On January 25, 2021, researchers at 360 Netlab spotted a suspicious ELF file, which they initially associated with the Mirai botnet. After further research, however, they concluded that the file belonged to a new botnet called "Matryosh". In their analysis the researchers wrote: "On January 25, 2021, 360 netlab identified a suspicious ELF file as Mirai, but the network traffic does not match Mirai features. This anomaly caught our attention and after analysis, we decided it was a new botnet that reused Mirai framework." The botnet spreads through exposed Android Debug Bridge (ADB) interfaces and targets Android-based devices, with the primary goal of carrying out DDoS attacks.
Android Debug Bridge (ADB) is a command-line tool that allows developers to communicate with an Android device. The adb command facilitates a variety of device actions, such as installing and debugging applications, and provides access to a Unix shell that can be used to run a variety of commands on the device.
Malware can abuse ADB to target Android devices through TCP port 5555. By default, Android ships with ADB disabled. However, vendors often customize the operating system, and devices that ship with the feature enabled are exposed to infection.
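The exposure described above is visible on the wire: an ADB client that connects to a device and opens a shell without ever answering an authentication challenge is talking to a device that accepted it without a key exchange. The following is an added example, not code from the article or from 360 Netlab, that parses the ADB wire protocol (24-byte header of six little-endian uint32 fields: command, arg0, arg1, data length, data checksum, and magic = command XOR 0xFFFFFFFF) and flags such sessions. The sample streams, the session classification and the names `assess_client_stream`, `parse_adb_stream` and `build_msg` are my own constructions; the simplification that only the client-to-device direction is inspected is an assumption.

```python
import struct

# ADB listens on TCP 5555 when "ADB over network" is enabled (the exposure the article describes).
ADB_TCP_PORT = 5555

# Every ADB wire message starts with six little-endian uint32 fields:
# command, arg0, arg1, data_length, data_check, magic (magic == command XOR 0xFFFFFFFF).
HEADER = struct.Struct("<6I")


def cmd_id(tag: bytes) -> int:
    """The command field is the four ASCII letters read as a little-endian integer."""
    return struct.unpack("<I", tag)[0]


def build_msg(tag: bytes, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Encode one ADB message (used here only to construct sample traffic)."""
    command = cmd_id(tag)
    data_check = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), data_check, command ^ 0xFFFFFFFF) + payload


def parse_adb_stream(buf: bytes) -> list:
    """Split a byte stream into (tag, arg0, arg1, payload) tuples, validating magic and checksum."""
    messages = []
    off = 0
    while off + HEADER.size <= len(buf):
        command, arg0, arg1, dlen, dcheck, magic = HEADER.unpack_from(buf, off)
        if magic != command ^ 0xFFFFFFFF:
            raise ValueError(f"not an ADB message at offset {off}: bad magic")
        payload = buf[off + HEADER.size: off + HEADER.size + dlen]
        if len(payload) != dlen:
            raise ValueError(f"truncated message at offset {off}")
        if sum(payload) & 0xFFFFFFFF != dcheck:
            raise ValueError(f"payload checksum mismatch at offset {off}")
        messages.append((struct.pack("<I", command), arg0, arg1, payload))
        off += HEADER.size + dlen
    return messages


def assess_client_stream(client_to_device: bytes) -> dict:
    """Classify the client->device half of an ADB session (assumption: only that direction is seen).

    On a device that enforces key authentication a developer session shows CNXN, then an AUTH
    reply (signature or public key), then OPEN. A CNXN that goes straight to OPEN "shell:..."
    means the device accepted the peer without any key exchange: the configuration worth alerting on.
    """
    msgs = parse_adb_stream(client_to_device)
    tags = [m[0] for m in msgs]
    shell_cmds = [
        m[3].rstrip(b"\x00").decode("utf-8", errors="replace")
        for m in msgs
        if m[0] == b"OPEN" and m[3].startswith(b"shell:")
    ]
    return {
        "connect_seen": b"CNXN" in tags,
        "auth_seen": b"AUTH" in tags,
        "shell_commands": shell_cmds,
        "unauthenticated_shell": b"CNXN" in tags and b"AUTH" not in tags and bool(shell_cmds),
    }


# Constructed sample streams (not captured traffic): protocol version 0x01000000, maxdata 4096.
ADB_VERSION, MAXDATA = 0x01000000, 4096
AUTH_SIGNATURE = 2  # arg0 value a client uses when answering the device's token challenge

EXPOSED_DEVICE_STREAM = (
    build_msg(b"CNXN", ADB_VERSION, MAXDATA, b"host::\x00")
    + build_msg(b"OPEN", 1, 0, b"shell:id\x00")
)

DEVELOPER_STREAM = (
    build_msg(b"CNXN", ADB_VERSION, MAXDATA, b"host::\x00")
    + build_msg(b"AUTH", AUTH_SIGNATURE, 0, b"<signature bytes>")
    + build_msg(b"OPEN", 1, 0, b"shell:logcat -d\x00")
)

if __name__ == "__main__":
    for name, stream in (("exposed", EXPOSED_DEVICE_STREAM), ("developer", DEVELOPER_STREAM)):
        print(name, assess_client_stream(stream))
```

Run over the client half of a TCP 5555 stream reassembled from a capture, the `unauthenticated_shell` flag separates developer sessions from the kind of unauthenticated shell access that an exposed device permits; the checksum and magic checks also make the parser reject unrelated traffic that merely lands on the port.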
The Matryosh botnet, which targets Android-based devices for DDoS attacks, uses the Tor network to avoid detection. The researchers also pointed out that the encryption algorithm used by this botnet and its C2 acquisition process are layered, like Russian nesting dolls. That is why they named the botnet "Matryosh".
They also found a resemblance to the C2 instructions used by Moobot, a botnet that remains very active at this time.
According to Security Affairs, the Matryosh botnet first decrypts the remote hostname and uses a DNS TXT request to obtain the Tor C2 and a Tor proxy, then connects to the Tor proxy. The botnet communicates with the Tor C2 through the proxy and waits for orders from the C&C server.
According to the researchers, the cryptographic design of Matryosh shows some innovation, but it still falls into the Mirai single-byte XOR pattern, so antivirus software easily flags it as Mirai. The changes at the network communication level suggest that its authors wanted to protect the C2 by delivering the configuration from the cloud, which makes static analysis or a simple IoC simulator more difficult.
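Why a "single-byte XOR pattern" gets a sample flagged as Mirai is worth seeing concretely. Mirai's string table is obfuscated with the 32-bit key 0xDEADBEEF, applied by XORing every byte with each of the four key bytes in turn; those four XORs collapse into one fixed byte, so the encoded form of any known string is a constant that a signature can match, and an analyst can recover the whole table by trying all 256 keys against a few known plaintexts. The following is an added example, not code from the article or from 360 Netlab: the sample string table and its entries are constructed, the cribs are strings typical of Mirai-derived binaries, and the function names `effective_single_byte_key`, `find_key_by_crib` and `decode_table` are my own.

```python
# Mirai's table obfuscation: the 32-bit key is applied one byte at a time, so it folds to one byte.
MIRAI_TABLE_KEY = 0xDEADBEEF


def effective_single_byte_key(key32: int) -> int:
    """Fold a Mirai-style four-byte XOR key into the single byte it actually applies."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def xor_bytes(data: bytes, k: int) -> bytes:
    """XOR every byte with one key byte (encoding and decoding are the same operation)."""
    return bytes(b ^ k for b in data)


def find_key_by_crib(blob: bytes, cribs) -> dict:
    """Try all 256 single-byte keys; report which keys make a known plaintext appear in the blob.

    Returns {key: [(crib, offset), ...]}. The key that explains several cribs at once is the real one.
    This is the analyst's (and the scanner's) view: a single-byte XOR hides nothing from a crib search.
    """
    hits = {}
    for k in range(256):
        for crib in cribs:
            idx = blob.find(xor_bytes(crib, k))
            if idx != -1:
                hits.setdefault(k, []).append((crib.decode(), idx))
    return hits


def best_key(hits: dict):
    """Pick the key that explains the most cribs (None if nothing matched)."""
    return max(hits, key=lambda k: len(hits[k])) if hits else None


def decode_table(table: bytes, k: int) -> list:
    """Recover the NUL-separated entries of a single-byte-XOR string table."""
    return [e.decode("utf-8", errors="replace") for e in xor_bytes(table, k).split(b"\x00") if e]


# Constructed sample (not the botnet's own strings): a fake string table obfuscated Mirai-style,
# placed behind a few ELF-like header bytes so that the reported offsets are non-zero.
SAMPLE_ENTRIES = [b"/proc/self/exe", b"shell", b"/bin/busybox"]
SAMPLE_HEADER = b"\x7fELF\x01\x01\x01\x00"
SAMPLE_BLOB = SAMPLE_HEADER + xor_bytes(
    b"\x00".join(SAMPLE_ENTRIES) + b"\x00", effective_single_byte_key(MIRAI_TABLE_KEY)
)

# Cribs a signature author or analyst would expect in a Mirai-derived binary.
CRIBS = [b"/proc/", b"shell", b"/bin/busybox"]


def recover_sample_table() -> tuple:
    """Run the crib search on the sample and decode the table with the key it finds."""
    hits = find_key_by_crib(SAMPLE_BLOB, CRIBS)
    key = best_key(hits)
    return key, hits[key], decode_table(SAMPLE_BLOB[len(SAMPLE_HEADER):], key)


if __name__ == "__main__":
    print(f"folded Mirai key: 0x{effective_single_byte_key(MIRAI_TABLE_KEY):02x}")
    key, matches, entries = recover_sample_table()
    print(f"recovered key 0x{key:02x} via {matches}")
    print("decoded table:", entries)
```

The point for a defender is the asymmetry: changing the 32-bit key only changes which single byte is applied, so any static detection built on the encoded form of a few known strings, or on a 256-key crib search like the one above, keeps working across Mirai-derived variants; the network-level changes the researchers describe are what actually separate Matryosh from its ancestors.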