Cybersecurity researchers have uncovered a new botnet, known as xlabs_v1, derived from the notorious Mirai malware. This botnet targets devices with internet-exposed Android Debug Bridge (ADB), enlisting them in a network designed to execute distributed denial-of-service (DDoS) attacks. Hunt.io made this discovery after finding an exposed directory on a server in the Netherlands, which revealed the malware's capabilities and its operation.
The xlabs_v1 botnet supports 21 different flood variants across TCP, UDP, and raw protocols, making it capable of bypassing standard consumer-grade DDoS protection. Its primary targets include game servers and Minecraft hosts. The botnet is particularly dangerous because it seeks out Android devices with an ADB service running on TCP port 5555. Devices like Android TV boxes, set-top boxes, and smart TVs are potential targets and can be easily compromised if they have ADB enabled by default.
The malware includes an APK named 'boot.apk' and supports multiple architectures such as ARM, MIPS, x86-64, and ARC. This indicates that it is also aimed at compromising residential routers and various internet-of-things (IoT) hardware. Once compromised, these devices can be instructed to flood game servers with junk traffic on demand, facilitated by commands from the operator's control panel.
A noteworthy aspect of xlabs_v1 is its use of a 'killer' subsystem designed to eliminate competing malware, thus monopolizing the device's bandwidth for its own attacks. The botnet operates on a bandwidth-tiered pricing model, where compromised devices are assigned pricing tiers based on their bandwidth capacity, measured through a saturation test. Interestingly, the botnet lacks a persistence mechanism and requires re-infection for continuous operation.
The threat actor behind this botnet, known as Tadashi, has embedded a ChaCha20-encrypted string in each build of the bot. Additional analysis has revealed a Monero-mining toolkit on a related server, though it is unclear if the same actor is responsible for both activities. Experts describe xlabs_v1 as a mid-tier botnet, more advanced than typical Mirai forks but less sophisticated than elite commercial DDoS-for-hire operations. The gaming industry remains a prime target for such attacks, emphasizing the need for server operators to implement robust protection measures.


