Sunday, July 21, 2024

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart from typical Distributed Denial of Service (DDoS) botnets.

Discovered by the XLab Cyber Threat Insight Analysis (CTIA) system on May 20, 2024, Zergeca has already demonstrated its potential to cause significant disruption.

This article delves into the intricate details of Zergeca, its functionalities, and its implications for cybersecurity.

Discovery and Initial Analysis

On May 20, 2024, while many were celebrating a holiday, the XLab CTIA system captured a suspicious ELF file located at /usr/bin/geomi.

This file, packed with a modified UPX and uploaded from Russia to VirusTotal, initially evaded detection by antivirus engines.

Later that evening, another Geomi file with the same UPX magic number was uploaded from Germany.

The multi-country uploads and the modified UPX packer raised red flags, prompting further investigation.

Zergeca’s Capabilities

Upon analysis, it was confirmed that Zergeca is a botnet implemented in Golang.

The botnet’s name, Zergeca, is inspired by the swarming Zerg in StarCraft, reflecting its aggressive and expansive nature.


Zergeca is not just a typical DDoS botnet; it supports six different attack methods and boasts additional capabilities such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information.

Unique Network Communication Features

From a network communication perspective, Zergeca exhibits several unique features:

  • Multiple DNS Resolution Methods: Prioritizes DNS over HTTPS (DoH) for Command and Control (C2) resolution.
  • Smux Library: Uses the uncommon Smux library for its C2 communication protocol, with traffic encrypted via XOR.

During the investigation, it was discovered that Zergeca’s C2 IP address, 84.54.51.82, had been serving at least two Mirai botnets since September 2023.

This suggests that the author behind Zergeca accumulated experience operating Mirai botnets before creating Zergeca.

The primary methods used by 84.54.51.82 to propagate samples include exploiting Telnet weak passwords and specific known vulnerabilities such as CVE-2022-35733 and CVE-2018-10562.

DDoS Statistics and Targets

From early to mid-June 2024, Zergeca primarily targeted regions such as Canada, the United States, and Germany.

The main type of attack was ackFlood (atk_4), with victims distributed across multiple countries and different Autonomous System Numbers (ASNs).

Figure: Zergeca botnet primarily targeted regions such as Canada, the United States, and Germany

The reverse analysis of Zergeca revealed that the botnet is designed for the x86-64 CPU architecture and targets the Linux platform.

The presence of strings like “android,” “darwin,” and “windows” in the samples, along with Golang’s inherent cross-platform capabilities, suggests that the author may eventually aim for full platform support.

Zergeca achieves persistence on compromised devices by adding a system service named geomi.service.

This service restarts the geomi process automatically if the device reboots or the process is killed.
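A defender's view of that persistence mechanism, as an added example that is not from the article or XLab's tooling: a small triage routine that parses a systemd unit file and reports when it combines an auto-respawn policy with the indicator path or service name the article gives. The unit-file contents are constructed here (the article does not reproduce the real geomi.service).

```python
"""Triage systemd unit files for Zergeca-style persistence (added example)."""
from typing import Dict, List

# Indicators taken from the article: the dropped binary and its service name.
KNOWN_PATHS = {"/usr/bin/geomi"}
KNOWN_UNITS = {"geomi.service"}
RESPAWN_POLICIES = {"always", "on-failure", "on-abnormal", "on-abort"}


def parse_unit(text: str) -> Dict[str, str]:
    """Minimal unit parser: Key=Value pairs, skipping sections and comments;
    a repeated single-value key overrides the earlier one, as in systemd."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def triage_unit(name: str, text: str) -> List[str]:
    """Return the reasons a unit deserves analyst attention (empty = clean)."""
    cfg = parse_unit(text)
    reasons: List[str] = []
    words = cfg.get("ExecStart", "").split()
    exe = words[0].lstrip("-@:+!") if words else ""  # strip systemd prefixes
    if name in KNOWN_UNITS:
        reasons.append(f"unit name matches indicator: {name}")
    if exe in KNOWN_PATHS:
        reasons.append(f"ExecStart matches indicator path: {exe}")
    # Respawn-on-kill is the behaviour the article describes, but many
    # legitimate daemons set it too, so report it only beside an indicator hit.
    if reasons and cfg.get("Restart", "no") in RESPAWN_POLICIES:
        reasons.append(f"auto-respawn configured: Restart={cfg['Restart']}")
    return reasons


# Constructed samples: the article does not reproduce the real geomi.service.
SUSPICIOUS_UNIT = """[Unit]
Description=geomi
[Service]
ExecStart=/usr/bin/geomi
Restart=always
RestartSec=1
"""
BENIGN_UNIT = """[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
"""
```

Run it over the unit files under /etc/systemd/system and /usr/lib/systemd/system to get a shortlist rather than a verdict; the respawn line is context, not evidence on its own.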

String Decryption and Communication Protocol

Zergeca uses XOR encryption for many sensitive strings.

The XOR key is initially set to EC 22 2B A9 F3 DD, but only the first six bytes are used.

The decryption process can be automated by identifying specific patterns in the decryption-related code blocks, restoring all encrypted strings efficiently.
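The string-recovery step described above, as an added example that is not the article's or XLab's code: a repeating-key XOR helper using the six key bytes the article lists, plus a printable-text filter of the kind an analyst applies when sweeping candidate blobs. That the key cycles across strings longer than six bytes is an assumption; the encrypted sample blobs are constructed here from two strings quoted in the article.

```python
"""Repeating-key XOR string recovery for Zergeca-style samples (added example)."""
from typing import Iterable, List, Optional

# The six key bytes named in the article.
XOR_KEY = bytes.fromhex("EC222BA9F3DD")


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse, so the same
    call encrypts and decrypts. Cycling the key past six bytes is an assumption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(data: bytes) -> bool:
    """Filter for the sweep: non-empty and entirely printable ASCII."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def recover_strings(blobs: Iterable[bytes], key: bytes = XOR_KEY) -> List[Optional[str]]:
    """Decrypt each candidate blob; None marks blobs that do not yield text."""
    results: List[Optional[str]] = []
    for blob in blobs:
        plain = xor_bytes(blob, key)
        results.append(plain.decode("ascii") if looks_like_text(plain) else None)
    return results


# Constructed sample: two strings quoted in the article are encrypted here with
# the same key so the example runs offline; the third blob is junk that the
# printable-text filter should reject.
SAMPLE_BLOBS = [
    xor_bytes(b"/usr/bin/geomi"),
    xor_bytes(b"geomi.service"),
    bytes.fromhex("00ff10ee"),
]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, recover_strings(SAMPLE_BLOBS)):
        print(blob.hex(), "->", text)
```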

Zergeca uses Smux for Bot-C2 communication. Smux (Simple MUltipleXing) is a Golang multiplexing library that relies on underlying connections like TCP or KCP for reliability and ordering, providing stream-oriented multiplexing.

Silivaccine Module

To monopolize the device, Zergeca includes a list of competitor threats, covering miners, backdoor trojans, botnets, and more.

Zergeca continuously monitors the system and terminates any process whose name or runtime parameters match those on the list, deleting the corresponding binary files.


Zombie Module

Zergeca resolves the C2 IP address using the geomi_common_utils_Resolve function, which supports four resolvers: Public DNS, Local DNS, DoH, and OpenNIC.

After obtaining the C2 IP, the bot reports sensitive device information to the C2 and awaits commands, supporting six types of DDoS attacks, scanning, reverse shell, and other functions.

The discovery of Zergeca highlights botnets’ continuous evolution and increasing sophistication.

With its advanced scanning, persistence features, and multi-functional capabilities, Zergeca poses a significant cybersecurity threat.

Cybersecurity professionals must stay vigilant and proactive in identifying and mitigating such threats as the botnet continues to develop.

IOC


Domain

ootheca.pw
ootheca.top
bot.hamsterrace.space

IP

84.54.51.82 (The Netherlands, AS202685 Aggros Operations Ltd.)

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.