
Android devices caught in Matryosh botnet

February 9, 2021

Researchers at Netlab have discovered a new botnet that re-uses the Mirai framework to pull vulnerable Android devices into DDoS attacks.

The new botnet, called Matryosh, is named after the Russian nesting dolls because both the encryption algorithm it uses and the process of obtaining its command and control (C2) are nested in layers. The botnet supports tcpraw, icmpecho, and udpplain DDoS attacks.

How does Matryosh spread?

Like other botnets before it, Matryosh propagates via Android Debug Bridge (ADB), a diagnostic and debugging interface that uses port 5555. While ADB has a genuine use for developers, an internet-facing ADB also opens the way for remote attacks.
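
One way to check for the exposure described above from the defender's side, as an added example that is not from the Netlab or Malwarebytes write-ups: it scans firewall records for accepted inbound TCP connections to port 5555 that originate outside the internal ranges. The log format, field names, internal ranges and sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ADB_TCP_PORT = 5555  # ADB port named in the article

# Assumed internal address space; adjust to the network being audited.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
ts=2021-02-09T10:00:01Z action=accept proto=tcp src=198.51.100.23 dst=10.0.4.17 dport=5555
ts=2021-02-09T10:00:02Z action=drop proto=tcp src=203.0.113.9 dst=10.0.4.18 dport=5555
ts=2021-02-09T10:00:05Z action=accept proto=tcp src=10.0.1.50 dst=10.0.4.17 dport=5555
ts=2021-02-09T10:00:09Z action=accept proto=tcp src=203.0.113.77 dst=10.0.4.17 dport=5555
ts=2021-02-09T10:00:12Z action=accept proto=udp src=198.51.100.23 dst=10.0.4.19 dport=5555
ts=2021-02-09T10:00:15Z action=accept proto=tcp src=198.51.100.23 dst=10.0.4.20 dport=443
malformed line without fields
"""

def is_internal(addr):
    """True if addr falls in one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return the record's fields as a dict, or None if any are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    required = {"action", "proto", "src", "dst", "dport"}
    return fields if required <= fields.keys() else None

def exposed_adb_hosts(log_text):
    """Map internal hosts to external sources whose TCP/5555 traffic was accepted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            inbound = is_internal(rec["dst"]) and not is_internal(rec["src"])
            port = int(rec["dport"])
        except ValueError:
            continue  # unparseable address or port
        if (rec["action"] == "accept" and rec["proto"] == "tcp"
                and port == ADB_TCP_PORT and inbound):
            hits[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in hits.items()}
```

Any host this returns accepted an ADB-port connection from outside the network and is a candidate for having network debugging disabled or the port blocked at the perimeter.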

Read More on Malwarebytes