
Researchers have revealed the details of a new Golang-based botnet called Zergeca that can carry out DDoS attacks.
Researchers detected an array of ELF files uploaded from Russia to VirusTotal. A similar file was uploaded from Germany the same day. The experts discovered multiple uploads from different countries. The analysis revealed the file to be a Golang-based botnet. The botnet was named Zergeca due to its C2 string “ootheca,” reminiscent of the Zerg swarming in StarCraft.
The DDoS botnet Zergeca supports six attack methods and implements additional functionality such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. Unique features include multiple DNS resolution methods, prioritizing DNS over HTTPS (DoH) for C2 resolution, and using the uncommon Smux library for C2 communication, encrypted via XOR.
The analysis revealed that Zergeca’s C2 IP address, 84[.]54.51.82, has been associated with at least two Mirai botnets. The researchers speculate that the author of Zergeca likely gained experience from operating Mirai botnets.
The botnet launched DDoS attacks in Canada, the United States, and Germany. The main type of attack was ackFlood. The experts noticed that the victims were distributed across multiple countries and different ASNs.
The botnet’s functionality is implemented through four distinct modules, named persistence, proxy, silivaccine, and zombie.
The silivaccine module allows the bot to remove competing malware, while the zombie module implements the full botnet functionality. The zombie module reports sensitive information from the compromised device to the C2 and awaits commands. It supports six types of DDoS attacks, scanning, reverse shell, and other functions.
The botnet maintains persistence on compromised devices by adding a system service geomi.service which allows the bot to automatically generate a new geomi process if the device restarts or the process is terminated.
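A triage check for the persistence mechanism described above, added here as an example and not taken from the QianxinLab report: it looks for a geomi.service unit in the standard systemd unit directories (the report does not say which directory the bot writes to, so all of them are checked) and for a running process named geomi.

```shell
#!/bin/sh
# Hypothetical triage helper for the geomi.service persistence described in
# the Zergeca write-up. Not part of the original research.

# Standard systemd unit search paths (an assumption: the report does not state
# where the bot drops its unit file, so every usual location is checked).
UNIT_DIRS="/etc/systemd/system /run/systemd/system /usr/lib/systemd/system /lib/systemd/system"

# find_geomi_units DIR...: print the path and ExecStart= line of every
# geomi.service found in the given directories.
# Returns 0 if at least one unit was found, 1 otherwise.
find_geomi_units() {
    found=1
    for dir in "$@"; do
        unit="$dir/geomi.service"
        if [ -f "$unit" ]; then
            found=0
            # The ExecStart line tells the responder which binary is respawned.
            exec_line=$(grep -m1 '^ExecStart=' "$unit" 2>/dev/null || true)
            printf 'FOUND %s\n  %s\n' "$unit" "${exec_line:-<no ExecStart line>}"
        fi
    done
    return $found
}

# geomi_process_running: returns 0 if a process named exactly "geomi" exists.
geomi_process_running() {
    pgrep -x geomi >/dev/null 2>&1
}

# main: run both checks against the live system and summarise.
main() {
    # shellcheck disable=SC2086
    if ! find_geomi_units $UNIT_DIRS; then
        echo "no geomi.service unit found in standard systemd directories"
    fi
    if geomi_process_running; then
        echo "WARNING: a process named geomi is running"
    else
        echo "no running geomi process"
    fi
}

# Only scan the live host when invoked with --scan, so the functions can
# also be sourced and pointed at an offline image or a mounted root.
if [ "${1:-}" = "--scan" ]; then
    main
fi
```

Run it as `sh zergeca_triage.sh --scan` on the host, or source it and call `find_geomi_units /mnt/image/etc/systemd/system` against a mounted disk image.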
Techniques like modified UPX packing, XOR encryption of sensitive strings, and the use of DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics. Implementing the network protocol with Smux showcases the author’s development skills. Given this combination of operational knowledge, evasion tactics, and development expertise, the researchers expect to encounter more of this author’s work in the future.
This research was documented by researchers from QianxinLab; for more information, refer to the linked report.
Indicators of Compromise

