New DDoS Botnet Spreading via Android devices

There is a new DDoS botnet, dubbed "Matryosh", whose malware campaign targets Android devices to build a botnet whose primary purpose is carrying out DDoS (distributed denial-of-service) attacks.

According to Qihoo 360's Netlab researchers, Matryosh reuses the Mirai botnet framework and propagates via Android Debug Bridge (ADB) interfaces to infect Android devices. The ADB command-line tool is part of the Android SDK; it lets developers debug apps and handles communication with Android devices.

Although ADB is turned off by default on most Android devices, some vendors ship it enabled, which lets attackers connect remotely and exposes the devices to exploitation.

How Matryosh DDoS Botnet targets Android-Based Devices

First, Matryosh decrypts the remote hostname and sends a DNS TXT request to obtain the Tor C2 and Tor proxy addresses; it then connects to the Tor proxy and communicates with the Tor C2 server through that proxy to receive further instructions.

It propagates via ADB; the captured payload's main function is to download and execute scripts from the remote host. Both the encryption algorithm implemented in Matryosh and the process of obtaining the C2 are nested in layers. The botnet stands out from similar malware campaigns because it uses Tor to mask its activity and funnels commands from the attacker-controlled server over that network.

Matryosh also stores sensitive resources in encrypted form to prevent the relevant functions from being spotted by security researchers.

Efforts to thwart Matryosh DDoS Botnet from Spreading

Matryosh's cryptographic design follows the Mirai single-byte XOR pattern, which makes it easy for antivirus software to flag it as Mirai; but the changes at the network level indicate that its authors wanted to protect the C2 by downlinking the configuration from the cloud, which complicates static analysis.
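As an added example (not from Netlab's report or the Matryosh sample itself), a Python helper that recovers strings obfuscated with the Mirai-style single-byte XOR mentioned above; the NUL-separated table layout, the placeholder domain and the crib string are constructed assumptions, and the key value comes from Mirai's published table.c.

```python
"""Recover strings obfuscated with a Mirai-style single-byte XOR.

Mirai's table.c XORs every byte with the four bytes of 0xdeadbeef in turn,
which collapses to one XOR byte (0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22); this is
the low-effort pattern that lets antivirus engines flag Mirai derivatives.
"""
from typing import List, Optional

MIRAI_TABLE_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF  # == 0x22


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with `key`; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key_with_crib(blob: bytes, crib: bytes) -> Optional[int]:
    """Return the key under which `crib` appears in the decoded blob, else None."""
    for key in range(256):
        if crib in xor_single_byte(blob, key):
            return key
    return None


def candidate_keys(blob: bytes, min_printable: float = 0.9) -> List[int]:
    """Keys under which the decoded blob is mostly printable ASCII.

    A single-byte XOR preserves byte frequencies, so a text config decodes to
    printable output under several keys; a short candidate list is itself a
    sign that a single-byte XOR was used (the crib then picks the real key).
    """
    if not blob:
        return []
    printable = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return [k for k in range(256)
            if sum(b in printable for b in xor_single_byte(blob, k)) / len(blob) >= min_printable]


def decode_table(blob: bytes, key: int) -> List[str]:
    """Decode a NUL-separated string table (Mirai table layout) into its entries."""
    return [s.decode("ascii", "replace") for s in xor_single_byte(blob, key).split(b"\x00") if s]


# Constructed sample: placeholder table entries encrypted with the Mirai byte.
SAMPLE_ENTRIES = [b"c2.example.invalid", b"/proc/self/exe", b"GET / HTTP/1.1"]
SAMPLE_BLOB = xor_single_byte(b"\x00".join(SAMPLE_ENTRIES) + b"\x00", MIRAI_TABLE_KEY)

if __name__ == "__main__":
    key = recover_key_with_crib(SAMPLE_BLOB, b"HTTP/1.1")
    print(f"key=0x{key:02x} printable-candidates={len(candidate_keys(SAMPLE_BLOB))}")
    print(decode_table(SAMPLE_BLOB, key))
```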

Putting all remote hosts under the same SLD (second-level domain), though not optimal for the operators, might change, and Qihoo 360's Netlab researchers have promised to keep an eye on it. All related domains have already been blocked by their DNSmon system.
