executive summary

In February 2024, multiple U.S. and international government agencies released an advisory on Volt Typhoon botnet attacks. Previously, Avertium's Cyber Threat Intelligence team reported on Volt Typhoon's creation of a botnet using hundreds of SOHO routers across the U.S., using a "living off the land" technique to blend with normal device activity.

The fallout from Volt Typhoon’s botnet impacted several U.S government entities, as well as communication organizations. Botnet attacks can be devastating, impacting even major companies. This week, we will examine two newer botnets, CatDDoS and Zergeca, and discuss how organizations can protect themselves from such threats.

 

tir snapshot

  • This year, QiAnXin XLab's Cyber Threat Insight Analysis (CTIA) System detected that CatDDoS-related groups are highly active, exploiting dozens of vulnerabilities - some 5 years old.
  • CatDDoS-related groups target a global audience, with a primary focus on the U.S., France, Germany, Brazil, and China. These targets span various industries, including cloud services, education, scientific research, information transmission, public administration, and construction.
  • The CatDDoS family builds upon the Mirai source code by incorporating the ChaCha20 algorithm to encrypt and store key information.
  • Researchers hypothesized that CatDDoS ceased operations in December last year, supported by deleted Aterna botnet channel messages and a posted shutdown notification, but the sale or leak of its source code has since led to the emergence of new variants like RebirthLTD, Komaru, and Cecilio Network.
  • The CatDDoS variant includes various built-in DDoS attack methods. In actual attacks, ack_flood and grip_flood are predominately used, accounting for 63% and 29% of attacks, respectively.
  • Despite the possibility that different groups manage the various variants, the code, communication design, strings, and decryption methods show little variation.
  • In July 2024, the researchers discovered a new Golang-based botnet named Zergeca, capable of executing powerful distributed denial-of-service (DDoS) attacks.
  •  This botnet supports six unique attack methods and includes functionalities such as scanning, proxying, persistence, self-upgrades, reverse shell, file transfer, and collecting sensitive device information.
  • In June 2024, Zergeca launched DDoS attacks on organizations in the U.S., Canada, and Germany. Its primary attack type, ACK flood (atk_4), has targeted victims globally.
  • Zergeca uses DNS-over-HTTPS (DoH) for command and control (C2) resolution and uses the uncommon Smux library for C2 communication, aiding in evading detection.
  • Botnets like Zergeca and CatDDoS display advanced capabilities, from executing powerful DDoS attacks and evading detection through eviction and evasion tactics, to actively targeting global networks across diverse industries.
  • Detecting and mitigating botnet activities requires proactive monitoring, robust cybersecurity measures, and timely patching of vulnerabilities.

 

 

catddos

This year, QiAnXin XLab's Cyber Threat Insight Analysis (CTIA) System tracked and monitored active mainstream DDoS botnets. Recently, their system detected that CatDDoS-related groups are highly active, exploiting over 80 vulnerabilities at the time of their report. Also, during that time, the number of daily targets for the botnet exceeded 300. Below are just some of the vulnerabilities CatDDoS-related groups are known to exploit:

  • CVE-2024-25852
  • CVE-2022-31446
  • LILIN_DVR_RCE
  • CVE-2017-18368
  • CVE-2021-44228
  • AMTK_Camera_cmd_RCE
  • CVE-2016-10372
  • TVT_OEM_API_RCE
  • CVE-2017-17215
  • CVE-207-5259
  • Telnet_Weak_Password

The vulnerabilities affect devices from various vendors, including routers and networking gear from Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, Zyxel, and others.

Initially emerging in 2023, CatDDoS-related groups target a global audience, with a primary focus on the U.S, France, Germany, Brazil, and China. These targets span various industries, including cloud services, education, scientific research, information transmission, public administration, and construction.

CatDDoS, a variant of Mirai, is named for the use of "cat" and "meow" in early domain names and samples, indicating the author's fondness for cats. By monitoring Telegram channels, QiAnXin XLab hypothesized that CatDDoS might have ceased operations in December of last year. The Aterna botnet's channel message history has been deleted, and a shutdown notification was posted by the author in the group. However, the sale or leak of the source code led to new variants like RebirthLTD, Komaru, and Cecilio Network emerging after the shutdown – which means that CatDDos has not truly stopped their operations.

 

TACTICS + TECHNIQUES

The CatDDoS family builds upon the Mirai source code by incorporating the ChaCha20 algorithm to encrypt and store key information. The key and nonce used in the latest version are shown below:

 

Image 1: Nonce of ChaCha20 Algorithm

Nonce of ChaCha20 Algorithm

Source: NsfocusGlobal

 

This variant modifies the original Mirai's go-live process, sending go-live data to the server in multiple rounds. The data packets, which contain both plaintext and ChaCha20-encrypted ciphertext, are sent to the server. After an initial sequence is transmitted, subsequent bytes and actual content are sent alternately, generating distinctive traffic patterns.

The CatDDoS variant includes various built-in DDoS attack methods. In actual attacks, ack_flood and grip_flood are predominantly used, accounting for 63% and 29% of attacks, respectively.

While the CatDDoS controller does not create a completely new botnet Trojan from scratch, the concealment of the Trojan is prioritized. In addition to introducing the ChaCha20 algorithm, operators also used OpenNIC domain names, similar to the Fodcha family.

Despite the possibility that different groups manage the various variants, the code, communication design, strings, and decryption methods show little variation. Two recently active variants are v-2.0.4 (CatDDoS) and v-Rebirth (RebirthLTD), both of which use ChaCha20 for data encryption with identical keys and nonces. The main difference is that v-2.0.4 uses OpenNIC domain names for its command and control (C2) servers. RebirthLTD initially developed using the original Mirai code but later switched to the CatDDoS code and has been updated frequently.

Another variant, v-snow_slide, was active for a period but has since gone silent. It has not been publicly disclosed. The variant v-ihateyou is speculated to be related to CatDDoS based on certain characteristics, but its communication mechanism and string decryption align more closely with Mirai. This variant was short-lived and did not gain significant traction.

 

 

zergeca

Once again, the researchers at QiAnXin Lab are at the helm of discovery. In July 2024, the researchers discovered a new Golang-based botnet named Zergeca, capable of executing powerful distributed denial-of-service (DDoS) attacks. This botnet supports six unique attack methods and includes functionalities such as scanning, proxying, persistence, self-upgrades, reverse shell, file transfer, and collecting sensitive device information.

In June 2024, Zergeca launched DDoS attacks on organizations in the U.S, Canada, and Germany. Its primary attack type, ACK flood (atk_4), has targeted victims globally. Zergeca’s functionality is divided into four modules: persistence, proxy, silivaccine, and zombie. The silivaccine module removes competing malware, while the zombie module reports sensitive information to the C2 server and awaits commands.

 

TACTICS + TECHNIQUES

Zergeca uses DNS-over-HTTPS (DoH) for command and control (C2) resolution and uses the uncommon Smux library for C2 communication, aiding in evading detection. The C2 IP address, previously associated with the Mirai botnet in September 2023, began serving Zergeca in April 2025, suggesting the operators have experience with Mirai.

In July 2024, QiAnXin Lab released findings from their analysis of Zergeca. The researchers analyzed five Zergeca samples and found that, despite their similar functions, there were significant differences in their detection rates by antivirus software.

Most antivirus vendors identified the sample 23ca4ab1518ff76f5037ea12f367a469 as Generic Malware. The researchers hypothesize that antivirus software relies on file hash for detection. Thus, any change in the hash reduces detection effectiveness. To test this, they appended the 4-byte string "Xlab" to the end of the file and re-uploaded it to VirusTotal. The detection rate dropped to 9 out of 67, supporting their hypothesis.

Technical sophistication is evident in Zergeca’s use of modified UPX packing, XOR encryption for sensitive strings, and DoH for C2 resolution. These tactics demonstrate a strong understanding of evasion techniques. Zergeca continues to be actively developed and updated to support new commands, making it a versatile and dangerous tool for cybercriminals.

The primary methods used by the botnet to distribute samples are exploiting Telnet weak passwords and specific known vulnerabilities. The relevant vulnerabilities include:

  • CVE-2022-35733
  • CVE-2018-10562
  • CVE-2018-10561
  • CVE-2017-17215
  • CVE-2016-20016

To gain exclusive control over a device, Zergeca maintains a list of competitor threats, including miners, backdoor trojans, and other botnets. Notable names on this list include Mozi, Kinsing, and various mining pools. Zergeca actively monitors the system, terminating any process whose name or runtime parameters match those on the list and deleting the associated binary files.

 

 

am i vulnerable?

Effective defense strategies against botnets are important for protecting organizational networks and data integrity. Organizations can be vulnerable to botnets like Zergeca and CatDDoS due to several factors:

  • Outdated Software: Failure to regularly update software and systems leaves vulnerabilities unpatched, which botnets can exploit.
  • Weak Authentication: Inadequate password policies and lack of multi-factor authentication (MFA) make it easier for botnets to compromise user credentials.
  • Lack of Network Segmentation: Networks that are not properly segmented allow botnets to spread quickly and infect multiple systems once they gain access.
  • Insufficient Monitoring: Inability to detect abnormal network behavior or identify botnet activity promptly allows threats to persist undetected.
  • Employee Awareness: Lack of cybersecurity awareness among employees may lead to accidental actions that allow for botnet infiltration, such as clicking on phishing links or downloading malicious files.

 

 

CONCLUSION

Botnets like Zergeca and CatDDoS display advanced capabilities, from executing powerful DDoS attacks and evading detection through sophisticated encryption and evasion tactics, to actively targeting global networks across diverse industries.

Zergeca, for instance, demonstrates its adaptability with features like DNS-over-HTTPS for C2 communication and a robust toolkit that includes scanning, proxying, and collecting sensitive information.

For cybersecurity professionals and organizations, vigilance against botnet threats is necessary. Botnets not only disrupt services and compromise sensitive data but also operate undercover, often leveraging known vulnerabilities and weak security practices to infiltrate systems.

Detecting and mitigating botnet activities requires proactive monitoring, robust cybersecurity measures, and timely patching of vulnerabilities. Heightened awareness and continuous threat intelligence gathering is vital if organizations are going to combat the evolving tactics of botnet operators.

 

 

AVERTIUM'S RECOMMENDATIONS

  • Regular Patching and Updates: Ensure all software, firmware, and systems are regularly updated to mitigate known vulnerabilities exploited by botnets.
  • Strong Authentication and Access Control: Implement multi-factor authentication (MFA) and robust access control policies to prevent unauthorized access, reducing the risk of botnet infiltration via weak credentials.
  • Network Segmentation: Segment networks to limit the spread of infections and isolate critical systems from less secure areas, reducing the impact of botnet propagation.
  • Monitoring and Anomaly Detection: Implement continuous monitoring and anomaly detection tools to quickly identify unusual network behavior or traffic patterns that may indicate botnet activity.
  • Educational Awareness Programs: Train employees on cybersecurity best practices, phishing prevention, and the importance of vigilance against suspicious activities that may indicate botnet infiltration.
  • Firewall and Intrusion Prevention Systems: Deploy and configure firewalls and intrusion prevention systems (IPS) to monitor and block malicious traffic, including botnet command and control communications.
  • Endpoint Security Solutions: Utilize endpoint protection platforms (EPP) and endpoint detection and response (EDR) tools to detect and mitigate botnet activities on devices connected to the network.
  • Incident Response Plan: Develop and regularly update an incident response plan that outlines procedures for identifying, containing, eradicating, and recovering from botnet attacks, ensuring a quick and coordinated response to minimize damage.

 

 

how avertium is protecting our customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe:

  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
  • Avertium uses KnowBe4 as a professional service for user awareness training. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.

 

 

INDICATORS OF COMPROMISE (IOCs)

Zergeca

MD5

  • 23ca4ab1518ff76f5037ea12f367a469
  • 596a96cc7bf9108cd896f33c44aedc8a
  • 604397198f291fa5eb2c363f7c93c9bf
  • 60f23acebf0ddb51a3176d0750055cf8
  • 6ac8958d3f542274596bd5206ae8fa96
  • 980cad4be8bf20fea5c34c5195013200
  • 9d96646d4fa35b6f7c19a3b5d3846777
  • b19642a3c672d4f20cbdb5b1569bf98f
  • d78d1c57fb6e818eb1b52417e262ce59
  • d7b5d45628aa22726fd09d452a9e5717
  • f68139904e127b95249ffd40dfeedd21

SHA1

  • 04e8b08cda521a6f939f46856449ea53f846083a
  • 1001b06820145ac69f3d440f1cc25990eb14cc71
  • 34e38f2ceeed80c34f3aa8bd663654f50e6fa2b1
  • 4a6cb6640b7a43ccfc6ee9921f0e88ba84da8a0b
  • d419c3ba75ec203cd002734114cc04d3dc735cfb
  • d729aa662ea7d652908326dc5d91b97d836ba936

SHA256

  • 0dbbe5616de71c5753768de555203fb9eb2f1e72a8cb5bdce0559bc5cdfa3b2e
  • 2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b
  • 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29
  • 7db9189afd00c2b60b7f892ef1b86d040fb1cf02145c7d2e414ef77ba3335c11
  • 7e62e3e8911c0cb19df3477df0603fddeff82223e1cc6da7fb1698f512ff2cd2
  • b55b1947a11de7ee2cb3aaede12ce15c85abf2b607d1ebd8f5ed56e3a6ef7c43
  • cea6e4aa15d7c6a2b2c794a660afaf96d43462e0b74436600a2c8a2288ad0c27

IPs

  • 145[.]239[.]108[.]150
  • 31[.]6[.]16[.]33
  • 84[.]54[.]51[.]82

Domains

  • multi-user[.]target
  • network[.]target

CatDDoS

IPs

  • 212[.]70[.]149[.]10
  • 212[.]70[.]149[.]14
  • 87[.]246[.]7[.]194
  • 87[.]246[.]7[.]198
  • 87[.]246[.]7[.]66
  • 89[.]32[.]41[.]31
  • 103[.]161[.]35[.]44
  • 31[.]220[.]1[.]44
  • 194[.]169[.]175[.]20
  • 194[.]169[.]175[.]31
  • 194[.]169[.]175[.]39
  • 194[.]169[.]175[.]40
  • 194[.]169[.]175[.]43

Domains

  • Catddos[.]pirate
  • jm1hj56glo[.]pirate
  • siegheil[.]hiter[.]su
  • Omgnoway[.]geek
  • phhfr59rqd[.]parody
  • 9wg0dstmud[.]pirate
  • hsjupldf2z[.]pirate
  • 9fz0cqekwr[.]parody
  • 4m8mdkx76o[.]indy
  • fd9vsneghh[.]libre

Please note, this list is just a sample of the IoCs for CatDDos. See Qianxin Lab’s analysis for a complete list of IoCs.

 

 

 

Supporting Documentation

New Threat: A Deep Dive Into the Zergeca Botnet (qianxin.com)

New Zergeca Botnet: A Powerful New Threat that Employs Advanced Evasion Tactics and DDoS Attacks | Black Hat Ethical Hacking

Zergeca: A new Golang botnet with advanced capabilities (broadcom.com)

New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks (thehackernews.com)

New Threat: A Deep Dive Into the Zergeca Botnet (qianxin.com)

Zergeca Botnet Poses DDoS Threat - Spiceworks

New Threat: A Deep Dive Into the Zergeca Botnet - LevelBlue - Open Threat Exchange (alienvault.com)

Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique (thehackernews.com)

CatDDoS-Related Gangs Have Seen a Recent Surge in Activity (qianxin.com)

Botnet Attack Targeted Routers: A Wake-Up Call for Securing Remote Employees' Hardware (techrepublic.com)

Mirai Botnet's New Wave: hailBot,kiraiBot, catDDoS, and Their Fierce Onslaught - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. (nsfocusglobal.com)

CatDDoS botnet attacks surge, DNSBomb DDoS attack technique emerges | SC Media (scmagazine.com)

CatDDOS Threat Groups Sharply Ramp Up DDoS Attacks (darkreading.com)

New Golang Zergeca Botnet appeared in the threat landscape (securityaffairs.com)

An In-Depth Look at Mirai & HinataBot (avertium.com)

 

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

Looking for your next read? 
Check out the blog, "The Move from Reactive GRC to Proactive GRCaaS"

 
Chat With One of Our Experts




Threat Report Golang Worm Botnet Golang Malware Volt Typhoon CatDDoS Botnet Zergeca Botnet Blog