A newly identified Android botnet has infected over 1.8 million devices and can launch massive distributed denial-of-service (DDoS) attacks, Chinese cybersecurity firm XLab warns.
Dubbed Kimwolf, the botnet has proxy forwarding, reverse shell, and file management capabilities.
The threat appears linked to Aisuru, the TurboMirai-class IoT botnet recently blamed for a record-breaking 29.7 Tbps DDoS attack.
Kimwolf, XLab says, is mainly focused on traffic proxying, but was observed issuing over 1.7 billion DDoS attack commands between November 19 and 22.
This pushed its command-and-control (C&C) domain, 14emeliaterracewestroxburyma02132[.]su, to the top position in Cloudflare’s global domain popularity rankings, surpassing google.com.
The malware, the cybersecurity firm says, relies on the DNS over TLS (DoT) protocol to encapsulate DNS requests and evade detection, and uses a signature verification mechanism to validate communication instructions.
Kimwolf mainly infects Android TV set-top boxes deployed on residential networks, with the ensnared devices distributed across more than 220 countries and regions.
Due to dynamic IP allocation mechanisms and the global spread of the infected devices, the actual size of the botnet is not known.
According to XLab, C&C domains associated with the botnet have been taken down by third parties at least three times, which forced its developers to harden the infrastructure using ENS (Ethereum Name Service) domains.
The cybersecurity firm says it believes the botnet has been involved in at least two large-scale DDoS attacks, including the near-30 Tbps incident flagged earlier this month.
While multiple recent massive DDoS attacks were attributed to Aisuru, XLab believes that Kimwolf might have been the lead botnet in these incidents.
“Although we cannot directly measure it, through observations of two large-scale DDoS events and a horizontal comparison with Aisuru, we believe Kimwolf’s attack capability is close to 30Tbps,” XLab notes.
The Chinese firm has analyzed multiple Kimwolf samples collected since October, uncovering the malware’s connection with Aisuru, links to the ByteConnect SDK monetization solution, and multiple references to the cybersecurity journalist Brian Krebs that the Kimwolf developer left in the code.
Related: Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps
Related: ShadowV2 DDoS Service Lets Customers Self-Manage Attacks
Related: New ‘Broadside’ Botnet Poses Risk to Shipping Companies
