Aman Mishra
2025-02-24 03:57:00
gbhackers.com
GhostSocks, a Golang-based SOCKS5 backconnect proxy malware, has emerged as a significant threat within the cybercrime ecosystem.
First identified in October 2023 on Russian-language forums, its distribution expanded to English-speaking criminal platforms by mid-2024.
This malware operates as part of a Malware-as-a-Service (MaaS) model, allowing threat actors to exploit compromised systems for financial gain.


Its integration with the LummaC2 information stealer further amplifies its potential, enabling advanced credential abuse and bypassing anti-fraud mechanisms.
The partnership between GhostSocks and LummaC2 was formalized in February 2024, offering features like automatic provisioning through Lumma’s administration panel.
Additionally, discounts for Lumma users have incentivized adoption.
GhostSocks employs anti-sandboxing techniques and obfuscation methods, including the use of tools like Garble and Gofuscator, to evade detection.
These features make it a preferred choice for attackers targeting high-value sectors such as financial institutions.
Technical Mechanisms of GhostSocks
At its core, GhostSocks leverages a SOCKS5 backconnect proxy to reroute network traffic through compromised systems.
This approach masks the attacker’s origin and bypasses geographic restrictions and IP-based security measures.
Upon initialization, the malware creates an embedded configuration structure containing hardcoded data and dynamically calculated values.
This configuration is obfuscated and stored locally before establishing communication with its command-and-control (C2) infrastructure.
The embedded configuration structure, as shown in the analysis:
{
  "buildVersion": "0pTk.PWh2DyJ",
  "md5": "bb857552657a9c31e68797e9bd30ac2",
  "proxyUsername": "uDoSfUGf",
  "proxyPassword": "uDoSfUGf",
  "userId": "gpn4wrgAehjlgkUKkN33e4iDkc1OfRHA"
}
The malware initiates a relay-based C2 communication process using HTTP APIs.
It queries intermediary servers (Tier 2 relays) to obtain Tier 1 relay IPs and ports, which are used to establish TCP connections for SOCKS5 tunneling.
This allows attackers to exploit the victim’s IP address for fraudulent activities, such as bypassing financial institution security checks.
Infrawatch researchers identified multiple C2s and backconnect hosts associated with GhostSocks across various networks.
Most of these servers operate on ports like 3001 and are hosted on Russian-speaking Virtual Dedicated Server (VDS) providers such as VDSina.
The malware’s reliance on consistent C2 behavioral patterns, such as specific API key error responses, offers defenders an opportunity to track its activity.
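One behavioral indicator a defender can check for is the inverted SOCKS5 handshake that backconnect proxying produces: the infected host opens the outbound TCP connection, yet the remote relay sends the SOCKS5 client greeting and the infected host answers with the method selection. The following is an added example written for this article, not code from the report or from GhostSocks itself; the flow records, IP addresses and field names are constructed, and only port 3001 comes from the analysis.

```python
# Added example: heuristic for backconnect SOCKS5 behaviour over flow records.
# In a normal SOCKS5 session (RFC 1928) the TCP client sends the greeting.
# In a backconnect proxy the local host initiates the TCP connection but the
# remote peer sends the greeting, and the local host replies as the server.
# Flow records, addresses and field names below are constructed samples.
from dataclasses import dataclass

SOCKS_VERSION = 0x05
NO_ACCEPTABLE = 0xFF  # method-selection value meaning "no acceptable method"

@dataclass
class Flow:
    src: str             # local host that initiated the TCP connection
    dst: str             # remote peer
    dst_port: int
    remote_first: bytes  # first payload bytes sent by the remote peer
    local_first: bytes   # first payload bytes sent back by the local host

def parse_greeting(data: bytes):
    """Return the offered auth methods if data is a SOCKS5 client greeting, else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])

def is_backconnect_socks(flow: Flow) -> bool:
    """True when the remote side speaks as SOCKS5 client on a connection we opened."""
    methods = parse_greeting(flow.remote_first)
    if methods is None:
        return False
    reply = flow.local_first
    # A method-selection reply from the local host confirms it acts as the proxy server.
    return (len(reply) >= 2 and reply[0] == SOCKS_VERSION
            and (reply[1] in methods or reply[1] == NO_ACCEPTABLE))

# Constructed flows: an inverted handshake on port 3001 (username/password auth, 0x02),
# a benign TLS ClientHello, and a normal outbound SOCKS5 session from a local client.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 3001, bytes([5, 1, 2]), bytes([5, 2])),
    Flow("10.0.0.5", "203.0.113.20", 443, b"\x16\x03\x03", b"\x16\x03\x01"),
    Flow("10.0.0.7", "198.51.100.9", 1080, bytes([5, 0]), bytes([5, 1, 0])),
]

def suspicious_flows(flows):
    """Return (src, dst, dst_port) for flows that match the backconnect pattern."""
    return [(f.src, f.dst, f.dst_port) for f in flows if is_backconnect_socks(f)]
```

Only the first constructed flow is reported; the normal SOCKS5 client session is not, because there the greeting comes from the local host.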
Beyond Proxying: Additional Backdoor Capabilities
GhostSocks extends its functionality beyond SOCKS5 proxying by incorporating backdoor capabilities.
These include arbitrary command execution, modification of SOCKS5 credentials, and downloading and executing malicious files.
These features enable attackers to maintain persistent access and further exploit infected systems.
GhostSocks exemplifies the growing commodification of backconnect proxy malware within the cybercrime landscape.


Its seamless integration with LummaC2 and availability via MaaS platforms highlight the increasing sophistication of adversarial tools.
By leveraging behavioral indicators such as unique C2 responses, cybersecurity teams can enhance their defenses against this evolving threat.