Zergeca
Type of Malware: Botnet
Country of Origin: Unknown
Targeted Countries: Canada
Date of initial activity: 2024
Motivation: Financial Gain
Attack Vectors: Phishing
Targeted Systems: Linux
Overview
The Zergeca Botnet, a sophisticated and multifaceted cyber threat, emerged onto the security landscape in May 2024. Its debut was marked by the detection of a suspicious ELF file identified as “geomi,” initially flagged for its unusual packing and multi-country uploads. This botnet, implemented in the Go programming language, quickly captured attention for its advanced capabilities beyond traditional Distributed Denial of Service (DDoS) attacks. Zergeca distinguishes itself with a comprehensive toolkit that includes proxying, scanning, self-upgrading, persistence mechanisms, and the ability to collect sensitive information from compromised devices.
One of the most concerning aspects of Zergeca is its use of encrypted communication channels and its ability to bypass conventional detection methods. The botnet employs the Smux library for C2 communication, which is encrypted using XOR techniques. This encryption method, coupled with DNS over HTTPS (DoH) for C2 resolution, complicates the identification and mitigation of Zergeca’s infrastructure. The botnet’s command and control (C2) servers, notably including the IP address 84.54.51.82, have been observed to have served various roles, including as a Mirai botnet C2, suggesting a sophisticated and evolving threat actor behind its development.
Targets
Individuals.
How they operate
At the core of Zergeca’s operation is its method of initial access. The botnet primarily exploits vulnerabilities in public-facing applications, gaining entry to systems whose known flaws have not yet been patched. By targeting these known security flaws, Zergeca gains an initial foothold, setting the stage for deeper penetration. Once access is secured, the botnet employs a variety of execution techniques, including the use of command and scripting interpreters. This enables Zergeca to deploy its payloads and execute commands on compromised systems, with shell scripting giving the operator flexible control over what runs on each host.
Persistence is another critical aspect of Zergeca’s functionality. To maintain its foothold, the botnet utilizes strategies such as creating or modifying system processes. This ensures that even if the system is rebooted or user sessions are closed, Zergeca remains active and capable of executing its commands. In parallel, Zergeca’s privilege escalation techniques come into play. By exploiting system vulnerabilities, the botnet can elevate its privileges, granting it greater control and access to sensitive areas of the system.
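On Linux, "creating or modifying system processes" usually means a new or edited service unit, so a defender's first check is to audit the units themselves. The following is an added example, not Zergeca's code or any product's detection logic; it assumes that an ExecStart pointing into a world-writable or hidden directory is worth review, and the two unit texts at the bottom are constructed samples.

```python
"""Audit systemd unit files for persistence that starts a binary from an odd place.

Added example, not Zergeca's code. Assumption: a unit whose Exec* directive
runs a binary from a world-writable or hidden location deserves a closer look.
"""
import re
from pathlib import Path
from typing import Dict, List

WRITABLE_PARENTS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")
EXEC_RE = re.compile(r"^(Exec(?:Start|StartPre|StartPost))\s*=\s*(.*)$")
RESTART_RE = re.compile(r"^Restart\s*=\s*always\s*$")
PREFIX_CHARS = "-@:+!"  # systemd allows these modifiers before the executable path
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/run/systemd/system")


def exec_paths(unit_text: str) -> List[str]:
    """Return the executable path from every Exec* directive in the unit."""
    paths = []
    for raw in unit_text.splitlines():
        m = EXEC_RE.match(raw.strip())
        if not m:
            continue
        value = m.group(2).lstrip(PREFIX_CHARS)
        if value:
            paths.append(value.split()[0])
    return paths


def audit_unit_text(unit_text: str) -> List[str]:
    """Return indicator names for one unit; an empty list means nothing odd."""
    flags = []
    for path in exec_paths(unit_text):
        if path.startswith(WRITABLE_PARENTS):
            flags.append("exec_in_writable_dir")
        # parts[1:] skips the root "/" so only real components are checked
        if any(part.startswith(".") for part in Path(path).parts[1:]):
            flags.append("hidden_path_component")
    flags = list(dict.fromkeys(flags))  # de-duplicate, keep order
    if not flags:
        return []
    if any(RESTART_RE.match(line.strip()) for line in unit_text.splitlines()):
        flags.append("restart_always")  # only reported alongside a path finding
    return flags


def audit_units(units: Dict[str, str]) -> Dict[str, List[str]]:
    """Map unit name -> indicators, keeping only units that raised something."""
    return {name: f for name, text in units.items() if (f := audit_unit_text(text))}


def scan_unit_dirs(dirs=UNIT_DIRS) -> Dict[str, List[str]]:
    """Read every *.service file in the usual unit directories and audit it."""
    units = {}
    for d in dirs:
        for unit in Path(d).glob("*.service"):
            try:
                units[unit.name] = unit.read_text(errors="replace")
            except OSError:
                continue  # unreadable unit: skip rather than abort the audit
    return audit_units(units)


# Constructed sample units (not real Zergeca artifacts)
BENIGN_UNIT = """[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
[Install]
WantedBy=multi-user.target
"""
SUSPECT_UNIT = """[Unit]
Description=system update helper
After=network-online.target
[Service]
ExecStart=/tmp/.cache/geomi --daemon
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    print(audit_units({"sshd.service": BENIGN_UNIT, "update-helper.service": SUSPECT_UNIT}))
```

Run it against a live host with scan_unit_dirs(); a hit is a lead, not a verdict, so follow up with the binary's hash, owner and modification history.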
One of Zergeca’s most notable attributes is its defense evasion techniques. The botnet employs advanced obfuscation methods, such as packing and encrypting its files to evade detection by security software. It also manipulates file timestamps to avoid forensic scrutiny. These methods ensure that Zergeca can operate under the radar, making it challenging for security professionals to identify and neutralize the threat.
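Both evasion tricks above leave measurable traces: a packed or encrypted payload has near-maximal byte entropy, and timestamp-editing tools commonly write second-granularity values where the kernel would have written nanoseconds. The triage helpers below are an added example, not Zergeca's code or any vendor's signature; the entropy threshold, the UPX marker check and the nanosecond heuristic are assumptions stated in the comments, and the samples at the bottom are constructed.

```python
"""Evasion triage: packed-payload heuristic plus timestomp indicators for a file.

Added example, not Zergeca's code. Assumptions: packed/encrypted data scores
near 8 bits of entropy per byte; timestamp-setting tools often leave the
nanosecond field zero while kernel-written ctime keeps nanosecond precision.
"""
import math
import os
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"
ENTROPY_THRESHOLD = 7.0  # bits per byte; an assumed cut-off, ordinary ELF code sits well below it


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def payload_indicators(blob: bytes) -> List[str]:
    """Static hints that a blob is an ELF and looks packed or encrypted."""
    hits = []
    if blob.startswith(ELF_MAGIC):
        hits.append("elf")
    ent = shannon_entropy(blob)
    if ent >= ENTROPY_THRESHOLD:
        hits.append(f"high_entropy:{ent:.2f}")
    if b"UPX!" in blob:  # marker the UPX packer leaves unless deliberately scrubbed
        hits.append("upx_marker")
    return hits


@dataclass
class FileTimes:
    path: str
    mtime_ns: int
    ctime_ns: int
    btime_ns: Optional[int] = None  # birth time; only some platforms expose it


def timestomp_indicators(ft: FileTimes) -> List[str]:
    """Heuristics for an mtime that was set by a tool rather than by normal writes."""
    hits = []
    # utime()/touch can set mtime but never ctime, so a clean-cut mtime beside a
    # nanosecond-precise ctime suggests the mtime was chosen, not earned
    if ft.mtime_ns % 1_000_000_000 == 0 and ft.ctime_ns % 1_000_000_000 != 0:
        hits.append("mtime_zero_nanoseconds")
    # content "modified" before the inode existed: impossible without tooling
    # (or a preserving copy such as cp -p, so treat as a lead, not proof)
    if ft.btime_ns is not None and ft.mtime_ns < ft.btime_ns:
        hits.append("mtime_before_birth")
    return hits


def stat_times(path: str) -> FileTimes:
    st = os.stat(path)
    return FileTimes(path, st.st_mtime_ns, st.st_ctime_ns, getattr(st, "st_birthtime_ns", None))


def triage_file(path: str) -> dict:
    """Combine both checks for a file on disk (reads at most the first 1 MiB)."""
    with open(path, "rb") as fh:
        head = fh.read(1 << 20)
    return {"payload": payload_indicators(head), "timestamps": timestomp_indicators(stat_times(path))}


# Constructed samples, not real Zergeca artifacts
PACKED_LIKE = ELF_MAGIC + bytes(range(256)) * 16          # near-uniform bytes, entropy close to 8
PLAIN_LIKE = ELF_MAGIC + b"A" * 2048 + b"\x00" * 2048    # repetitive bytes, low entropy
STOMPED = FileTimes(
    path="/tmp/geomi",                            # constructed path
    mtime_ns=1_600_000_000_000_000_000,           # exact second, nanoseconds zeroed
    ctime_ns=1_717_000_000_123_456_789,           # kernel-set, nanosecond precision
    btime_ns=1_717_000_000_123_456_789,           # created after the claimed mtime
)

if __name__ == "__main__":
    print(payload_indicators(PACKED_LIKE), payload_indicators(PLAIN_LIKE))
    print(timestomp_indicators(STOMPED))
```

Entropy alone also fires on legitimately compressed resources, so treat a high score as a reason to unpack and look, not as a detection on its own.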
The botnet’s credential access capabilities further amplify its threat. Zergeca is equipped to extract and dump credentials from compromised systems, providing it with the means to expand its reach and exploit additional vulnerabilities. In addition, Zergeca conducts discovery operations by scanning network services to map out its environment and identify potential targets.
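A bot that scans for network services stands out in connection logs because one source touches many distinct host:port pairs in a short window. The detector below is an added example, not Zergeca's code or any product's rule; the log format is a constructed, simplified one ("<ISO time> <src_ip> <dst_ip> <dst_port>"), and the window and threshold are assumed tuning values.

```python
"""Flag sources whose connection pattern looks like a network service scan.

Added example, not Zergeca's code. Assumed log format per line:
"<ISO-8601 time> <src_ip> <dst_ip> <dst_port>"; window/threshold are tunables.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable

WINDOW_SECONDS = 60          # assumed sliding window
MIN_DISTINCT_TARGETS = 10    # assumed number of distinct (dst, port) pairs that is "a scan"


def parse_line(line: str):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_scanners(lines: Iterable[str], window: int = WINDOW_SECONDS,
                    threshold: int = MIN_DISTINCT_TARGETS) -> Dict[str, int]:
    """Return {src_ip: peak distinct (dst, port) count} for sources over the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        by_src[src].append((ts, dst, port))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # by timestamp; ties fall back to dst/port, which is harmless
        best, j = 0, 0
        for i in range(len(events)):
            # advance j so events[i:j] is everything within `window` of events[i]
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window:
                j += 1
            best = max(best, len({(d, p) for _, d, p in events[i:j]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


# Constructed sample log: 10.0.0.5 sweeps ports and hosts, 10.0.0.7 is ordinary traffic
SAMPLE_LOG = """
2024-05-20T10:00:00 10.0.0.5 10.0.0.20 21
2024-05-20T10:00:00 10.0.0.5 10.0.0.20 22
2024-05-20T10:00:01 10.0.0.5 10.0.0.20 23
2024-05-20T10:00:01 10.0.0.5 10.0.0.20 25
2024-05-20T10:00:02 10.0.0.5 10.0.0.20 80
2024-05-20T10:00:02 10.0.0.5 10.0.0.20 110
2024-05-20T10:00:03 10.0.0.5 10.0.0.20 143
2024-05-20T10:00:03 10.0.0.5 10.0.0.20 443
2024-05-20T10:00:04 10.0.0.5 10.0.0.20 445
2024-05-20T10:00:04 10.0.0.5 10.0.0.21 22
2024-05-20T10:00:05 10.0.0.5 10.0.0.22 22
2024-05-20T10:00:05 10.0.0.5 10.0.0.23 22
2024-05-20T10:00:01 10.0.0.7 10.0.0.20 443
2024-05-20T10:00:09 10.0.0.7 10.0.0.20 443
2024-05-20T10:00:30 10.0.0.7 10.0.0.20 443
2024-05-20T10:00:45 10.0.0.7 10.0.0.20 22
""".strip().splitlines()

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))
```

Counting distinct (dst, port) pairs rather than raw connections catches both a vertical sweep of one host and a horizontal sweep of one port across many hosts, while a chatty but legitimate client that hammers a single service never crosses the threshold.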
Command and Control is a cornerstone of Zergeca’s operations. The botnet uses encrypted communication channels to interact with its C2 servers. By combining XOR encryption of the channel with DNS over HTTPS (DoH) for C2 resolution, Zergeca makes its communications difficult to inspect and intercept. This encrypted channel is crucial for maintaining control over compromised devices and issuing commands without detection.
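The XOR layer described here (and in the overview above) is obfuscation rather than cryptography, and an analyst with a captured buffer can usually strip it: a few bytes of known plaintext such as a fixed framing prefix give the key directly, and a single-byte key falls to exhaustive search with a simple plausibility score. The code below is an added example, not Zergeca's code; the four-byte key, the "ZG1:" prefix and the beacon text are constructed sample values, not values taken from the malware.

```python
"""Peel a repeating-key XOR layer off a captured C2 buffer.

Added example, not Zergeca's code. Assumptions: the payload is XORed with a
short repeating key, and the analyst knows a few plaintext bytes (a crib) or
can recognise readable output. Key, prefix and beacon below are constructed.
"""
from itertools import cycle
from typing import Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_with_crib(cipher: bytes, crib: bytes, crib_offset: int, key_len: int) -> bytes:
    """Derive the key from plaintext bytes known to sit at crib_offset.

    The crib must span at least key_len bytes so every key position is covered;
    positions wrap modulo key_len, so the crib need not start at offset 0.
    """
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length")
    if crib_offset + len(crib) > len(cipher):
        raise ValueError("crib runs past the end of the captured buffer")
    key = bytearray(key_len)
    for i, p in enumerate(crib):
        pos = crib_offset + i
        key[pos % key_len] = cipher[pos] ^ p
    return bytes(key)


TEXT_LIKE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ")


def text_score(data: bytes) -> int:
    """Crude plausibility: how many bytes are letters or spaces."""
    return sum(b in TEXT_LIKE for b in data)


def brute_force_single_byte(cipher: bytes) -> Tuple[int, bytes]:
    """Try all 256 one-byte keys and keep the most text-like decode."""
    best = max(range(256), key=lambda k: text_score(xor_bytes(cipher, bytes([k]))))
    return best, xor_bytes(cipher, bytes([best]))


# Constructed sample: a mock beacon with a fixed "ZG1:" frame prefix, NOT real traffic
SAMPLE_KEY = b"\x5a\x13\xa7\x2c"
SAMPLE_BEACON = b'ZG1:{"cmd":"beacon","host":"lab-node-7","ver":"1.0"}'
SAMPLE_CIPHER = xor_bytes(SAMPLE_BEACON, SAMPLE_KEY)


def decode_sample() -> bytes:
    """Analyst flow: assume the frame prefix is constant, recover the key, decode."""
    key = recover_key_with_crib(SAMPLE_CIPHER, b"ZG1:", 0, len(SAMPLE_KEY))
    return xor_bytes(SAMPLE_CIPHER, key)


if __name__ == "__main__":
    print(decode_sample())
```

Once the key is known, the decoded stream can be fed to a multiplexing-aware parser and the recovered commands turned into detection content; the DoH resolution step is separate and is better addressed by policy on outbound port 443 to known resolvers than by decoding.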
Finally, Zergeca demonstrates its impact through its DDoS capabilities, a feature that allows it to disrupt services and impact system availability. By overwhelming targeted systems with traffic, Zergeca can cause significant operational disruptions, underscoring the botnet’s potential for harm.
MITRE Tactics and Techniques
Initial Access:
Exploit Public-Facing Application (T1190): Zergeca can exploit vulnerabilities in public-facing applications to gain initial access to systems.
Execution:
Command and Scripting Interpreter (T1059): Zergeca utilizes scripting languages or command interpreters for execution, as evidenced by its use of ELF files and scripting within the botnet’s operations.
Persistence:
Create or Modify System Process (T1543): The botnet may employ techniques to create or modify system processes to ensure persistence across reboots or user sessions.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): Zergeca might exploit vulnerabilities to elevate privileges on compromised systems.
Defense Evasion:
Obfuscated Files or Information (T1027): The malware uses packing and encryption techniques to obfuscate its presence and evade detection.
Timestomp (T1099): The botnet may manipulate timestamps to avoid forensic detection and analysis.
Credential Access:
Credential Dumping (T1003): Zergeca could be involved in collecting credentials from compromised systems to facilitate further attacks or lateral movement.
Discovery:
Network Service Scanning (T1046): The botnet includes scanning capabilities to identify and enumerate network services on targeted systems.
Command and Control:
Encrypted Channel (T1071.001): Zergeca uses encrypted communication channels, such as XOR encryption and DNS over HTTPS (DoH), to communicate with its command and control (C2) servers.
Impact:
Service Stop (T1489): The botnet’s DDoS capabilities can impact systems by disrupting services, causing downtime, and affecting availability.