Matryosh DDoS botnet targets Android-Based devices via ADB

Netlab researchers spotted a new Android malware, dubbed Matryosh, that is infecting devices to recruit them in a distributed denial-of-service (DDoS) botnet.

On January 25, 2021, researchers at 360 netlab detected a suspicious ELF file, initially attributed to Mirai, but that later revealed his nature, a new bot tracked as Matryosh.

“On January 25, 2021, 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai’s characteristics. This anomaly caught our attention, and after analysis, we determined that it was a new botnet that reused the Mirai framework, propagated through the ADB interface, and targeted Android-like devices with the main purpose of DDoS attacks.” reads the analysis published by the experts.

The Matryosh bot reuses the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android-like devices.

The main purpose of the Android botnet is to carry out DDoS attacks.

The Android Debug Bridge (adb) is a command-line tool that allows developers to communicate with an Android device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.

The ADB could be abused by malware to target Android phones through port 5555. By default, Android has Android Debug Bridge (ADB) option disabled, but often vendors enable it to customize the operating system, then ship the devices with the feature turned on.

Unlike similar threats, Matryosh uses the Tor network to avoid detection.

“The encryption algorithm implemented in this botnet and the process of obtaining C2 are nested in layers, like Russian nesting dolls.For this reason we named it Matryosh.” continues the analysis.

Experts found a similarity of C2 instructions employed by the Moobot threat actor, which continues to be very active in this period.

The Matryosh initially decrypts the remote hostname and uses the DNS TXT request to obtain TOR C2 and TOR proxy, then it connects with the TOR proxy. The bot communicates with TOR C2 through the proxy and waits for commands from the C&C server.

“Matryosh’s cryptographic design has some novelty, but still falls into the Mirai single-byte XOR pattern, which is why it is easily flagged by antivirus software as Mirai; the changes at the network communication level indicates that its authors wanted to implement a mechanism to protect C2 by downlinking the configuration from the cloud, doing this will bring some difficulties to static analysis or simple IOC simulator.” concludes the post.

“However, the act of putting all remote hosts under the same SLD is not optimal, it might change and we will keep an eye on it.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]