The world of cybersecurity is a complex and ever-evolving landscape, and the latest discovery by Hunt.io researchers highlights a concerning trend: the emergence of a new botnet, xlabs_v1, derived from the infamous Mirai malware. This botnet targets Android devices with exposed Android Debug Bridge (ADB) services, posing a significant threat to IoT devices and game servers.
What makes xlabs_v1 particularly insidious is its ability to exploit ADB, a tool often pre-installed on Android devices like TV boxes, set-top boxes, and smart TVs. By identifying and connecting to these devices, the botnet can enlist them in a network capable of launching devastating distributed denial-of-service (DDoS) attacks. The botnet supports a range of flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, which can bypass consumer-grade DDoS protection.
The malware is offered as a DDoS-for-hire service aimed at game servers and Minecraft hosts. It receives attack commands from an operator's panel and generates a flood of junk traffic on demand. The botnet's operator, known as 'Tadashi,' employs a 'killer' subsystem that terminates competing malware on the device, so the bot has the victim's full upstream bandwidth to itself for DDoS attacks.
One intriguing aspect of xlabs_v1 is its pricing structure. The botnet features a bandwidth-profiling routine that collects victim bandwidth and geolocation data. It then opens 8,192 parallel TCP sockets to the nearest Speedtest server, saturating them for 10 seconds and reporting the data transfer rate back to the panel. This routine suggests a tiered pricing system, where each compromised device is assigned a pricing tier based on its bandwidth capacity.
The botnet has no persistence mechanism, however: once the implant exits, the device must be re-infected through the same ADB exploitation channel. Hunt.io therefore characterizes the bandwidth probe as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check; Tadashi treats bandwidth profiling as a strategic move rather than a routine check, resulting in an exit-and-re-infect cycle.
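As an added, defender-side example that is not from the Hunt.io report: the script below scans flow records for the two behaviours described above, an internal Android device accepting ADB (tcp/5555) connections from outside, and the burst of parallel TCP connections to a single server that the bandwidth-profiling routine produces. The flow format, the sample records, the private-range check and the burst threshold are assumptions.

```python
from collections import defaultdict

ADB_PORT = 5555          # Android Debug Bridge over TCP
PROFILE_WINDOW_S = 10    # the profiling routine saturates sockets for 10 seconds
BURST_THRESHOLD = 256    # far below the 8,192 sockets described; tune to your network

# Constructed sample flows, "epoch src_ip dst_ip dst_port proto": an external host
# reaching an internal ADB port, some normal traffic, and a simulated profiling
# burst (400 connections in 10 seconds) from the same internal host to one server.
SAMPLE_FLOWS = [
    "1700000000 203.0.113.7 192.168.1.20 5555 tcp",
    "1700000003 192.168.1.20 93.184.216.34 443 tcp",
    "1700000004 192.168.1.21 93.184.216.34 443 tcp",
] + [f"{1700000010 + i // 40} 192.168.1.20 198.51.100.5 8080 tcp" for i in range(400)]


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_internal(ip, prefixes=("10.", "192.168.")):
    return ip.startswith(prefixes)   # assumed private ranges; extend for 172.16/12


def exposed_adb_hosts(flows):
    """Internal hosts that accepted a TCP connection on 5555 from outside."""
    return sorted({f["dst"] for f in flows
                   if f["proto"] == "tcp" and f["dport"] == ADB_PORT
                   and is_internal(f["dst"]) and not is_internal(f["src"])})


def connection_bursts(flows, threshold=BURST_THRESHOLD, window=PROFILE_WINDOW_S):
    """(src, dst, count) where one host opened >= threshold TCP connections
    to a single destination inside a sliding window of `window` seconds."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp":
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((src, dst, best))
    return hits


def analyze(lines):
    flows = [parse_flow(l) for l in lines]
    return {"exposed_adb": exposed_adb_hosts(flows), "bursts": connection_bursts(flows)}
```

Running `analyze(SAMPLE_FLOWS)` flags 192.168.1.20 both as an ADB-exposed host and as the source of a profiling-like burst.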
The emergence of xlabs_v1 comes at a time when the gaming industry is under constant cyber attack. Darktrace's discovery of a misconfigured Jenkins instance being targeted by unknown threat actors to deploy a DDoS botnet further underscores the exposure of online games. Darktrace emphasizes the need for server operators to implement appropriate mitigations against such attacks.
In conclusion, the xlabs_v1 botnet represents a sophisticated and evolving threat to IoT devices and game servers. Its ability to exploit ADB and launch DDoS attacks highlights the importance of robust cybersecurity measures and the need for continuous vigilance in the face of emerging cyber threats.