaccine Module

To monopolize the device, Zergeca includes a list of competitor threats, covering miners, backdoor trojans, botnets, and more.

Zergeca continuously monitors the system and terminates any process whose name or runtime parameters match those on the list, deleting the corresponding binary files.

OZI.A COM.UFO.MINER KINSING KTHREADDI
kaiten srv00 meminitsrv .javae
solr.sh monerohash minexmr c3pool
crypto-pool.fr f2pool.com xmrpool.eu ………

Zombie Module

Zergeca resolves the C2 IP address using the geomi_common_utils_Resolve function, which supports four resolvers: Public DNS, Local DNS, DoH, and OpenNIC.

After obtaining the C2 IP, the bot reports sensitive device information to the C2 and awaits commands, supporting six types of DDoS attacks, scanning, reverse shell, and other functions.

The discovery of Zergeca highlights botnets’ continuous evolution and increasing sophistication.

With its advanced scanning, persistence features, and multi-functional capabilities, Zergeca poses a significant cybersecurity threat.

Cybersecurity professionals must stay vigilant and proactive in identifying and mitigating such threats as the botnet continues to develop.

IOC


Domain

ootheca.pw
ootheca.top
bot.hamsterrace.space

IP

84.54.51.82 (The Netherlands; AS202685, Aggros Operations Ltd.)
