A newly discovered malware campaign is recruiting Android-based devices into a botnet whose sole purpose is to launch DDoS (Distributed Denial-of-Service) attacks from them. Researchers at Qihoo 360's Netlab have named the malware Matryosh.
Matryosh reuses the Mirai botnet framework. It spreads through exposed ADB (Android Debug Bridge) interfaces, infecting other Android-based devices and pulling them into the same botnet.
ADB is the command-line tool of the Android SDK that developers use to install, debug and otherwise communicate with applications on a device. On most Android-based devices ADB is disabled by default, but some vendors ship devices with ADB enabled over the network on TCP port 5555. An ADB daemon reachable on that port lets a remote attacker connect to the device and execute commands on it, which is what exposes these devices to exploitation.
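The following Python is added here as an illustration; it is not code from Netlab or from the article. It shows what "ADB exposed on TCP 5555" means at the wire level: it builds the ADB CNXN handshake message, parses the daemon's reply and classifies the port as open (the daemon answers CNXN without asking for authentication, so anyone who can reach the port gets a shell) or auth-required (it answers AUTH and wants a signed token first). The protocol constants come from the public ADB protocol description; the host, the identity strings and the sample replies are constructed. Run the network probe only against devices you own or are authorised to test.

```python
import socket
import struct

# ADB wire-protocol constants (public protocol documentation; not from the article).
A_CNXN = 0x4E584E43      # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541      # b"AUTH": daemon demands RSA key authentication
A_VERSION = 0x01000000   # protocol version advertised in CNXN arg0
MAX_PAYLOAD = 4096       # classic maximum payload size, sent in CNXN arg1
HEADER_LEN = 24          # six little-endian uint32 fields
ADB_PORT = 5555


def adb_checksum(payload: bytes) -> int:
    """ADB 'data_check' field: plain byte sum of the payload, truncated to 32 bits."""
    return sum(payload) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialise one ADB message: header (command, arg0, arg1, length, checksum, magic) + payload."""
    header = struct.pack("<6I", command, arg0, arg1, len(payload),
                         adb_checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload


def build_cnxn(system_identity: bytes = b"host::") -> bytes:
    """First message a client sends; the identity string is NUL-terminated."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, system_identity + b"\x00")


def parse_message(raw: bytes) -> dict:
    """Parse header + payload, validating the magic and checksum fields."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short ADB header")
    command, arg0, arg1, data_length, data_check, magic = struct.unpack("<6I", raw[:HEADER_LEN])
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    payload = raw[HEADER_LEN:HEADER_LEN + data_length]
    if len(payload) != data_length:
        raise ValueError("truncated payload")
    if adb_checksum(payload) != data_check:
        raise ValueError("payload checksum mismatch")
    return {"command": command, "arg0": arg0, "arg1": arg1, "payload": payload}


def classify_response(raw: bytes) -> str:
    """Interpret the daemon's reply to our CNXN."""
    msg = parse_message(raw)
    if msg["command"] == A_CNXN:
        return "open"            # no authentication: remote shell for anyone reaching the port
    if msg["command"] == A_AUTH:
        return "auth-required"   # daemon wants a token signed with an authorised RSA key
    return "unknown"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_adb(host: str, port: int = ADB_PORT, timeout: float = 3.0):
    """Network probe (not exercised offline): returns (state, daemon identity string)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        header = _recv_exact(sock, HEADER_LEN)
        if len(header) < HEADER_LEN:
            raise ValueError("no ADB header received")
        data_length = struct.unpack("<I", header[12:16])[0]
        raw = header + _recv_exact(sock, data_length)
        msg = parse_message(raw)
        identity = msg["payload"].rstrip(b"\x00").decode("utf-8", "replace")
        return classify_response(raw), identity


if __name__ == "__main__":
    import sys
    # Usage: python adb_probe.py <host>   (hypothetical script name)
    print(probe_adb(sys.argv[1]))
```

An "open" result with a "device::..." identity string means the daemon skipped the AUTH step entirely, which is the state the article describes for devices shipped with ADB enabled; "auth-required" means the daemon is reachable but still protected by RSA key authentication.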
This is not the first time attackers have used ADB to infect vulnerable devices. Open ADB ports were used in July 2018 to spread several Satori botnet variants, including Fbot, and about a year later a cryptocurrency-mining botnet was found using the same interface against Android device users in Korea, Taiwan, Hong Kong and China.
What sets Matryosh apart is its use of Tor to mask its activity and to relay commands from an attacker-controlled server over that network. As the Netlab researchers put it, "The process of obtaining C2 is nested in layers, like Russian nesting dolls."
To do this, Matryosh first decodes an embedded remote hostname and issues a DNS TXT request (a type of resource record) for it to obtain the Tor C2 address and a Tor proxy. It then connects to the Tor proxy, talks to the Tor C2 server through that proxy, and waits for further commands. Netlab's researchers note that the botnet's command format and its use of a Tor C2 closely resemble those of LeetHozer, another botnet created by the Moobot group.
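The lookup chain above (DNS TXT answer supplies a Tor proxy and a Tor C2, then the bot connects to that proxy) is something a defender can hunt for in DNS and connection logs. The Python below is an added detection example, not code from Netlab or the article, and it does not reproduce Matryosh's real TXT encoding, which is not shown on this page: the record layout `proxy=IP:PORT,c2=<name>.onion`, the log lines and the connection records are all constructed for the example. The logic it demonstrates is the general one: flag TXT answers that carry a .onion name or an IP:port endpoint, then check whether the querying host went on to connect to that endpoint.

```python
import re

# Constructed DNS log in a Zeek dns.log-like TSV layout:
# ts, id.orig_h, query, qtype_name, answers (comma-separated). Not real traffic.
SAMPLE_DNS_LOG = """\
1612345678.1\t10.0.0.7\tcfg.botnet-example.test\tTXT\tproxy=192.0.2.10:9050,c2=matryoshtestonly.onion
1612345679.2\t10.0.0.7\twww.example.org\tA\t93.184.216.34
1612345680.3\t10.0.0.8\t_dmarc.example.org\tTXT\tv=DMARC1; p=reject
1612345681.4\t10.0.0.9\tcfg.botnet-example.test\tTXT\tproxy=198.51.100.5:9150,c2=matryoshtestonly.onion
"""

# Constructed connection records (src, dst, dport), as a conn.log would provide.
SAMPLE_CONN_LOG = [
    ("10.0.0.7", "192.0.2.10", 9050),   # bot reached the proxy it was given
    ("10.0.0.8", "93.184.216.34", 443), # ordinary web traffic
    ("10.0.0.9", "203.0.113.9", 443),   # queried the config but never reached the proxy
]

# v2 (16 chars) and v3 (56 chars) onion service names; IPv4:port endpoints.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")
HOSTPORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def parse_dns_log(text: str):
    """Yield one dict per TSV log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, query, qtype, answers = line.split("\t")
        yield {"ts": float(ts), "src": src, "query": query,
               "qtype": qtype, "answers": answers.split(",")}


def tor_indicators(answers):
    """Return (onion names, [(ip, port), ...]) found anywhere in the TXT answer strings."""
    joined = " ".join(answers)
    onions = ONION_RE.findall(joined)
    proxies = [(ip, int(port)) for ip, port in HOSTPORT_RE.findall(joined)]
    return onions, proxies


def detect_txt_c2_lookups(dns_text: str, conn_records):
    """Flag TXT lookups whose answers look like a Tor C2/proxy configuration and
    note whether the same host then connected to one of the returned proxies."""
    conns = set(conn_records)
    alerts = []
    for rec in parse_dns_log(dns_text):
        if rec["qtype"] != "TXT":
            continue
        onions, proxies = tor_indicators(rec["answers"])
        if not onions and not proxies:
            continue  # benign TXT (SPF, DMARC, verification tokens)
        contacted = any((rec["src"], ip, port) in conns for ip, port in proxies)
        alerts.append({
            "ts": rec["ts"], "src": rec["src"], "query": rec["query"],
            "onions": onions, "proxies": proxies, "proxy_contacted": contacted,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_txt_c2_lookups(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG):
        print(alert)
```

The TXT-then-connect correlation is the useful part: a TXT answer containing an endpoint is suspicious on its own, but a host that immediately opens a connection to the endpoint it was just handed is behaving like a bot fetching its C2 configuration, which is the "downlinking the configuration from the cloud" pattern Netlab describes.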
The researchers conclude: "Matryosh's cryptographic design has some novelty, but still falls into the Mirai single-byte XOR pattern, which is why it is easily flagged by antivirus software as Mirai; the changes at the network communication level indicate that its authors wanted to implement a mechanism to protect C2 by downlinking the configuration from the cloud; doing this will bring some difficulties to static analysis or simple IOC simulators. However, the act of putting all remote hosts under the same SLD is not optimal; it might change and we will keep an eye on it. All the related domains have been blocked by our DNSmon system. Based on these considerations, we speculate that Matryosh is the new work of this parent group."