While Matryosh targets Android users by reusing the Mirai botnet framework which propagates via Android Debug Bridge (ADB) interfaces to infect Android devices. The ADB command-line tool is also part of the Android SDK that allows developers to debug their apps and handle communications on Android devices.
On the other hand, the ZHtrap botnet employs a similar technique by integrating an IP collection module for gathering IP addresses which are used as targets for worm-like propagation.
How ZHtrap Botnet traps Victims using a Honeypot?
The ZHtrap botnet gather IP addresses that are used as targets for further worm-like propagation, in addition to setting up a honeypot on the infected device.
It takes advantage of known vulnerabilities to propagate, and besides functionality such as DDoS and scanning, ZHtrap also implements backdoor functionality, which allows it to take snapshots from the victim devices, and disable the running of new commands, thus maintaining exclusivity over the device.
And by identifying IP addresses that connect to 23 designated ports, ZHtrap amasses IP addresses which it uses to inspect for the vulnerabilities, in order to inject the payload.
ZHtrap uses Tor C2 and communicates with the C2 using a proxy, with the first packet as the header and the second packet as the body; after sending the registration packet, it waits for the C2 to send the command, and if the header of the command packet passes the check, it selects the processing flow based on the command specified by the third byte in the header.
Obviously, ZHtrap takes a cue from Matryosh by using Tor for communication with a c2 server to download and execute its payloads. Albeit, many botnets uses worm-like scan propagation, ZHtrap's honeypot marks an "interesting" evolution of botnets to facilitate finding more targets.