New Botnet ‘Zergeca’ Threatens Cybersecurity Landscape with Advanced DDoS Capabilities
Cybersecurity experts have identified a new botnet named Zergeca, which exhibits significant potential to launch distributed denial-of-service (DDoS) attacks. Written in the Golang programming language, the botnet derives its name from a reference to the term "ootheca," which appears in associated command-and-control (C2) server domains, including "ootheca[.]pw" and "ootheca[.]top."
Unlike typical DDoS botnets, Zergeca stands out for its array of sophisticated features. The cybersecurity research team at QiAnXin XLab reported that Zergeca supports six distinct attack methodologies and includes functionalities such as proxying, scanning, self-upgrading, persistence, file transfer capabilities, reverse shell access, and the ability to gather sensitive device information. This complexity indicates that the creators have designed it not only for disruption but also for versatility in exploitative techniques.
Zergeca uniquely employs DNS-over-HTTPS (DoH) for DNS resolution, enhancing its operational stealth by concealing its C2 communications. Additionally, it utilizes a less commonly deployed library called Smux, facilitating more secure and efficient communication with its control infrastructure. This novel approach illustrates an evolving trend in cyber threats where traditional methods are being replaced by more obscure and secure techniques.
Evidence has emerged suggesting that the Zergeca botnet is under active development, with frequent updates that introduce new commands. Notably, the C2 IP address associated with Zergeca, 84.54.51[.]82, has a concerning history, having been previously linked to operations of the Mirai botnet in September 2023. This suggests that the threat actors behind Zergeca may have leveraged their experience from the Mirai botnet to develop and enhance their current operations.
Recent attacks attributed to Zergeca primarily consist of ACK flood DDoS assaults, which have targeted entities in Canada, Germany, and the United States from early to mid-June 2024. The botnet employs a modular architecture, with four key components—persistence, proxy, silivaccine, and zombie—that bolster its functionality. The persistence module allows the botnet to maintain its presence by adding system services, while the other modules facilitate various operational capabilities including device control and malware management.
The zombie module plays a crucial role in the botnet’s operations, facilitating the reporting of compromised device information back to the C2 and awaiting additional commands. Supporting six types of DDoS attacks, along with functions such as scanning and reverse shell capability, this module exemplifies the botnet’s comprehensive threat potential.
XLab has highlighted that the botnet displays a clear awareness of prevalent threats in Linux environments through its built-in competitor list. The use of techniques such as modified UPX packing, XOR encryption to conceal sensitive strings, and DoH to camouflage C2 resolution indicates a sophisticated understanding of the evasion tactics attackers employ to bypass cybersecurity measures.
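The two detection points a defender can act on from this report are the C2 indicators quoted above (the ootheca[.]pw and ootheca[.]top domains and the 84.54.51[.]82 address) and the DNS-over-HTTPS resolution used to hide C2 lookups. The script below is an added example, not code from the article or from XLab: it refangs the indicators, runs them over a constructed proxy/connection log, and separately flags traffic to DoH resolvers. The log format, the resolver list and the sample lines are assumptions; the article does not name which DoH endpoints Zergeca uses.

```python
"""Added example: flag Zergeca C2 indicators and DoH resolver traffic in connection logs.
Log format, DoH resolver list and sample lines are constructed for this example."""
import ipaddress
import re
from collections import defaultdict

# Indicators as quoted (defanged) in the article.
C2_INDICATORS = {"ootheca[.]pw", "ootheca[.]top", "84.54.51[.]82"}

# Assumed: public DoH endpoints worth alerting on when a host has no business using them.
DOH_ENDPOINTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"  # default DoH request path (RFC 8484)

# Assumed log format: "<timestamp> <src_ip> <proto> <dst_host_or_ip> <dst_port> <path-or->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proto>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<path>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('ootheca[.]pw', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


C2_IPS = {refang(i) for i in C2_INDICATORS if is_ip(refang(i))}
C2_DOMAINS = {refang(i) for i in C2_INDICATORS if not is_ip(refang(i))}


def matches_c2(dst: str) -> bool:
    """True for the C2 IP, the C2 domains, or any subdomain of them (not lookalike suffixes)."""
    dst = dst.lower().rstrip(".")
    if dst in C2_IPS:
        return True
    return any(dst == d or dst.endswith("." + d) for d in C2_DOMAINS)


def is_doh(dst: str, port: int, path: str) -> bool:
    """DoH is HTTPS to a known resolver, or any HTTPS request hitting the /dns-query path."""
    return port == 443 and (dst.lower() in DOH_ENDPOINTS or path.startswith(DOH_PATH))


def classify(line: str):
    """Return (src_ip, [reasons]) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, port, path = m["dst"], int(m["port"]), m["path"]
    reasons = []
    if matches_c2(dst):
        reasons.append("c2-indicator")
    if is_doh(dst, port, path):
        reasons.append("doh-resolver")
    return m["src"], reasons


def analyze(lines):
    """Aggregate reasons per source host; a host with both reasons is the strongest signal."""
    findings = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        src, reasons = result
        findings[src].update(reasons)
    return {src: sorted(r) for src, r in findings.items() if r}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-06-12T10:00:01Z 10.0.0.5 tcp dns.google 443 /dns-query",
    "2024-06-12T10:00:02Z 10.0.0.5 tcp ootheca.pw 443 -",
    "2024-06-12T10:00:03Z 10.0.0.7 tcp 84.54.51.82 443 -",
    "2024-06-12T10:00:04Z 10.0.0.9 tcp cdn.example.com 443 /index.html",
    "2024-06-12T10:00:05Z 10.0.0.5 udp 10.0.0.1 53 -",
]

if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(src, reasons)
```

A host that appears with both reasons (here 10.0.0.5) resolves over DoH and then reaches a known C2 endpoint, which is the pattern the article describes; a host flagged only for DoH may simply be running a privacy-conscious browser, so that reason alone is a triage signal, not an alert. The resolver-name check only works where the proxy or TLS SNI exposes the destination hostname; on plain NetFlow, fall back to the C2 IP match and to volume anomalies toward port 443.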
In summary, Zergeca represents an emerging threat in the cybersecurity realm with its advanced capabilities and historical connections to earlier botnets. Given the multifaceted approach to its design and its operational methods, business owners must remain vigilant against the evolving landscape of cyber threats. Utilizing frameworks like the MITRE ATT&CK Matrix can be vital for understanding the tactics and techniques employed in attacks, including tactics such as initial access and persistence, which are critical for defenders to recognize and address in their cybersecurity strategies.