
Cybersecurity researchers have disclosed a new Mirai-derived botnet, codenamed xlabs_v1, that targets internet-exposed devices running Android Debug Bridge (ADB) in order to enlist them in a network used for distributed denial-of-service (DDoS) attacks.
Hunt.io, which detailed the malware, said it discovered it after identifying an open directory, requiring no authentication, on a server with the IP address 176.65.139[.]44 hosted in the Netherlands.
Hunt.io added that the malware supports “21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-style UDP, that can bypass consumer-grade DDoS protections,” and is offered as a DDoS rental service designed to target game servers and Minecraft hosts.
What stands out about xlabs_v1 is that it targets Android devices with the ADB service exposed on TCP port 5555. This means Android TV boxes, set-top boxes, smart TVs, and any other device that ships with the tool enabled by default could be a potential target.
In addition to Android APKs (‘boot.apk’), the malware supports multi-architecture builds covering ARM, MIPS, x86-64, and ARC, indicating that it is also designed to target residential routers and Internet of Things (IoT) hardware.
The result is a dedicated botnet designed to receive attack commands from the operator’s panel (“xlabslover[.]lol”), generate large volumes of junk traffic on demand, and direct DDoS attacks, especially against game servers.
“The bot is a statically linked ARMv7, running on stripped Android firmware, and is delivered through an ADB shell paste to /data/local/tmp,” Hunt.io explained. “The operator’s nine-payload list is tailored for Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that ships with ADB enabled.”
There is evidence that the DDoS-for-hire service prices its offering based on bandwidth. This assessment rests on the presence of bandwidth-profiling routines that collect the victim’s available bandwidth and geographic location.
This component opens 8,192 parallel TCP sockets to the geographically closest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate to the panel. According to Hunt.io, the goal is to assign each compromised device to a price tier for paying customers.
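The two behaviours described above, an ADB service reachable from the internet on TCP port 5555 and a single device suddenly opening thousands of parallel TCP sockets to one external host for about ten seconds, are both visible in ordinary connection or flow logs. The following detector is an added example written for this page, not code from Hunt.io or from the malware; the log format, the RFC 1918 definition of "internal", the 1,000-socket threshold and all sample addresses are constructed assumptions for illustration.

```python
"""Flow-log heuristics for two xlabs_v1 traits: internet-exposed ADB (tcp/5555)
and a bandwidth-probe burst (thousands of parallel sockets to one host in ~10 s)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADB_PORT = 5555
PROBE_WINDOW_SECONDS = 10      # the article reports a 10-second saturation run
PROBE_MIN_SOCKETS = 1000       # alert threshold (assumption); the article reports 8,192

# "Internal" means RFC 1918 here; adjust to the monitored site's address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<epoch> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(float(ts), s_ip, int(s_port), d_ip, int(d_port), proto.lower())


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_adb(flows):
    """Inbound TCP to port 5555 on an internal host from a non-internal source."""
    pairs = {(f.src, f.dst) for f in flows
             if f.proto == "tcp" and f.dport == ADB_PORT
             and is_internal(f.dst) and not is_internal(f.src)}
    return sorted(pairs)


def find_bandwidth_probes(flows, min_sockets=PROBE_MIN_SOCKETS, window=PROBE_WINDOW_SECONDS):
    """Internal hosts opening >= min_sockets distinct source ports to one external
    destination within a sliding window of `window` seconds."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append((f.ts, f.sport))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        live = Counter()   # source ports currently inside the window
        left, peak = 0, 0
        for ts, sport in events:
            live[sport] += 1
            while ts - events[left][0] > window:       # slide the window forward
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        if peak >= min_sockets:
            hits.append((src, dst, peak))
    return hits


def sample_flows():
    """Constructed sample: one exposed-ADB contact, normal web traffic, one probe burst."""
    lines = [
        "1700000000.0 tcp 203.0.113.5:51234 -> 192.168.1.20:5555",   # internet -> ADB
        "1700000001.0 tcp 192.168.1.20:40001 -> 198.51.100.7:443",   # ordinary HTTPS
        "1700000002.0 tcp 192.168.1.21:40002 -> 198.51.100.7:443",
        "1700000003.0 udp 192.168.1.21:5353 -> 192.168.1.1:53",       # internal DNS
    ]
    # 8,192 parallel sockets from one device to one external host inside 9 seconds
    lines += [f"{1700000010 + i * 9 / 8192:.4f} tcp 192.168.1.20:{10000 + i} -> 198.51.100.9:8080"
              for i in range(8192)]
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    flows = sample_flows()
    print("exposed ADB:", find_exposed_adb(flows))
    print("bandwidth probes:", find_bandwidth_probes(flows))
```

Both checks are deliberately simple and meant as a starting point: the exposed-ADB rule is a configuration finding (the fix is to turn off ADB over TCP or firewall port 5555 at the edge), while the probe rule catches the tiering measurement regardless of which speed-test endpoint is used, because it keys on connection fan-out from one host rather than on any destination list.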
The important point to note is that the bot exits after transmitting the bandwidth figure in megabits per second (Mbps). This means that, without a persistence mechanism, operators have to re-infect the device through the same ADB exploitation channel.
“This bot does not write itself to on-disk persistence locations, modify init scripts, create systemd units, or register cron jobs,” Hunt.io said. “This design suggests that the operators view bandwidth probing as an infrequent fleet-tiering operation rather than a pre-flight check before each attack, and that the resulting exit-and-reinfection cycle is the design intent.”
xlabs_v1 also has a “killer” subsystem that terminates competing malware, allowing it to commandeer the victim device’s entire upstream bandwidth for itself and use it for DDoS attacks. It is currently unknown who is behind the malware, but the attacker has been nicknamed “Tadashi” based on the ChaCha20-encrypted strings embedded in all builds of the bot.
Further analysis of the co-located infrastructure revealed the presence of the VLTRig Monero mining toolkit on the host 176.65.139[.]; however, it is currently unclear whether the two activities are the work of the same attacker.
“In commercial crime terms, xlabs_v1 is mid-tier. It’s more sophisticated than the typical script-kiddie Mirai fork. […] However, it is not as sophisticated as the top tier of commercial DDoS rental operations,” Hunt.io said. “This operator competes on price and attack diversity rather than technological sophistication. It targets consumer IoT devices, home routers, and small game server operators.”
This development comes after Darktrace revealed that an intentionally misconfigured Jenkins instance in a honeypot network was targeted by an unknown attacker to deploy a DDoS botnet downloaded from a remote server (103.177.110[.]202), while also taking steps to avoid detection.
“The existence of gaming-specific DoS techniques further highlights that the gaming industry continues to be a widespread target for cyber attackers,” the company said. “This botnet is likely already being used against game servers and serves as a reminder to server operators to ensure that appropriate mitigation measures are in place.”
