Your Android TV box or smart TV could be part of a DDoS army right now. And you would never know.
Security researchers at Hunt.io have uncovered a new Mirai botnet ADB DDoS attack campaign that self-identifies as xlabs_v1. The malware targets internet-exposed devices running Android Debug Bridge (ADB) on TCP port 5555.
The Mirai botnet ADB DDoS attack recruits Android TV boxes, set-top boxes, smart TVs, and IoT devices into a network capable of launching massive distributed denial-of-service attacks against game servers and Minecraft hosts.
What Is xlabs_v1?
xlabs_v1 is a derivative of the infamous Mirai malware. Mirai gained notoriety in 2016 for recruiting IoT devices into DDoS armies that took down major portions of the internet.
xlabs_v1 is the latest evolution. Hunt.io discovered it when they came across an open directory, requiring no credentials, on a server hosted in the Netherlands (176.65.139[.]44). The botnet implements 21 different flood attack variants across TCP, UDP, and raw protocols. These include UDP floods shaped as RakNet and OpenVPN traffic, among others, which are able to pass through consumer DDoS protection products.
How the Botnet Recruits Devices
Recruitment targets Android devices with ADB exposed over TCP port 5555. ADB (Android Debug Bridge) is a developer debugging interface present on many Android devices, including TV boxes, set-top boxes, and smart TVs, which often ship with it enabled.
The botnet infects Android devices in four steps:
Step 1: Scanning. The botnet scans the internet for hosts with TCP port 5555 open, which indicates an Android device with ADB exposed, and connects to them.
Step 2: ADB Shell Injection. Through the exposed ADB service, the botnet issues shell commands on the target device, working from /data/local/tmp/.
Step 3: Payload Delivery. The botnet then downloads an ARMv7-compiled binary to the infected device. Builds also exist for other architectures: ARM, MIPS, x86-64, and ARC.
Step 4: Execution. The binary runs and reports back to the command-and-control panel at xlabslover[.]lol.
The Mirai botnet ADB DDoS attack is purpose-built to receive attack commands from the operator and generate floods of junk traffic on demand.
The Bandwidth Pricing Scheme
The Mirai botnet ADB DDoS attack is offered as a DDoS-for-hire service. Paying customers can rent botnet firepower to attack game servers or Minecraft hosts.
What makes this Mirai botnet ADB DDoS attack notable is its bandwidth-profiling routine. Before assigning a compromised device to a pricing tier, the botnet performs the following:
1. Opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server
2. Saturates those sockets for 10 seconds
3. Measures the data transfer rate
4. Reports the bandwidth in megabits per second (Mbps) back to the operator panel
The Mirai botnet ADB DDoS attack operator uses this bandwidth data to assign each compromised device to a pricing tier. Customers pay more for higher-bandwidth devices.
No Persistence Means Reinfections
The Mirai botnet ADB DDoS attack has an unusual characteristic. It does not persist.
Hunt.io found that the Mirai botnet ADB DDoS attack does not write itself to disk persistence locations. It does not modify init scripts. It does not create systemd units. It does not register cron jobs.
Instead, the Mirai botnet ADB DDoS attack exits after sending bandwidth information. The operator must reinfect the device a second time through the same ADB exploitation channel to use it for actual attacks.
Hunt.io explained: "This design suggests the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, and the resulting exit-and-re-infect cycle is the design intent."
The Killer Subsystem
The Mirai botnet ADB DDoS attack includes a "killer" subsystem. This component terminates competing malware families already running on the compromised device.
By killing competitors, the Mirai botnet ADB DDoS attack ensures it has full access to the victim device's upstream bandwidth. No other botnet gets to use the same resources.
This is a common feature in Mirai-derived malware. The Mirai botnet ADB DDoS attack uses it to maximize the bandwidth available for DDoS attacks.
Who Is Behind xlabs_v1?
The Mirai botnet ADB DDoS attack operator goes by the moniker Tadashi. This name appears in a ChaCha20-encrypted string embedded in every build of the botnet.
Researchers do not yet know Tadashi's true identity. However, the Mirai botnet ADB DDoS attack infrastructure is hosted in the Netherlands. Further analysis of the co-located infrastructure revealed a VLTRig Monero-mining toolkit on host 176.65.139[.]42.
It is currently unknown if the same threat actor operates both the Mirai botnet ADB DDoS attack and the Monero miner.
Target: Game Servers
The Mirai botnet ADB DDoS attack is specifically designed to target game servers and Minecraft hosts. The 21 flood variants include protocols commonly used in gaming.
Hunt.io assessed that the Mirai botnet ADB DDoS attack is a mid-tier operation: "In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork, but less sophisticated than the top tier of commercial DDoS-for-hire operations. This operator is competing on price and attack variety, not technical sophistication."
The Mirai botnet ADB DDoS attack targets consumer IoT devices, residential routers, and small game-server operators. These victims are unlikely to have enterprise-grade DDoS protection.
Jenkins Honeypot Attack
The Mirai botnet ADB DDoS attack is not the only DDoS activity in the wild. Darktrace recently reported that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown threat actors.
The attackers deployed a DDoS botnet downloaded from a remote server (103.177.110[.]202). They also took steps to evade detection.
Darktrace noted: "The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers. This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place."
Affected Devices
The Mirai botnet ADB DDoS attack targets devices with ADB enabled on TCP port 5555. These include:
1. Android TV boxes
2. Set-top boxes
3. Smart TVs with debugging enabled
4. ARM-based IoT devices
5. Residential routers running Android-based firmware
If you own any Android device that connects to the internet and has ADB enabled, the Mirai botnet ADB DDoS attack can recruit it.
How to Protect Your Devices
The Mirai botnet ADB DDoS attack relies on exposed ADB services. Here is how to protect your devices.
1. Turn off ADB on your Android TV box or smart TV. ADB should only be enabled while developing and debugging apps. With ADB disabled, the device cannot be infected through this channel.
2. Block TCP port 5555 at your router. If devices on your network legitimately need ADB, block both inbound connections to TCP port 5555 from the internet and outbound connections on that port at your network perimeter. xlabs_v1 uses TCP port 5555 both to scan for devices and to exploit the ones it finds.
3. Watch for unusually high outbound traffic from your network. Infected devices report to the domain xlabslover[.]lol, so look for that domain name in your DNS and connection logs, and keep an eye out for unknown devices attempting to connect to Speedtest servers.
4. Update your device firmware. Most manufacturers have turned off ADB by default in later firmware revisions; xlabs_v1 relies on out-of-date and improperly configured devices.
5. Replace unsupported devices. If you have a cheap Android TV box that no longer receives updates, consider replacing it. The Mirai botnet ADB DDoS attack preys on abandoned hardware.
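As an added example (not code from Hunt.io, the article, or the botnet), the following Python script applies the indicators from the bandwidth-profiling description and from steps 2 and 3 above to constructed connection-log lines: an inbound connection to TCP port 5555, a lookup of the xlabslover[.]lol C2 domain, and a burst of Speedtest connections from a single host inside the 10-second saturation window. The log format, the Speedtest hostname, and the burst threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption): "<epoch> <src_ip> <dst_ip>:<dst_port> <hostname-or-dash>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+)$")
ADB_PORT = 5555                 # ADB-over-TCP port the botnet scans and exploits
C2_DOMAIN = "xlabslover.lol"    # C2 panel named in the report (written defanged in the text)
SPEEDTEST_HINT = "speedtest"    # the bandwidth probe hits the nearest Speedtest server
BURST_THRESHOLD = 100           # constructed: far below 8,192 sockets, far above normal use
BURST_WINDOW = 10               # seconds, matching the 10-second saturation phase


def analyze(lines):
    """Return {category: [evidence, ...]} for the three indicators."""
    alerts = defaultdict(list)
    speedtest_ts = defaultdict(list)      # src_ip -> connection timestamps
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines
        ts, src, dst, dport, host = m.groups()
        if int(dport) == ADB_PORT:
            alerts["adb_port_5555"].append((src, dst))
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            alerts["c2_contact"].append((src, host))
        if SPEEDTEST_HINT in host:
            speedtest_ts[src].append(int(ts))
    # Sliding window: many Speedtest connections from one host within BURST_WINDOW seconds
    for src, stamps in speedtest_ts.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= BURST_THRESHOLD:
                alerts["speedtest_burst"].append(src)
                break
    return dict(alerts)


def sample_log():
    """Constructed sample: one inbound ADB probe, one C2 lookup, one Speedtest burst."""
    lines = ["1000 203.0.113.9 192.168.1.50:5555 -",
             "1001 192.168.1.50 198.51.100.7:443 panel.xlabslover.lol",
             "1500 192.168.1.20 198.51.100.8:443 speedtest.example.net"]  # one benign test
    lines += [f"{1002 + i // 40} 192.168.1.50 198.51.100.8:8080 speedtest.example.net"
              for i in range(150)]
    return lines
```

Running analyze(sample_log()) flags 192.168.1.50 under all three categories while the single benign Speedtest run from 192.168.1.20 stays quiet; point the regex at your own router or firewall export to use it on real logs.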
Final Thoughts
The Mirai botnet ADB DDoS attack is not the most sophisticated botnet ever created. But it does not need to be. It finds vulnerable Android TV boxes, smart TVs, and set-top boxes. It recruits them into a DDoS army. It sells that army to anyone who wants to crash game servers.
The Mirai botnet ADB DDoS attack operator, Tadashi, has built a business. Customers pay based on bandwidth. The botnet profiles each device. Pricing tiers ensure high-bandwidth devices generate more revenue.
For consumers, the Mirai botnet ADB DDoS attack is invisible. Your Android TV box works normally. Your smart TV still streams video. But behind the scenes, your device is part of a global DDoS machine, slamming game servers with junk traffic.
Check your devices today. Disable ADB. Block port 5555. Do not let your Android TV box become a weapon.
FAQ Section
Q1: What is the xlabs_v1 Mirai botnet, and how does it abuse ADB to launch DDoS attacks?
xlabs_v1 is a Mirai-derived malware family that recruits Android devices with publicly exposed ADB services (TCP port 5555) into a distributed denial-of-service (DDoS) army. Groups using this type of botnet have set up websites advertising DDoS-for-hire, targeting online gaming and Minecraft hosting services.
Q2: Whose devices are vulnerable to being abused by the Mirai (ADB) botnet for DDoS?
Anyone with an Android TV box, set-top box, smart TV, or other IoT (internet of things) device that exposes ADB on TCP port 5555 is at risk. Because the bot is built for the ARM, MIPS, x86-64, and ARC architectures, some residential routers may be vulnerable in addition to the devices listed above. The game servers the botnet is rented to attack, and the players who use them, are its downstream victims.
Q3: What is the xlabs_v1 botnet's bandwidth profiling technique for DDoS "agents"?
The bot opens and holds 8,192 concurrent TCP sockets to its nearest Speedtest server for 10 seconds so that it saturates the connection and reports an accurate TCP throughput figure to the xlabs_v1 operator panel, which is then factored into the pricing model for DDoS attacks purchased by paying clients.
Q4: Does the xlabs_v1 infection survive a reboot?
No. The bot does not write itself to a disk persistence location, modify init scripts, create systemd units, or register cron jobs, so it cannot keep operating on its own. The operator must reinfect previously infected devices through the same ADB channel after each bandwidth profiling run.
Q5: Who is behind the xlabs_v1 Mirai botnet?
The operator uses the moniker "Tadashi", which appears in a ChaCha20-encrypted string present in every bot build. The infrastructure is based in the Netherlands. The actor's true identity remains unknown.