
Matryosh Botnet

Infosec researchers discovered a new botnet that is still in its initial stages of being established. Named Matryosh, the botnet exploits Android devices that have the Android Debug Bridge (ADB) left enabled and exposed to the Internet by the vendor. This diagnostics and debugging interface has already been used as a compromise vector by several different malware strains over the past couple of years, including Trinity, ADB.Miner, Fbot, Ares and IPStorm. It should also be noted that the Matryosh Botnet shares several striking similarities with two previously deployed botnets named Moobot and LeetHozer, leading researchers to conclude that the same attack group is responsible for all three.
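The initial-access condition this entry describes, adbd reachable over the network rather than only over USB, can be verified from the defender's side on a device that is already authorized for adb. The script below is an added example, not code from this page or from any vendor tool; it assumes the adb binary is on PATH and the standard names adbd consults (the service.adb.tcp.port and persist.adb.tcp.port properties, and the adb_enabled global setting). The classification step is kept separate so it can also be run offline on values captured from a fleet inventory.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

ADB = ["adb"]  # assumption: the adb binary is on PATH


@dataclass
class AdbExposure:
    adb_enabled: bool
    tcp_port: Optional[int]  # None means adbd is bound to USB only

    @property
    def network_exposed(self) -> bool:
        # The Matryosh vector needs both: debugging on AND a TCP listener.
        return self.adb_enabled and self.tcp_port is not None


def parse_tcp_port(raw: str) -> Optional[int]:
    """Interpret a *.adb.tcp.port value: empty, '-1' or '0' mean no listener."""
    raw = raw.strip()
    if not raw:
        return None
    try:
        port = int(raw)
    except ValueError:
        return None
    return port if 0 < port < 65536 else None


def assess(adb_enabled_raw: str, service_port_raw: str, persist_port_raw: str) -> AdbExposure:
    """Pure classification on raw command output (works offline on captured values).

    Mirrors adbd's lookup order as I understand it: service.adb.tcp.port is
    consulted first, and persist.adb.tcp.port only when the former is unset.
    """
    enabled = adb_enabled_raw.strip() == "1"  # 'null' or '0' both count as off
    port_raw = service_port_raw.strip() or persist_port_raw.strip()
    return AdbExposure(adb_enabled=enabled, tcp_port=parse_tcp_port(port_raw))


def _shell(serial: str, cmd: str) -> str:
    res = subprocess.run(ADB + ["-s", serial, "shell", cmd],
                         capture_output=True, text=True, timeout=15, check=False)
    return res.stdout


def assess_device(serial: str) -> AdbExposure:
    """Query one attached device (identified by its adb serial) and classify it."""
    return assess(_shell(serial, "settings get global adb_enabled"),
                  _shell(serial, "getprop service.adb.tcp.port"),
                  _shell(serial, "getprop persist.adb.tcp.port"))


if __name__ == "__main__":
    import sys
    result = assess_device(sys.argv[1])
    state = "EXPOSED over TCP" if result.network_exposed else "USB-only or disabled"
    print(f"adb_enabled={result.adb_enabled} tcp_port={result.tcp_port}: {state}")
```

A device reported as exposed should have adbd returned to USB-only (and ideally USB debugging turned off) before it is allowed on a routable network.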

What sets the Matryosh Botnet apart is that its Command-and-Control (C2, C&C) server is hosted on the TOR network, making it that much harder to detect. Furthermore, the threat obtains the address of the server through a complex, multi-layered process.

When deployed, Matryosh will be able to carry out DDoS (Distributed Denial-of-Service) attacks, which was also the primary function of the previous two botnets deployed by the hacker group. The attacks can be launched via the TCP, UDP and ICMP protocols.

