A new DDoS botnet propagates via the Android Debug Bridge and uses Tor to hide its activity.

Researchers are warning a new botnet is recycling the Mirai malware framework and is now targeting Android devices in order to launch distributed denial-of-service (DDoS) attacks.

The botnet is dubbed Matryosh (after a Matryoshka Russian nesting doll) due to many of its functions being “nested” in layers, researchers said. The botnet propagates through the Android Debug Bridge (ADB) interface. This is a command-line utility that is included in Google’s Android software development kit (SDK). ADB allows developers to communicate with devices remotely, to execute commands and to fully control the device.

Also of note, Matryosh uses the Tor network to cloak its malicious activity and prevent command server takedowns.

, Android Devices Prone to Botnet’s DDoS Onslaught

“The changes at the network communication level indicates that its authors wanted to implement a mechanism to protect C2,” said researchers with 360 Netlab this week. “Doing this will bring some difficulties to static analysis or simple IOC simulator.”

Android Debug Bridge Used For Botnet Propagation

ADB is completely unauthenticated – but in order to abuse it attackers would need to first enable the Debug Bridge on the device. However, many vendors have shipped products with the Android Debug Bridge enabled.

This means that the feature is listening on port 5555 and enables anyone to connect with affected devices over the internet. Researchers did not specify which vendors leave the feature on in their Android devices by default. Android devices can vary from smartphones to televisions.

“This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’ — the administrator mode — and then silently install software and execute malicious functions,” security researcher Kevin Beaumont has previously written about ADB. Beyond Matryosh, many botnets have leveraged this issue – including ADB.Miner.

Matryosh: A Mirai Botnet Copycat

Researchers first discovered Matryosh in a suspicious ELF file on Jan. 25. Anti-virus software detectors labeled the file as Mirai; however, upon closer inspection researchers found that the network traffic of the file did not match Mirai’s characteristics. That’s because Matryosh reuses Mirai’s framework.

Mirai is an infamous botnet most widely known for its massive DDoS attack against DNS provider Dyn in 2016, which crippled Internet service on the East Coast of the United States and took down several popular services (such as Netflix).

In 2016, Mirai’s alleged author released its source code – making it easier for copycats to launch their own Mirai variants.

New Botnet Features in Matryosh

Researchers noted that Matryosh’s cryptographic design “has some novelty” – but still falls into the Mirai single-byte XOR pattern. This is a downfall for the botnet because it is easily flagged by anti-virus software systems as Mirai, they said.

Beyond this, the botnet has no integrated scanning features or vulnerability exploitation modules, researchers noted.

What does stand out about the botnet is its use of Tor proxies, which is obtained from remote hosts via a DNS TXT record (a record that stores text notes on a DNS server).

“The function of Matryosh is relatively simple, when it runs on [the] infected device, it renames the process … to confuse the user,” said researchers. “Then [it] decrypts the remote hostname and uses the DNS TXT request to obtain [the] TOR C2 and TOR proxy.”

After establishing a connection with the TOR proxy, the botnet communicates with the TOR C2 through the proxy and waits for the execution of the commands sent by C2.

Who is Behind the Matryosh Botnet?

Researchers speculate that the Moobot group is behind Matryosh. Moobot is a fairly new botnet family based on Mirai botnet, which targets internet of things (IoT) devices.

Researchers mde these conclusions because Matryosh and Moobot’s recent LeetHozer botnet branch have several similarities. For instance, they both use a model like the TOR C2, and their C2 port (31337) and attack method names are the same. Finally, the C2 command format is “highly similar,” said researchers.

Matryosh is only one of many recent botnet strains to surface, which over the past years have included Kaiji, Dark_Nexus, MootBot and the DDG botnet.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!