Threat Advisory

GhostSocks Malware Uses SOCKS5 Proxy to Evade Detection

Threat: Malicious Campaign
Targeted Region: Global
Targeted Sector: Technology & IT, Finance & Banking
Criticality: High

EXECUTIVE SUMMARY

GhostSocks is a Golang-based SOCKS5 backconnect proxy malware that has gained traction in cybercriminal circles, particularly through its integration with the LummaC2 information stealer. Initially advertised in Russian-language forums, GhostSocks later appeared on English-speaking platforms, offered as a Malware-as-a-Service. Its functionality allows attackers to monetize compromised systems by establishing proxy connections that mask malicious activities. The malware is particularly threatening to financial institutions and other high-value targets, as it enables attackers to bypass IP-based security controls and geolocation restrictions. GhostSocks’ close relationship with Lumma is evident through automated deployment features and pricing incentives tailored for Lumma users, highlighting a deliberate strategy to enhance post-infection capabilities.

GhostSocks employs advanced obfuscation techniques to evade detection, utilizing tools like Garble and Gofuscator to obscure its code and configuration. Upon execution, it constructs an embedded configuration containing essential operational parameters, including SOCKS5 credentials and a C2 address. The malware communicates with its C2 infrastructure via a relay-based mechanism, where an intermediary server forwards requests to the main C2, complicating attribution and takedown efforts. The initial beaconing process involves HTTP requests that include a pseudo-random authentication key, enabling the malware to register with the C2. The response provides the infected machine with a Tier 1 relay node, establishing a SOCKS5 tunnel that threat actors can then use. Additionally, GhostSocks features backdoor functionality, including arbitrary command execution, credential modification, and the ability to download and execute other malicious payloads, further extending its versatility in cyberattacks.

The use of GhostSocks as a SOCKS5 backconnect proxy significantly enhances cybercriminal capabilities, particularly in credential abuse and fraud. By leveraging victims’ IP addresses, attackers can evade detection by financial institutions and security measures that rely on geolocation-based access controls. The majority of its C2 infrastructure operates on VDSina-hosted servers, a trend common among cybercriminal operations. Researchers have identified multiple active C2s and track them through an indicator feed, which enables proactive blocking and mitigation. Additionally, YARA signature-based detection has been deployed to monitor for indicators of GhostSocks activity. Given its integration with Lumma and its MaaS availability, GhostSocks is likely to remain a persistent threat, particularly for organizations handling sensitive financial data. Its use of relay-based C2s and obfuscation techniques makes it challenging to detect, underscoring the importance of continuous monitoring and proactive defense measures against evolving malware threats.
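The two paragraphs above describe the detection angle a defender actually has against a backconnect proxy: the infected host opens an outbound session to a relay on a feed-tracked C2, keeps it open, and then receives SOCKS5 client traffic from the remote end. The script below is an added example (not code from the advisory, the cited report, or the malware) that triages egress flow records against a C2 feed and applies that pattern. Everything in it is an assumption: the tab-separated log format, the feed entries (RFC 5737 documentation addresses, not real GhostSocks indicators), and the duration and port thresholds, which are tunable heuristics rather than signatures.

```python
"""
Added example: triage egress connection records against a C2 feed and flag
sessions that fit a SOCKS5 backconnect-proxy pattern.

Assumptions (not stated on the advisory page):
  * the record layout below is constructed for this example;
  * feed entries are placeholder addresses from RFC 5737 ranges, not real IoCs;
  * LONG_SESSION_SECONDS and COMMON_EGRESS_PORTS are heuristics to tune per site.
"""
import ipaddress
from dataclasses import dataclass

# Constructed feed: placeholder indicators only.
C2_FEED_IPS = {"198.51.100.23", "203.0.113.77"}
C2_FEED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

LONG_SESSION_SECONDS = 600       # heuristic: a proxy tunnel stays open for a long time
COMMON_EGRESS_PORTS = {80, 443}  # heuristic: relays on other ports stand out more


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    duration_s: int
    bytes_out: int
    bytes_in: int
    first_remote_bytes: bytes  # first payload bytes sent by the remote end, if logged


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: ts src dst dport duration out in remote_hex ('-' if none)."""
    ts, src, dst, dport, dur, out_b, in_b, remote_hex = line.split("\t")
    payload = bytes.fromhex(remote_hex) if remote_hex != "-" else b""
    return Flow(ts, src, dst, int(dport), int(dur), int(out_b), int(in_b), payload)


def looks_like_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: 0x05, NMETHODS, then exactly NMETHODS method bytes.

    On a connection the host itself opened, the remote end should never speak as a
    SOCKS5 *client*; a relay that does is using the host as a backconnect proxy.
    """
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


def in_feed(ip: str) -> bool:
    """Exact-IP match first, then netblock match against the feed."""
    if ip in C2_FEED_IPS:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in C2_FEED_NETS)


def score_flow(flow: Flow) -> list[str]:
    """Return the reasons a flow is suspicious; an empty list means nothing matched."""
    reasons = []
    if in_feed(flow.dst_ip):
        reasons.append("destination on C2 feed")
    if looks_like_socks5_greeting(flow.first_remote_bytes):
        reasons.append("remote end sent SOCKS5 client greeting on outbound connection")
    if (flow.duration_s >= LONG_SESSION_SECONDS
            and flow.dst_port not in COMMON_EGRESS_PORTS
            and flow.bytes_in > 0 and flow.bytes_out > 0):
        reasons.append("long-lived bidirectional session on uncommon port")
    return reasons


def triage(lines) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its reasons for every flagged record."""
    hits = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reasons = score_flow(flow)
        if reasons:
            hits[f"{flow.src_ip}->{flow.dst_ip}:{flow.dst_port}"] = reasons
    return hits


# Constructed sample records (tab-separated); none are real observations.
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z\t10.0.0.15\t198.51.100.23\t8443\t1800\t52000\t61000\t050100",
    "2025-01-10T09:00:05Z\t10.0.0.15\t203.0.113.5\t443\t12\t900\t4200\t160303",
    "2025-01-10T09:01:10Z\t10.0.0.22\t192.0.2.9\t443\t30\t300\t800\t-",
    "2025-01-10T09:02:00Z\t10.0.0.31\t203.0.113.140\t9001\t7200\t10000\t12000\t-",
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key, "=>", "; ".join(reasons))
```

The feed match is the cheap, high-confidence check and should drive blocking; the SOCKS5-greeting check needs a sensor that logs the first payload bytes of the remote side, and the long-session heuristic is deliberately weak on its own (VPN clients and message brokers also hold long sessions on odd ports), so it is best used to rank flows that already lack a feed hit rather than to alert alone.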

THREAT PROFILE:

Tactic                Technique ID   Technique
Initial Access        T1078          Valid Accounts
Execution             T1204          User Execution
Persistence           T1547          Boot or Logon Autostart Execution
Privilege Escalation  T1055          Process Injection
Defense Evasion       T1027          Obfuscated Files or Information
Credential Access     T1555          Credentials from Password Stores
Discovery             T1012          Query Registry
Command and Control   T1090          Proxy
Exfiltration          T1041          Exfiltration Over C2 Channel

REFERENCES:

The following report contains further technical details:
https://cybersecuritynews.com/ghostsocks-malware-exploiting-socks5-proxy/
