xlabs_v1 Mirai-Based Botnet Exploits ADB to Target IoT Devices in DDoS Attacks

Cybersecurity researchers have uncovered a new Mirai-based botnet, tracked as xlabs_v1, that targets Internet-exposed devices running the Android Debug Bridge (ADB) service and enlists them into a network capable of carrying out distributed denial-of-service (DDoS) attacks.

Hunt.io, which detailed the malware, said it discovered the botnet after identifying an open directory index on a Netherlands-hosted server at the IP address “176.65.139[.]44” that could be browsed without any authentication.

The malware supports “21 types of floods across TCP, UDP, and raw protocols, including RakNet and OpenVPN-based UDP, which can bypass consumer-grade DDoS protection,” Hunt.io said, adding that it is offered as a DDoS-for-hire service designed to target game servers and Minecraft hosts.

What makes xlabs_v1 notable is that it looks for Android devices with the ADB service exposed on TCP port 5555, which means any hardware that ships with the service enabled by default, such as Android TV boxes, set-top boxes, and smart TVs, is a potential target.

Besides the Android APK (“boot.apk”), the malware supports multiple architectures including ARM, MIPS, x86-64, and ARC, indicating that it is also designed to target residential routers and Internet of Things (IoT) hardware.

The result is a purpose-built botnet designed to receive attack commands from the user panel (“xlabslover[.]lol”) and generate large volumes of junk traffic on demand, aimed primarily at DDoS attacks on game servers.

“The bot is based on ARMv7, runs on stripped Android firmwares, and is delivered via ADB-shell pastes to /data/local/tmp,” Hunt.io explained. “Nine user-friendly payment lists are optimized for Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that ships with ADB enabled.”

There is also evidence that the DDoS-for-hire service prices its attacks by bandwidth. This assessment is based on the presence of a bandwidth-measurement routine that collects the victim device’s bandwidth and geolocation.

This component opens 8,192 parallel TCP sockets to a local Speedtest server, saturates them for 10 seconds, and reports the measured transfer rate back to the panel. The goal, Hunt.io noted, is to price each compromised device for the service’s paying customers.

An important point to note is that the bot exits after reporting the bandwidth figure in megabits per second (Mbps), which means the operator must re-infect the device through the same ADB access channel, since there is no persistence mechanism.

“The bot does not write to disk persistence, does not modify init scripts, does not create systemd units, and does not register cron jobs,” Hunt.io said. “This design suggests that the operator views the screening bandwidth as a function of updating each flight phase rather than checking each attack before the flight, and the result of the cycle of exit and re-infection is the purpose of the design.”
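Two of the behaviours described above are easy to look for in network telemetry: inbound connections to TCP/5555 (ADB) from outside the local network, and a single device opening thousands of TCP connections to one destination within a roughly 10-second window, the shape of the bandwidth probe. The following detection sketch is an added example written for this page; it is not Hunt.io’s code or a sample from the botnet. The log line format, the local network range (192.168.1.0/24), the alert threshold of 1,000 connections, and all sample log lines are constructed assumptions.

```python
"""Detection sketch over constructed connection-log lines (added example).

Two xlabs_v1 behaviours from the write-up are checked:
  1. inbound TCP connections to the ADB port (5555) from outside the local network
  2. one device opening a burst of TCP connections to a single destination
     inside a short window, the shape of the 8,192-socket bandwidth probe
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADB_PORT = 5555
BURST_SOCKETS = 1000                 # assumed alert threshold; the probe opens 8,192
BURST_WINDOW = timedelta(seconds=10)  # the probe runs for about 10 seconds
LOCAL_NETS = [ip_network("192.168.1.0/24")]  # assumed internal range for the sample


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO-8601 time> <proto> <src>:<sport> -> <dst>:<dport>'.
    Returns a dict, or None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src, sport = parts[2].rsplit(":", 1)
        dst, dport = parts[4].rsplit(":", 1)
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "proto": parts[1].lower(),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        }
    except ValueError:
        return None


def is_local(addr):
    """True when the address falls inside one of the configured internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def find_exposed_adb(records):
    """Inbound TCP connections to the ADB port from non-local sources.
    Returns sorted unique (src, dst) pairs."""
    hits = set()
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == ADB_PORT and not is_local(r["src"]):
            hits.add((r["src"], r["dst"]))
    return sorted(hits)


def find_bandwidth_bursts(records, threshold=BURST_SOCKETS, window=BURST_WINDOW):
    """One source opening `threshold` or more TCP connections to a single
    destination within `window`. Returns {(src, dst): peak_connections_in_window}."""
    by_pair = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp":
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    bursts = {}
    for pair, times in by_pair.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):       # sliding window over sorted timestamps
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            bursts[pair] = peak
    return bursts


def build_sample_log():
    """Constructed sample: two external probes of ADB, one benign internal ADB
    session, one mDNS packet, and a 1,200-connection burst from one TV box
    to one internal host over about 8 seconds."""
    base = datetime(2025, 1, 1, 12, 0, 0)
    lines = [
        f"{base.isoformat()} tcp 203.0.113.7:51234 -> 192.168.1.20:5555",
        f"{(base + timedelta(seconds=1)).isoformat()} tcp 198.51.100.9:40001 -> 192.168.1.21:5555",
        f"{(base + timedelta(seconds=2)).isoformat()} tcp 192.168.1.2:40002 -> 192.168.1.20:5555",
        f"{(base + timedelta(seconds=3)).isoformat()} udp 192.168.1.20:5353 -> 224.0.0.251:5353",
    ]
    for i in range(1200):
        t = base + timedelta(seconds=30 + i * 8 / 1200)
        lines.append(f"{t.isoformat()} tcp 192.168.1.20:{20000 + i} -> 192.168.1.5:8080")
    return lines


def analyse(lines):
    """Run both checks over raw log lines; unparseable lines are skipped."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return {"exposed_adb": find_exposed_adb(records), "bursts": find_bandwidth_bursts(records)}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for src, dst in result["exposed_adb"]:
        print(f"ADB reachable from outside: {src} -> {dst}:{ADB_PORT}")
    for (src, dst), n in result["bursts"].items():
        print(f"connection burst: {src} -> {dst}, {n} TCP connections within {BURST_WINDOW.seconds}s")
```

The local-range list is deliberately explicit rather than relying on a library notion of “private” addresses, so the same script can be pointed at whatever ranges a given network actually uses. Because the bot exits after reporting and is re-infected over ADB each time, the ADB check is worth running continuously rather than once: each re-infection is a fresh inbound connection to port 5555.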

xlabs_v1 also has an “assassin” subsystem that eliminates competing bots so that it can claim the device’s full upstream bandwidth for its own DDoS attacks. It is not yet known who created the malware, but the threat actor goes by the moniker “Tadashi,” as evidenced by a ChaCha20-encrypted string embedded in all bot builds.

Further analysis of the clustered infrastructure revealed the VLTRig Monero mining toolkit on host 176.65.139[.]42, although it is currently unknown whether the two clusters of activity are the work of the same threat actor.

“In commercial and piracy terms, xlabs_v1 is middle class. It’s more sophisticated than the usual script-kiddie Mirai fork […] but it is less sophisticated than the top tier of commercial DDoS-for-hire operations,” said Hunt.io. “This operator competes on price and attack diversity, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the targets.”

This update comes as Darktrace revealed that a deliberately misconfigured Jenkins instance on its honeypot network was targeted by unknown threat actors to deploy a DDoS botnet downloaded from a remote server (“103.177.110[.]202”), while simultaneously taking steps to avoid detection.

“The presence of game-specific DoS techniques further highlights that the gaming industry continues to be heavily targeted by cyber attackers,” the company said. “This botnet has probably already been used against game servers, which serves as a reminder to server operators to ensure proper mitigation.”
