Diagram illustrating the xlabs_v1 botnet architecture, showing compromised IoT devices launching DDoS attacks against a game server.

xlabs_v1 Botnet Unleashed: Hijacking IoT Devices for Targeted DDoS Attacks


A new, potent variant of the notorious Mirai botnet, dubbed ‘xlabs_v1’, has emerged, setting its sights on a vast array of internet-connected devices. Cybersecurity researchers at Hunt.io have uncovered this sophisticated threat, designed to exploit exposed Android Debug Bridge (ADB) services to conscript unsuspecting IoT devices into a formidable network capable of launching devastating Distributed Denial-of-Service (DDoS) attacks.

The Genesis of xlabs_v1: A Discovery

The discovery of xlabs_v1 came after Hunt.io identified an unsecured directory on a Netherlands-hosted server (IP address 176.65.139[.]44). This server, accessible without authentication, served as a crucial command and control point for the botnet. Further analysis revealed a malware payload with 21 flood variants, encompassing TCP, UDP, and raw protocols, including specialized techniques like RakNet and OpenVPN-shaped UDP. These capabilities allow xlabs_v1 to bypass many consumer-grade DDoS protections, making it a significant threat, particularly to game servers and Minecraft hosts, against which it is marketed as a DDoS-for-hire service.

ADB: The Achilles’ Heel of IoT Devices

What makes xlabs_v1 particularly insidious is its focus on Android devices with an exposed ADB service on TCP port 5555. This includes a wide range of common consumer electronics such as Android TV boxes, set-top boxes, and smart TVs, many of which ship with ADB enabled by default. Beyond Android APKs (like “boot.apk”), the malware’s multi-architecture support (ARM, MIPS, x86-64, and ARC) indicates a broader ambition to compromise residential routers and other general IoT hardware. The ultimate goal is to create a robust botnet, ready to unleash a torrent of junk traffic against specific targets, primarily game servers, upon command from its operator panel, “xlabslover[.]lol”.

How xlabs_v1 Infiltrates and Operates

Hunt.io’s research details the bot’s delivery mechanism: “The bot is statically-linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB-shell pastes into /data/local/tmp.” The operator’s carefully crafted nine-variant payload list is specifically optimized for the vulnerable Android TV boxes, set-top boxes, smart TVs, and other ARM-based IoT hardware that frequently leave ADB exposed.

A Business Model for Cybercrime: Bandwidth-Tiered Pricing

Intriguingly, the xlabs_v1 DDoS-for-hire service appears to operate on a bandwidth-tiered pricing model. This is evidenced by a sophisticated bandwidth-profiling routine. Compromised devices are instructed to open 8,192 parallel TCP sockets to the nearest Speedtest server, saturate them for 10 seconds, and report the measured data transfer rate back to the operator’s panel. This allows the threat actor to categorize each device into a specific pricing tier for their paying customers.
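Two of the behaviours described above are easy to spot from ordinary connection logs: an inbound connection to tcp/5555 from outside the LAN (the ADB exposure the bot relies on) and a single device opening thousands of sockets to one peer within the 10-second bandwidth probe. The following detector is an added example, not Hunt.io's code; the log format, the 1,000-socket threshold and all addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ADB_PORT = 5555
BURST_THRESHOLD = 1000   # new sockets to one peer inside the window (hypothetical tuning value)
BURST_WINDOW = 10.0      # seconds, matching the 10-second saturation run described in the article
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_sample_log():
    """Constructed records in the form '<epoch> <in|out> <src> <dst> <dport>'."""
    lines = ["1700000000 in 203.0.113.7 192.168.1.20 5555",    # outside host reaching ADB
             "1700000001 in 192.168.1.5 192.168.1.20 5555",    # LAN host reaching ADB
             "1700000002 out 192.168.1.20 198.51.100.20 443"]  # ordinary outbound traffic
    # bandwidth probe: 1500 sockets to one peer within about 1.5 seconds
    lines += [f"{1700000010 + i * 0.001:.3f} out 192.168.1.20 198.51.100.9 8080" for i in range(1500)]
    # benign browsing: 20 sockets to the same peer spread over a minute
    lines += [f"{1700000100 + i * 3} out 192.168.1.21 198.51.100.9 443" for i in range(20)]
    return lines

def parse_line(line):
    ts, direction, src, dst, dport = line.split()
    return float(ts), direction, src, dst, int(dport)

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def exposed_adb_connections(lines):
    """Inbound connections to tcp/5555 from non-LAN addresses: ADB is reachable from outside."""
    hits = []
    for ts, direction, src, dst, dport in map(parse_line, lines):
        if direction == "in" and dport == ADB_PORT and not is_lan(src):
            hits.append((src, dst))
    return hits

def connection_bursts(lines, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Per (src, dst) pair, the largest number of new outbound sockets in any window-second span."""
    times = defaultdict(list)
    for ts, direction, src, dst, dport in map(parse_line, lines):
        if direction == "out":
            times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged
```

A burst hit on a device that also shows an external ADB connection is a strong signal to block tcp/5555 at the edge and disable network ADB on the device.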

The Curious Case of Non-Persistence

One peculiar aspect of xlabs_v1 is its lack of a persistence mechanism. Unlike many botnets that embed themselves deeply within a system, this bot does not write itself to disk, modify init scripts, create systemd units, or register cron jobs. Hunt.io suggests this isn’t an oversight but a deliberate design choice: “This design suggests the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, and the resulting exit-and-re-infect cycle is the design intent.” This means that after reporting bandwidth data, the bot exits, requiring the operator to re-infect the device via the same ADB channel for subsequent attacks.

Eliminating Competition: The “Killer” Subsystem

To maximize its destructive potential, xlabs_v1 incorporates a “killer” subsystem. This module is designed to identify and terminate rival botnet processes on a compromised device, ensuring that xlabs_v1 can monopolize the victim’s entire upstream bandwidth for its DDoS operations. This aggressive tactic highlights the competitive and cutthroat nature of the cybercrime underworld.

The Enigma of “Tadashi” and Co-located Threats

The identity of the xlabs_v1 operator remains unknown, though they use the moniker “Tadashi,” a name found in a ChaCha20-encrypted string embedded within every bot build. Further investigations into co-located infrastructure revealed a VLTRig Monero-mining toolkit on a nearby host (176.65.139[.]42). While the connection between these two activities is not yet confirmed, it raises questions about the full scope of the threat actor’s operations.

A Mid-Tier Threat with High Impact

Hunt.io categorizes xlabs_v1 as a “mid-tier” commercial-criminal operation. While more advanced than typical “script-kiddie” Mirai forks, it lacks the sophistication of top-tier DDoS-for-hire services. Its competitive edge lies in its pricing and diverse attack variants rather than cutting-edge technical prowess. The primary targets remain consumer IoT devices, residential routers, and small game-server operators.

Broader Implications for the Gaming Industry

This development comes amidst broader concerns about cyberattacks targeting the gaming industry. Darktrace recently reported on a misconfigured Jenkins instance in its honeypot network being exploited to deploy a DDoS botnet, with attackers employing evasion techniques. The prevalence of game-specific DoS methods underscores the ongoing vulnerability of gaming servers. Server operators are urged to implement robust mitigations to protect against these persistent threats.
