Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks.
Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted server at the IP address “176.65.139[.]44” without requiring any authentication.
The malware supports “21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection,” Hunt.io said, adding it’s offered as a DDoS-for-hire service designed for targeting game servers and Minecraft hosts.
What makes xlabs_v1 notable is that it seeks out Android devices running an exposed ADB service on TCP port 5555, meaning any gear that comes with the tool enabled by default, such as Android TV boxes, set-top boxes, smart TVs, could be a potential target.
Besides an Android APK (“boot.apk”, the malware supports multi-architecture builds covering ARM, MIPS, x86-64, and ARC, indicating it’s also designed to target residential routers and internet-of-things (IoT) hardware.
The result is a purpose-built botnet engineered to receive an attack command from the operator’s panel (“xlabslover[.]lol”) and generate a flood of junk traffic on demand, specifically directing the DDoS attack against game servers.
“The bot is statically-linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB-shell pastes into /data/local/tmp,” Hunt.io explained. “The operator’s nine-variant payload list is tuned for Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that ships with ADB enabled.”
There is evidence indicating that the DDoS-for-hire service features bandwidth-tiered pricing. This assessment is based on the presence of a bandwidth-profiling routine that collects victim bandwidth and geolocation.
This component opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate back to the panel. The goal, Hunt.io noted, is to assign each compromised device to a pricing tier for its paying customers.
An important aspect to note here is that the botnet exists after sending the bandwidth information in Megabits per second (Mbps), meaning the operator must re-infect the device a second time through the same ADB exploitation channel, given the absence of a persistence mechanism.
“The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs,” Hunt.io said. “This design suggests the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, and the resulting exit-and-re-infect cycle is the design intent.”
xlabs_v1 also features a “killer” subsystem to terminate competitors so that it can usurp the victim device’s full upstream bandwidth to itself and use it to carry out the DDoS attack. It’s currently not known who is behind the malware, but the threat actor goes by the moniker “Tadashi,” as evidenced by a ChaCha20-encrypted string embedded in every build of the bot.
Further analysis of the co-located infrastructure has uncovered a VLTRig Monero-mining toolkit on host 176.65.139[.]42, although it’s currently not known if the two sets of activities are the work of the same threat actor.
“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork […], but less sophisticated than the top tier of commercial DDoS-for-hire operations,” Hunt.io said. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target.”
The development comes as Darktrace revealed that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown threat actors to deploy a DDoS botnet downloaded from a remote server (“103.177.110[.]202”), while simultaneously taking steps to evade detection.
“The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers,” the company said. “This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.”
