
Researchers discover new Matryosh botnet

Introduction

On January 25, 2021, the researchers' monitoring system flagged a suspicious ELF file as Mirai, but its network traffic did not match Mirai's characteristics. This mismatch caught the researchers' attention.

Analysis showed that it is a new botnet that reuses the Mirai framework. It redesigned the encryption algorithm, obtains its TOR proxy from a DNS TXT record, and then reaches the TOR C2 through that proxy. Because both the encryption and the address-acquisition process are nested in layers like Russian nesting dolls, we named it Matryosh.

As the analysis progressed, more details emerged. Based on similarities in the command format, we speculate that this is another work of the Moobot group, which is currently active.

Matryosh has no integrated scanning or vulnerability exploitation module. Its main function is DDoS; it supports the tcpraw, icmpecho and udpplain attack types. The basic process is shown in the figure below.

[Figure: basic process of Matryosh]

Matryosh currently spreads via the Android Debug Bridge (ADB). The captured payload's main function is to download and execute a script from the remote host 199.19.226.25. That script, shown below, in turn downloads and executes Matryosh samples built for various CPU architectures from a remote host.

[Figure: downloader script fetched from 199.19.226.25]

Conclusion

Matryosh's encryption scheme is new in design, but it is still the single-byte XOR style used by Mirai, which is why antivirus engines readily flag it as Mirai. The changes at the network communication level show that the Matryosh authors want a mechanism for delivering configuration from the cloud; that makes static analysis and simple IOC extraction harder.
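The point above is that a redesigned key schedule buys nothing while the cipher is still byte-wise XOR. The following added example (written for this page; it is not code from the Netlab report and not Matryosh's own routine) shows why analysts and AV engines treat the whole family alike: classic Mirai XORs every table byte with the four bytes of 0xDEADBEEF in turn, which collapses to one byte, and because each table entry carries its encrypted C string terminator, the key leaks from the last byte. The sample table is constructed from two Mirai-style strings, not extracted from a Matryosh binary.

```python
"""
Recovering Mirai-style single-byte XOR strings.

Added example for this article; not code from the Netlab report and not
Matryosh's own routine.  It models classic Mirai table obfuscation
(toggle_obf with key 0xDEADBEEF); the sample entries are constructed.
"""
from typing import List, Optional

MIRAI_TABLE_KEY = 0xDEADBEEF


def mirai_effective_key(table_key: int = MIRAI_TABLE_KEY) -> int:
    """Mirai XORs each byte with k1, k2, k3 and k4 in turn.  XOR is
    associative, so the four passes equal one pass with k1^k2^k3^k4."""
    key = 0
    for shift in (24, 16, 8, 0):
        key ^= (table_key >> shift) & 0xFF
    return key


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply (or undo) a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def key_from_nul_terminator(entry: bytes) -> int:
    """Mirai table entries include the C string terminator, so the last
    ciphertext byte is 0x00 ^ key: the key leaks without any search."""
    return entry[-1]


def looks_like_c_strings(plain: bytes) -> bool:
    """Accept only NUL-terminated runs of printable ASCII."""
    return (
        len(plain) > 1
        and plain[-1] == 0
        and all(0x20 <= b < 0x7F or b == 0 for b in plain)
    )


def brute_force_key(blob: bytes) -> Optional[int]:
    """Try every non-zero key and keep those that decode to printable,
    NUL-terminated strings.  A wrong key cannot turn the final byte into
    NUL, so for genuine table data the candidate is unique."""
    hits = [k for k in range(1, 256)
            if looks_like_c_strings(xor_single_byte(blob, k))]
    return hits[0] if len(hits) == 1 else None


def decrypt_table(entries: List[bytes]) -> List[str]:
    """Decode each entry with the key its own terminator leaks, drop the NUL."""
    return [
        xor_single_byte(e, key_from_nul_terminator(e))[:-1].decode("ascii")
        for e in entries
    ]


# Constructed sample: two Mirai-style strings obfuscated with the effective key.
SAMPLE_PLAIN = [b"/bin/busybox\x00", b"/proc/self/exe\x00"]
SAMPLE_TABLE = [xor_single_byte(p, mirai_effective_key()) for p in SAMPLE_PLAIN]

if __name__ == "__main__":
    print(f"effective key : 0x{mirai_effective_key():02x}")
    print("leaked keys   :", [hex(key_from_nul_terminator(e)) for e in SAMPLE_TABLE])
    print("brute force   :", hex(brute_force_key(b"".join(SAMPLE_TABLE))))
    print("strings       :", decrypt_table(SAMPLE_TABLE))
```

The same three functions apply to any variant that keeps the byte-wise XOR shape: changing the constant or the order of the four passes changes only the value that `brute_force_key` recovers, not the effort.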

IOCs

Domains:
kk.hiddenservice.xyz
er.hiddenservice.xyz
jy.hiddenservice.xyz
fe.hiddenservice.xyz
xf.hiddenservice.xyz
oc.hiddenservice.xyz
jb.hiddenservice.xyz
ai.hiddenservice.xyz
bi.hiddenservice.xyz
fg.hiddenservice.xyz
hosts.hiddenservice.xyz
onion.hiddenservice.xyz

TOR C2:
4qhemgahbjg4j6pt.onion:31337

Proxy (IP:port):
46.105.34.51:999
139.99.239.154:9095
139.99.134.95:9095
198.27.82.186:9050
188.165.233.121:9151
198.245.53.58:9095
51.83.186.134:9095
139.99.45.195:9050
51.195.91.193:9095
147.135.208.13:9095

MD5:
6d8a8772360034d811afd74721dbb261
9e0734f658908139e99273f91871bdf6
c96e333af964649bbc0060f436c64758
e763fab020b7ad3e46a7d1d18cb85f66
594f40a39e4f8f5324b3e198210ac7db
1151cd05ee4d8e8c3266b888a9aea0f8
93530c1b942293c0d5d6936820c6f6df
b9d166b8e9972204ac0bbffda3f8eec6

SHA1:
83ae18f30b0b62be8e93d78071b5353b371dbba3
e426d0e887ee9ed633f3b2b77397d722a0a6b375
0f01f01bdaf673e527271a0afc7bf99e9e725926
5c8a2a01b01b6936db943f0ac7333a7d3209ff49
9c5a92716d1585d7d6f170017a2fd338ac5b3282
ea3dc1fc68bf22fbe1737753233f0e823c7c4c6b

SHA256:
cff758b5c0eaadeb8e7be306ab2f0a1806bd4501455f3ce02db2ed7426d9a2cb
c2f3362bea0161a1271fa86d862d7d33d397d58e1ef6bd008ad2ccbf1c34ee16
c0a4f8d6b11d1492b9c0ea5cfff1b732567152e87bcc71694592425e53d520db
7b4f8d6c4e8767d55e3f34ae356845d50f18b86ac3a3c59eed98ae7aa5970251
c56a72b77af93bdd95e333f0494d467d83e9ceaa4c8505753ca0d2a733f7e5af
d54827a54be0e45c55f709a29d1fc9dc19445895b30a7583b162223b21dac660
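To turn the list above into something a SOC can actually run, here is an added example (mine, not part of the Netlab report) that buckets each indicator by its shape and then matches a DNS log, a flow log and a table of file hashes against it. A subset of the indicators above is embedded; the log lines, file paths and digests are constructed for the demonstration (the notes.txt digest is the SHA-256 of an empty file), and the log field names `name=` and `dst=` are an assumed format.

```python
"""
Bucket the IOCs above by type and match logs and file hashes against them.

Added example; not part of the Netlab report.  The indicator strings are a
subset of the list above; the log lines, paths and digests are constructed.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

IOC_TEXT = """
kk.hiddenservice.xyz
hosts.hiddenservice.xyz
onion.hiddenservice.xyz
4qhemgahbjg4j6pt.onion:31337
46.105.34.51:999
198.27.82.186:9050
147.135.208.13:9095
6d8a8772360034d811afd74721dbb261
83ae18f30b0b62be8e93d78071b5353b371dbba3
cff758b5c0eaadeb8e7be306ab2f0a1806bd4501455f3ce02db2ed7426d9a2cb
"""

# Order matters: the strict hash and onion patterns run before the loose domain one.
IOC_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
    ("sha1", re.compile(r"^[0-9a-f]{40}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("onion", re.compile(r"^[a-z2-7]{16,56}\.onion(?::\d{1,5})?$")),
    ("ipport", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")),
]


def classify_iocs(text: str) -> Dict[str, Set[str]]:
    """Bucket each non-empty line by indicator type; unrecognised shapes go to 'unknown'."""
    buckets: Dict[str, Set[str]] = {name: set() for name, _ in IOC_PATTERNS}
    buckets["unknown"] = set()
    for raw in text.splitlines():
        ioc = raw.strip().lower()
        if not ioc:
            continue
        for name, pattern in IOC_PATTERNS:
            if pattern.match(ioc):
                buckets[name].add(ioc)
                break
        else:
            buckets["unknown"].add(ioc)
    return buckets


def domain_matches(name: str, domains: Set[str]) -> bool:
    """Exact match or label-boundary suffix match (cdn.kk.hiddenservice.xyz hits kk.hiddenservice.xyz)."""
    name = name.lower().rstrip(".")
    return name in domains or any(name.endswith("." + d) for d in domains)


def scan_dns_log(lines: Iterable[str], domains: Set[str]) -> List[Tuple[int, str]]:
    """(line number, queried name) for records whose assumed name= field matches an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bname=(\S+)", line)
        if m and domain_matches(m.group(1), domains):
            hits.append((n, m.group(1)))
    return hits


def scan_flow_log(lines: Iterable[str], ipports: Set[str]) -> List[Tuple[int, str]]:
    """(line number, dst) for flow records whose assumed dst=ip:port is a listed endpoint."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bdst=(\S+)", line)
        if m and m.group(1) in ipports:
            hits.append((n, m.group(1)))
    return hits


def scan_hashes(files: Dict[str, str], iocs: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map path -> hash type for files whose md5/sha1/sha256 digest is listed."""
    known = {h: t for t in ("md5", "sha1", "sha256") for h in iocs[t]}
    return {p: known[d.lower()] for p, d in files.items() if d.lower() in known}


# Constructed sample logs and hashes (not real traffic or real files).
DNS_LOG = [
    "2021-01-26T03:14:02Z client=10.0.0.7 qtype=A name=hosts.hiddenservice.xyz",
    "2021-01-26T03:14:05Z client=10.0.0.7 qtype=A name=www.example.com",
    "2021-01-26T03:14:09Z client=10.0.0.9 qtype=A name=cdn.kk.hiddenservice.xyz",
]
FLOW_LOG = [
    "2021-01-26T03:14:10Z src=10.0.0.7:41022 dst=198.27.82.186:9050 proto=tcp",
    "2021-01-26T03:14:11Z src=10.0.0.7:41023 dst=93.184.216.34:443 proto=tcp",
]
FILE_HASHES = {
    "/data/local/tmp/x86": "cff758b5c0eaadeb8e7be306ab2f0a1806bd4501455f3ce02db2ed7426d9a2cb",
    "/data/local/tmp/notes.txt": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    iocs = classify_iocs(IOC_TEXT)
    print({k: len(v) for k, v in iocs.items()})
    print("dns :", scan_dns_log(DNS_LOG, iocs["domain"]))
    print("flow:", scan_flow_log(FLOW_LOG, iocs["ipport"]))
    print("hash:", scan_hashes(FILE_HASHES, iocs))
```

Suffix matching is deliberate: a hostname under a listed domain should still alert, while the bare apex hiddenservice.xyz is not in the list and is therefore not matched, so add it yourself if your policy is to block the whole zone.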