Cybersecurity Experts Warns Of New Zergeca Botnet

The Zergeca botnet originated on May 20, 2024, when XLab's CTIA system flagged a suspicious ELF file named "geomi" from Russia.

by Ashish Khaitan July 5, 2024

Share on LinkedInShare on Twitter

A new DDoS botnet has emerged on the internet: the Zergeca botnet. This sophisticated threat, written in Golang, has garnered attention for its capabilities in orchestrating distributed denial-of-service (DDoS) attacks.

Named after the term “ootheca” found in its command-and-control (C2) infrastructure (specifically “ootheca[.]pw” and “ootheca[.]top”), Zergeca represents more than just a typical DDoS botnet. According to a recent report from QiAnXin XLab, the Zergeca botnet boasts a wide array of functionalities beyond DDoS attacks, including proxying, scanning, self-upgrading, file transfer, reverse shell, and even the collection of sensitive device information.

Decoding the Rise of Zergeca Botnet and its Features

The genesis of the Zergeca botnet dates back to May 20, 2024, when XLab’s CTIA system first detected a suspicious ELF file named “geomi” originating from Russia. This file, initially overlooked by antivirus engines on VirusTotal, was later found to be part of the newly identified botnet. Subsequent uploads of similar files from different countries, including Germany, highlighted the botnet’s rapid spread and evolution.

One of the distinguishing features of Zergeca is its use of the Golang programming language, known for its cross-platform capabilities and efficiency in handling complex network operations. This choice, coupled with its incorporation of advanced evasion techniques like DNS over HTTPS (DoH) for C2 resolution and the Smux library for encrypted communication, highlights the sophistication of its design.

Zergeca Botnet Shares IP with Mirai Botnets

QiAnXin XLab’s investigation revealed that Zergeca’s C2 infrastructure shares IP addresses previously associated with Mirai botnets, suggesting a lineage of evolving expertise in botnet operations. Furthermore, the botnet’s development is ongoing, with frequent updates and enhancements observed in recent samples captured by XLab’s monitoring systems.

From a cybersecurity standpoint, detecting and mitigating Zergeca poses significant challenges. Its samples exhibit varying detection rates across antivirus platforms, largely due to frequent hash changes that evade traditional signature-based detection methods. This dynamic nature, combined with its ability to leverage multiple DNS resolution methods and encryption protocols, makes Zergeca a formidable adversary in the hands of cybercriminals.

The botnet’s operational reach has already been felt across multiple regions, including Canada, the United States, and Germany, where it has primarily targeted DDoS attacks using vectors like ackFlood and synFlood. These attacks highlight Zergeca’s potential to disrupt critical online services and infrastructure, posing serious implications for cybersecurity worldwide.

As cybersecurity researchers continue to unravel the complexities of Zergeca, collaborations and information sharing among industry peers remain crucial. Organizations like QiAnXin XLab are at the forefront, providing essential intelligence to safeguard against emerging cyber threats. Vigilance and proactive defense measures are crucial to mitigate the impact of such sophisticated botnets in the cybersecurity domain.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button