GhostSocks, Go-based malware that turns infected hosts into SOCKS5 backconnect proxies, has become a significant tool in the cybercriminal ecosystem.
First identified in October 2023 on Russian-language forums and later expanded to English-speaking forums in mid-2024, this malware operates as part of a Malware-as-a-Service (MaaS) model.
It is closely integrated with the LummaC2 information stealer: credentials Lumma steals can be replayed through the victim's own internet connection, which defeats anti-fraud controls that key on the IP address or location of a login.
The partnership between GhostSocks and LummaC2 was formalized in February 2024, enabling automatic provisioning of GhostSocks through Lumma’s administrative panel.
This integration offers attackers seamless deployment and discounted access, further solidifying its role in post-infection monetization strategies.
By routing traffic through victims’ internet connections, GhostSocks effectively circumvents geographic restrictions and IP-based security measures, making it particularly valuable for targeting financial institutions and other high-value entities.
Command-and-Control Mechanisms
GhostSocks employs obfuscation techniques, such as the Go obfuscator Garble and inline XOR-based string deobfuscation, to hinder static analysis and evade detection.
Upon execution, it initializes an embedded configuration structure containing hardcoded data and dynamically calculated values.
This configuration is encoded into a JSON object, obfuscated, and stored locally.
The malware then establishes communication with its command-and-control (C2) infrastructure using a relay-based architecture.
The initial beaconing process involves HTTP GET requests to intermediary servers that relay traffic between the infected system and the primary C2 server.
Authentication relies on pseudo-random alphanumeric strings rather than values tied to the malware's configuration, so the token cannot be extracted from a sample and used as a static indicator.
Once authenticated, the C2 responds with an IP address and port pair for establishing a SOCKS5 backconnect tunnel.
This setup allows attackers to route their traffic through the victim’s system, masking their true origin.
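The backconnect direction described above is the detail a detection engineer most needs to internalise: the infected host opens the TCP connection outbound to the IP:port the C2 handed it, then acts as the SOCKS5 server on that socket, so the SOCKS5 greeting arrives from the remote peer. The following Python is an added illustration, not GhostSocks code and not taken from the Infrawatch report; it simulates both ends of the tunnel in-process with a socketpair standing in for the bot's outbound connection, using the standard RFC 1928 greeting and RFC 1929 username/password exchange. The credentials, the CONNECT target and the detection heuristic at the end are assumptions made for the demo.

```python
import socket
import struct
import threading

# Protocol constants from RFC 1928 / RFC 1929.
SOCKS_VERSION = 0x05
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
AUTH_VERSION = 0x01
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS5 fields are length-prefixed, not delimited."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 negotiation")
        buf += chunk
    return buf


def operator_session(sock, username, password, host, port):
    """Operator side: sends the greeting, authenticates, issues CONNECT. Returns REP code or None."""
    sock.sendall(bytes([SOCKS_VERSION, 1, METHOD_USERPASS]))
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != METHOD_USERPASS:
        raise ConnectionError("bot did not offer username/password auth")
    u, p = username.encode(), password.encode()
    sock.sendall(bytes([AUTH_VERSION, len(u)]) + u + bytes([len(p)]) + p)
    _, status = recv_exact(sock, 2)
    if status != 0:
        return None  # auth rejected, session ends
    h = host.encode()
    sock.sendall(bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port))
    reply = recv_exact(sock, 4)  # VER REP RSV ATYP
    # Drain BND.ADDR and BND.PORT so the stream stays in sync.
    if reply[3] == ATYP_IPV4:
        recv_exact(sock, 4 + 2)
    elif reply[3] == ATYP_DOMAIN:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    else:
        recv_exact(sock, 16 + 2)
    return reply[1]


def bot_session(sock, credentials, log):
    """Bot side: SOCKS5 *server* logic running on a connection the bot itself initiated."""
    ver, nmethods = recv_exact(sock, 2)
    methods = recv_exact(sock, nmethods)
    if ver != SOCKS_VERSION or METHOD_USERPASS not in methods:
        sock.sendall(bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE]))
        return
    sock.sendall(bytes([SOCKS_VERSION, METHOD_USERPASS]))
    auth_ver, ulen = recv_exact(sock, 2)
    user = recv_exact(sock, ulen).decode()
    pw = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    ok = auth_ver == AUTH_VERSION and credentials.get(user) == pw
    sock.sendall(bytes([AUTH_VERSION, 0 if ok else 1]))
    log["auth"] = "accepted" if ok else "rejected"
    if not ok:
        return
    _ver, _cmd, _rsv, atyp = recv_exact(sock, 4)
    if atyp == ATYP_IPV4:
        target = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        target = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    else:
        target = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    log["target"] = (target, struct.unpack("!H", recv_exact(sock, 2))[0])
    # A real bot would now connect to the target from the victim's IP and relay bytes.
    # Here we only send a success reply (REP=0x00) with a zero bind address.
    sock.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + b"\x00" * 6)


def run_backconnect_demo(username="bot-user", password="bot-pass", target=("example.com", 443)):
    """Drive one tunnel negotiation in-process; returns what the bot was asked to do."""
    bot_sock, operator_sock = socket.socketpair()  # stands in for the bot's outbound TCP connection
    log = {}
    t = threading.Thread(target=bot_session, args=(bot_sock, {"bot-user": "bot-pass"}, log))
    t.start()
    log["reply"] = operator_session(operator_sock, username, password, *target)
    t.join()
    bot_sock.close()
    operator_sock.close()
    return log


def first_bytes_look_like_socks5_greeting(data):
    """Assumed detection heuristic: a well-formed SOCKS5 client greeting (VER=5, NMETHODS, METHODS)
    arriving FROM the remote end of a connection this host initiated is the backconnect signature."""
    return len(data) >= 3 and data[0] == SOCKS_VERSION and data[1] >= 1 and len(data) == 2 + data[1]


if __name__ == "__main__":
    print(run_backconnect_demo())
```

The heuristic at the end is the point for defenders: ordinary SOCKS5 traffic from a workstation shows the greeting leaving the host; a backconnect proxy shows it arriving on a socket the host opened, which is visible in full-packet capture or in a NIDS rule that tracks connection direction.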
Infrawatch researchers identified multiple Tier 1 relay nodes and C2 servers used by GhostSocks.
These servers are predominantly hosted with Russian-language infrastructure providers such as VDSina (AS216071), which also hosts commercial VPN services.
The use of shared infrastructure highlights the commodification of such tools within the cybercrime ecosystem.
Expanded Functionality Beyond Proxies
In addition to its primary SOCKS5 proxy capabilities, GhostSocks includes backdoor functionalities that enhance its operational scope:
- Arbitrary Command Execution: Executes commands sent by the C2 server.
- Credential Modification: Allows attackers to update SOCKS5 credentials dynamically.
- Executable Deployment: Downloads and executes arbitrary files on infected systems.
These features make GhostSocks a versatile tool for post-exploitation activities.
GhostSocks exemplifies the growing sophistication of MaaS offerings and their integration into broader cybercriminal operations.
Its ability to evade detection through obfuscation and relay-based C2 communication poses challenges for traditional security mechanisms.
However, defenders can use behavioral indicators, such as the consistent error responses its relays return to requests carrying an X-Api-Key header, to identify and block the infrastructure proactively.
Because that infrastructure sits on the same providers as legitimate VPN and proxy services, tracking GhostSocks C2 activity specifically, rather than relying on provider-level reputation, lets organizations strengthen their defenses against this evolving threat.
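The response-consistency indicator mentioned above can be turned into a hunting check. The Python below is an added example, not tooling from the original article or from Infrawatch: it sends several GET requests to a candidate host, each with a fresh pseudo-random alphanumeric X-Api-Key, and reports the host only if every reply is the same 4xx/5xx error. The actual status code and body that GhostSocks relays return are not known to this example, so the signature is derived from the observed responses rather than hardcoded; the hostnames and the canned responses used by the offline fetchers are constructed.

```python
import secrets
import string
import urllib.error
import urllib.request
from collections import namedtuple

Response = namedtuple("Response", "status body")


def random_api_key(length=32):
    """Fresh pseudo-random alphanumeric token, mirroring the kind of value the bot sends."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def consistent_error_signature(responses, min_samples=3):
    """Return the (status, body) pair if every response is an identical 4xx/5xx error, else None.

    Identical errors for unrelated keys mean the key value is not being looked up, which is
    the behaviour the article attributes to GhostSocks relays."""
    if len(responses) < min_samples:
        return None
    first = responses[0]
    if not 400 <= first.status <= 599:
        return None
    return first if all(r == first for r in responses[1:]) else None


def fetch_with_key(url, key, timeout=5):
    """Live fetcher: one GET carrying X-Api-Key; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"X-Api-Key": key, "User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read(512))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read(512))


def probe_host(url, samples=3, fetch=fetch_with_key):
    """Probe `url` with `samples` distinct random keys and return the error signature or None."""
    responses = [fetch(url, random_api_key()) for _ in range(samples)]
    return consistent_error_signature(responses, min_samples=samples)


# Constructed offline fetchers standing in for two kinds of host (no network access needed).
def fake_fetch_relay(url, key):
    # Constructed: ignores the key entirely and always returns the same error.
    return Response(403, b'{"error":"unauthorized"}')


def fake_fetch_webapp(url, key):
    # Constructed: a normal API that reflects the rejected key, so each response differs.
    return Response(401, b"bad key: " + key.encode())


if __name__ == "__main__":
    print(probe_host("http://relay.example/", fetch=fake_fetch_relay))
    print(probe_host("http://app.example/", fetch=fake_fetch_webapp))
```

Run this only over hosts you already suspect, such as the relay and C2 candidates on the providers the article names, not as a broad scan: any server that ignores the header will pass the consistency test, so the result is a filter to combine with the other indicators (hosting, SOCKS5 backconnect behaviour), not a verdict on its own.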