GhostSocks, a Golang-based SOCKS5 backconnect proxy malware, has emerged as a significant threat within the cybercrime ecosystem.
First identified in October 2023 on Russian-language forums, its distribution expanded to English-speaking criminal platforms by mid-2024.
This malware operates as part of a Malware-as-a-Service (MaaS) model, allowing threat actors to exploit compromised systems for financial gain.
Its integration with the LummaC2 information stealer further amplifies its potential, enabling advanced credential abuse and bypassing anti-fraud mechanisms.
The partnership between GhostSocks and LummaC2 was formalized in February 2024, offering features like automatic provisioning through Lumma’s administration panel.
Additionally, discounts for Lumma users have incentivized adoption.
GhostSocks employs anti-sandboxing techniques and obfuscation methods, including the use of tools like Garble and Gofuscator, to evade detection.
These features make it a preferred choice for attackers targeting high-value sectors such as financial institutions.
At its core, GhostSocks leverages a SOCKS5 backconnect proxy to reroute network traffic through compromised systems.
An annotated view of the embedded configuration structure (the trailing comments are the analyst's notes, not part of the data):

    {
        "buildVersion": "0pTk.PWh2DyJ",              // likely an internal reference to the current build version
        "md5": "bb857552657a9c31e68797e9bd30ac2",    // the MD5 hash of the malware on disk, gathered via GetModuleHandle
        "proxyUsername": "uDoSfUGf",                  // the SOCKS5 backconnect username to be used
        "proxyPassword": "uDoSfUGf",                  // the SOCKS5 backconnect password to be used
        "userId": "gpn4wrgAehjlgkUKkN33e4iDkc1OfRHA" // likely identifies the affiliate
    }
This approach masks the attacker’s origin and bypasses geographic restrictions and IP-based security measures.
Upon initialization, the malware creates an embedded configuration structure containing hardcoded data and dynamically calculated values.
This configuration is obfuscated and stored locally before establishing communication with its command-and-control (C2) infrastructure.
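The following triage helper is an added example and is not code from the article or from the malware authors. It assumes the configuration has already been recovered in plaintext (for example from a memory dump after deobfuscation) and appears as a JSON-like object using the key names the article shows; the sample blob is constructed here, reusing the values from the annotated dump above.

```python
import json
import re
from typing import Optional

# Keys the article lists in the embedded configuration structure.
EXPECTED_KEYS = {"buildVersion", "md5", "proxyUsername", "proxyPassword", "userId"}

# Candidate objects: a brace-delimited span that mentions the SOCKS5 credential key.
_OBJECT_RE = re.compile(rb"\{[^{}]*proxyUsername[^{}]*\}")
_COMMENT_RE = re.compile(r"//[^\n]*")
_TRAILING_COMMA_RE = re.compile(r",\s*}")


def _normalise(raw: str) -> str:
    """Turn an annotated dump into strict JSON: straight quotes, no comments, no trailing comma."""
    text = raw.replace("\u201c", '"').replace("\u201d", '"')
    text = _COMMENT_RE.sub("", text)
    return _TRAILING_COMMA_RE.sub("}", text)


def extract_config(blob: bytes) -> Optional[dict]:
    """Return the first GhostSocks-style config found in blob, with triage flags, or None."""
    for match in _OBJECT_RE.finditer(blob):
        try:
            cfg = json.loads(_normalise(match.group(0).decode("utf-8", "replace")))
        except json.JSONDecodeError:
            continue  # brace span that was not a configuration object
        if not EXPECTED_KEYS.issubset(cfg):
            continue
        md5 = str(cfg["md5"]).lower()
        return {
            **{k: cfg[k] for k in EXPECTED_KEYS},
            # A real MD5 is 32 hex digits; anything else is truncated or not an MD5 at all.
            "md5_wellformed": re.fullmatch(r"[0-9a-f]{32}", md5) is not None,
            # Identical username and password is worth recording when hunting for the proxy credentials.
            "same_credentials": cfg["proxyUsername"] == cfg["proxyPassword"],
        }
    return None


# Constructed sample: the article's annotated config embedded between unrelated bytes.
SAMPLE_BLOB = b"\x00\x01 padding bytes " + (
    "{\n"
    "\u201cbuildVersion\u201d: \u201c0pTk.PWh2DyJ\u201d, // build tag\n"
    "\u201cmd5\u201d: \u201cbb857552657a9c31e68797e9bd30ac2\u201d, // on-disk hash\n"
    "\u201cproxyUsername\u201d: \u201cuDoSfUGf\u201d, // SOCKS5 user\n"
    "\u201cproxyPassword\u201d: \u201cuDoSfUGf\u201d, // SOCKS5 password\n"
    "\u201cuserId\u201d: \u201cgpn4wrgAehjlgkUKkN33e4iDkc1OfRHA\u201d, // affiliate\n"
    "}"
).encode("utf-8") + b" trailing bytes"

if __name__ == "__main__":
    print(json.dumps(extract_config(SAMPLE_BLOB), indent=2))
```

Note that the MD5 value shown in the article is only 31 hex digits, so the helper flags it as malformed rather than trusting it as a hash indicator.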
The malware initiates a relay-based C2 communication process using HTTP APIs.
It queries intermediary servers (Tier 2 relays) to obtain Tier 1 relay IPs and ports, which are used to establish TCP connections for SOCKS5 tunneling.
This allows attackers to exploit the victim’s IP address for fraudulent activities, such as bypassing financial institution security checks.
Infrawatch researchers identified multiple C2s and backconnect hosts associated with GhostSocks across various networks.
Most of these servers operate on ports like 3001 and are hosted on Russian-speaking Virtual Dedicated Server (VDS) providers such as VDSina.
The malware’s reliance on consistent C2 behavioral patterns, such as specific API key error responses, offers defenders an opportunity to track its activity.
GhostSocks extends its functionality beyond SOCKS5 proxying by incorporating backdoor capabilities.
These include arbitrary command execution, modification of SOCKS5 credentials, and downloading and executing malicious files.
These features enable attackers to maintain persistent access and further exploit infected systems.
GhostSocks exemplifies the growing commodification of backconnect proxy malware within the cybercrime landscape.
Its seamless integration with LummaC2 and availability via MaaS platforms highlight the increasing sophistication of adversarial tools.
By leveraging behavioral indicators such as unique C2 responses, cybersecurity teams can enhance their defenses against this evolving threat.