New Botnet Reuse the Mirai Framework to Perform DDoS Attack on Android Devices

Recently, the Chinese security firm Qihoo 360’s networking security division Netlab has discovered a nascent malware campaign. 

This campaign has been spotted co-opting the Android devices into a botnet along with the principal objective of carrying out distributed denial-of-service (DDoS) attacks.

The botnet malware that has been detected by the researchers at Qihoo 360’s Netlab are summoning it “Matryosh”. The security firm’s 360 Netlab BotMon system has marked a suspect ELF file as Mirai, but the network traffic didn’t match the characteristics of Mirai.

After proper investigations, the experts came to know that this is a new botnet that has reused the Mirai framework, developed through the ADB interface.

Here, the main reason for call its Matryosh is that its functions are layered like a Russian matryoshka nesting doll, utilizing the Android Debug Bridge (ADB) interface to affect all the devices.


According to the report, that has been declared by the Chinese experts, Matryosh is propagated via ABD, and its main function is to download and perform scripts from the remote host

The primary function of the downloaded script is to download and execute Matryosh samples of multiple CPU designs from the remote host.

As this botnet, Matryosh simply collects all the encrypted sensitive resources to prevent the appropriate functions, so that the experts can’t spot them.  

Matryosh Uses Tor Network

Moreover, the Matryosh uses the Tor network, and the main reason for using this network is that it helps in hiding its command-and-control servers. Furthermore, it uses a multi-layered method so that it can get the server address. 

Connection with Moobot group

Moobot group is one of the innovating group in encryption algorithms and network communication, and it’s the most active botnet too. The Chinese experts have detected a new branch that this new group has generated.  

The branch name is LeetHozer, and it was detected on April 27, 2020, when the Moobot group compared with Matryosh, the experts found some similarities. And the similarities were reflected in the three features, and here we have mentioned them below:-

  • Utilizing a model like TOR C2
  • C2 port (31337) & attack process name is the same
  • C2 command format is very similar

What can users do? 

Users can simply, turn off their ADB feature going to the setting in the OS options, but this kind of option is not available in many other Android devices.  

Therefore, many systems remain vulnerable and exposed, however providing botnets like Matryosh and others with a substantial mass of devices they can exploit for crypto-mining, DNS hijacking, or DDoS attacks.

Matryosh is one of the active cryptographic design, but, still, it is not strong enough to tackle with  Mirai single-byte XOR pattern, which is why it is undoubtedly flagged by antivirus software as Mirai.

The experts are trying there best to summons all the possible outcomes, and provide the best suggestions for the users. But, in reality, the Matryosh botnet doesn’t seem to have prepared anything fancy for the long run.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.