New Matryosh botnet aimed at Android devices


Researchers from Netlab, the networking security division of Chinese security firm Qihoo 360, discovered a new malware campaign that is targeting Android devices in order to ensnare them in a DDoS botnet.

The new botnet reuses the Mirai framework and hunts for Android devices that have the Android Debug Bridge (ADB) interface enabled and exposed to the internet. The ADB interface, listening on TCP port 5555, has been abused in the past by several malware families, such as ADB.Miner, to download and install malicious payloads: a device whose adbd accepts unauthenticated connections hands the attacker a remote shell, so no exploit is required.
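One check a defender wants here is whether a device answers on 5555 the way Matryosh needs it to. The following added Python (an example written for this page, not code from Netlab, the article or the botnet) performs the first step of the ADB wire protocol: it sends the host's CONNECT message and classifies the device's reply. A CNXN reply without an intervening AUTH means adbd is accepting unauthenticated clients. The header layout, command constants and the "host::" identity string are taken from the public ADB protocol description; the placeholder host 192.0.2.1 and the replies used in testing are constructed.

```python
import socket
import struct

# Constants from the public ADB wire-protocol description (platform-tools
# protocol.txt); these are documented values, not assumptions.
A_CNXN = 0x4E584E43            # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541            # b"AUTH": device demands RSA key authentication
A_VERSION = 0x01000000         # legacy protocol version, accepted by every adbd
MAX_PAYLOAD = 4096             # legacy maxdata
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
MAX_SANE_PAYLOAD = 256 * 1024  # refuse to read more than adb itself would


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Frame one ADB message: 24-byte header followed by the payload."""
    return HEADER.pack(command, arg0, arg1, len(data),
                       sum(data) & 0xFFFFFFFF, command ^ 0xFFFFFFFF) + data


def build_connect() -> bytes:
    """The CONNECT message an adb host sends first; "host::" is its identity string."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(buf: bytes):
    """Validate magic and checksum; return (command, arg0, arg1, payload) or None."""
    if len(buf) < HEADER.size:
        return None
    cmd, a0, a1, dlen, dcheck, magic = HEADER.unpack_from(buf)
    if magic != cmd ^ 0xFFFFFFFF or dlen > MAX_SANE_PAYLOAD:
        return None
    payload = buf[HEADER.size:HEADER.size + dlen]
    if len(payload) != dlen or (sum(payload) & 0xFFFFFFFF) != dcheck:
        return None
    return cmd, a0, a1, payload


def classify(reply: bytes) -> str:
    """Turn the device's first reply to CONNECT into a verdict string."""
    msg = parse_message(reply)
    if msg is None:
        return "not-adb"
    cmd, _, _, payload = msg
    if cmd == A_CNXN:
        # Handshake completed with no AUTH: anyone who can reach the port gets an
        # unauthenticated shell, which is exactly the exposure the botnet hunts for.
        return "unauthenticated:" + payload.rstrip(b"\x00").decode("ascii", "replace")
    if cmd == A_AUTH:
        return "auth-required"
    return "adb-other"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Connect, send CONNECT, read one full reply and classify it.
    Run only against devices you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connect())
            head = _recv_exact(s, HEADER.size)
            dlen = HEADER.unpack(head)[3]
            if dlen > MAX_SANE_PAYLOAD:
                return "not-adb"
            return classify(head + _recv_exact(s, dlen))
    except OSError as exc:  # ConnectionError and timeouts are OSError subclasses
        return f"unreachable:{exc}"


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a documentation-range placeholder, not a real target.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"))
```

Devices running stock Android since 4.2.2 answer AUTH unless ADB has been deliberately left unauthenticated, so an "unauthenticated:" verdict on an internet-facing address is the finding to act on; "auth-required" still means port 5555 is reachable and should normally be firewalled.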

The botnet's encryption algorithm and its process for obtaining the C2 address are nested in layers, like Russian nesting dolls, hence the name Matryosh. Matryosh has no built-in scanning or vulnerability-exploitation modules; its functionality is limited to launching DDoS attacks, and it supports tcpraw, icmpecho and udpplain floods.

The malware uses the Tor network to hide its command and control servers and leverages a multi-layered process for obtaining the address of this server.

“The function of Matryosh is relatively simple. When it runs on an infected device, it renames the process and prints out ‘stdin: pipe failed’ to confuse the user. Then it decrypts the remote hostname and uses a DNS TXT request to obtain the TOR C2 and TOR proxy. After that it establishes a connection with the TOR proxy. And finally it communicates with the TOR C2 through the proxy and waits for the execution of the commands sent by the C2,” the researchers said.

Based on some clues, the Netlab team believes that the Matryosh botnet is the work of the Moobot group, the threat actor behind the Moobot botnet and the LeetHozer botnet, first observed in 2019 and 2020 respectively.

“Matryosh's cryptographic design has some novelty, but still falls into the Mirai single-byte XOR pattern, which is why it is easily flagged by antivirus software as Mirai; the changes at the network communication level indicate that its authors wanted to implement a mechanism to protect the C2 by downlinking the configuration from the cloud. Doing this will bring some difficulties to static analysis or a simple IOC simulator,” the researchers said.

