Security researchers at the China-based Netlab 360 security firm have discovered a new botnet re-using the Mirai botnet framework. Dubbed Matryosh, the botnet has its own unique characteristics and spreads through Android devices that expose the Android Debug Bridge (ADB) feature to the Internet. Taking after the source that it is based on, the main purpose of Matryosh is to conduct Distributed Denial-of-Service (DDoS) attacks. Analysis by Netlab shows that the payload used in the attacks does not contain any code for network scanning or exploitation. Though simple in nature, the process for finding a command and control (C2) server involved decrypting a hard-coded hostname to perform a DNS TXT record request, revealing a Tor C2 and proxy. All communication to the C2 is done through this proxy.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in