A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service (DDoS) attacks.
Called "[Matryosh](<https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/>)" by Qihoo 360's Netlab researchers, the latest threat has been found reusing the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare them into its network.
ADB is a [command-line tool](<https://developer.android.com/studio/command-line/adb>) that is part of the Android SDK; it handles communication with a device and allows developers to install and debug apps on Android devices.
While this option is turned off by default on most Android smartphones and tablets, some vendors ship with this feature enabled, thus allowing unauthenticated attackers to connect remotely via the 5555 TCP port and open the devices directly to exploitation.
This is not the first time a botnet has taken advantage of ADB to infect vulnerable devices.
In July 2018, open ADB ports were used to spread multiple [Satori botnet](<https://www.trendmicro.com/en_us/research/18/g/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices.html>) variants, including [Fbot](<https://blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/>), and a year later, a new [cryptocurrency-mining botnet](<https://www.trendmicro.com/en_us/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html>) malware was discovered, making inroads using the same interface to target Android device users in Korea, Taiwan, Hong Kong, and China.
But what makes Matryosh stand out is its use of Tor to mask its malicious activity and funnel commands from an attacker-controlled server through the network.
"The process of obtaining C2 is nested in layers, like [Russian nesting dolls](<https://en.wikipedia.org/wiki/Matryoshka_doll>)," Netlab researchers said.
To achieve this, Matryosh first decrypts the remote hostname and issues a [DNS TXT](<https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/>) request (a type of resource record) to obtain the Tor C2 address and the Tor proxy. It then connects to the Tor proxy, communicates with the Tor C2 server through that proxy, and awaits further instructions from the server.
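The two observable behaviours described above, an ADB port (TCP 5555) reachable from outside the network and a DNS TXT lookup followed shortly by an outbound connection, can be checked against flow and DNS logs. The following is an added detection example, not code from the article or from Netlab; the log format, the address values and the proxy port are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). Format per line:
# "<ISO timestamp> <FLOW|DNS> <src_ip> <dst_ip> <detail>"
# FLOW detail is the destination port, DNS detail is the record type queried.
SAMPLE_LOG = """\
2021-02-03T10:00:01 FLOW 203.0.113.9 192.168.1.20 tcp/5555
2021-02-03T10:00:05 FLOW 192.168.1.21 192.168.1.20 tcp/5555
2021-02-03T10:02:10 DNS 192.168.1.20 198.51.100.53 TXT
2021-02-03T10:02:12 FLOW 192.168.1.20 198.51.100.77 tcp/9050
2021-02-03T11:00:00 DNS 192.168.1.30 198.51.100.53 A
"""

ADB_PORT = "tcp/5555"
# Networks considered "inside"; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse(log_text):
    """Turn the log text into (timestamp, kind, src, dst, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, kind, src, dst, detail = line.split()
            events.append((datetime.fromisoformat(ts), kind, src, dst, detail))
    return sorted(events)

def external_adb_exposure(events):
    """Hosts that accepted an ADB (tcp/5555) connection from an external source."""
    hits = {dst for _, kind, src, dst, detail in events
            if kind == "FLOW" and detail == ADB_PORT and not is_internal(src)}
    return sorted(hits)

def txt_then_outbound(events, window=timedelta(minutes=5)):
    """(host, destination, port) where a host issued a DNS TXT query and then
    opened an outbound connection to an external address within `window`,
    the C2 bootstrap pattern the article attributes to Matryosh. The port is
    not part of the match, so a non-default proxy port is still caught."""
    last_txt, flagged = {}, set()
    for ts, kind, src, dst, detail in events:
        if kind == "DNS" and detail == "TXT":
            last_txt[src] = ts
        elif kind == "FLOW" and src in last_txt and not is_internal(dst):
            if ts - last_txt[src] <= window:
                flagged.add((src, dst, detail))
    return sorted(flagged)
```

A host appearing in both results (ADB reachable from outside, then the TXT-then-connect sequence) is the one to isolate first; the connection from 192.168.1.21 is internal and is deliberately not flagged.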
Netlab researchers said the emerging botnet's command format and its use of a Tor C2 are highly similar to those of another botnet called LeetHozer, which is developed by the Moobot group.
"Based on these considerations, we speculate that Matryosh is the new work of this parent group," the researchers concluded.
Source: The Hacker News, published 2021-02-04, https://thehackernews.com/2021/02/beware-new-matryosh-ddos-botnet.html