A new malware strain dubbed GhostSocks is leveraging SOCKS5 backconnect proxies to bypass anti-fraud mechanisms and geographic restrictions, according to a report by cybersecurity firm Infrawatch.
The Golang-based malware, first advertised on Russian-language forums in October 2023, has recently expanded to English-speaking cybercriminal communities, offering attackers a streamlined method to monetize compromised systems through credential abuse and residential proxy networks.
GhostSocks operates as a Malware-as-a-Service (MaaS) model, distributed alongside the LummaC2 infostealer.
The malware’s integration with Lumma allows automatic provisioning to infected systems, creating a symbiotic relationship that enhances post-exploitation capabilities.
For a licensing fee of $150 in Bitcoin, threat actors gain access to customizable builds of GhostSocks, which include obfuscation techniques such as the Garble and Gofuscator tools to hinder analysis.
GhostSocks MaaS Login Panel (Source – Infrawatch)
The malware’s primary function is establishing SOCKS5 backconnect proxies, enabling attackers to route traffic through compromised devices.
This method masks the origin of malicious activities, allowing attackers to circumvent IP-based security controls employed by financial institutions and other high-value targets.
Infrawatch researchers identified a sample from February 2024 (SHA-256: c92b21bdb91fe4c0590212e650212528alf608a2ea086ce5eb5ac6d05edc41f7) that uses embedded JSON configurations for dynamic credential management.
{ “buildVersion”: “0pTk.PWh2DyJ”, “md5”: “bb857552657a9c31e68797e9bd30ac2”, “proxyUsername”: “uDoSfUGf”, “proxyPassword”: “uDoSfUGf”, “userId”: “gpn4wrgAehjlgkUKkN33e4iDkc10fRHA” }
Technical Mechanisms and Infrastructure
GhostSocks employs a relay-based command-and-control (C2) infrastructure, utilizing Tier 1 and Tier 2 servers to obscure communication.
Initial beaconing occurs via HTTP GET requests to endpoints such as /api/helper-first-register, with mandatory X-Api-Key headers containing 8-character alphanumeric strings (Fm2qKy29).
Failed authentication triggers a 403 Forbidden response with the body Forbidden: Invalid API Key, a signature used by Infrawatch to track C2 nodes.
The malware connects to Tier 1 relay servers (185.21.13[.]144:30820) to establish SOCKS5 tunnels.
Attackers leverage these tunnels to route traffic through victims’ IP addresses, bypassing geolocation filters. Infrawatch identified critical C2 infrastructure hosted on VDSina (AS216071), a UAE-based provider known for hosting commercial VPNs and proxy services.
Beyond proxy functionality, GhostSocks includes backdoor modules for arbitrary command execution (cmd.exe /C), credential rotation, and payload delivery. These features are controlled via command IDs (5 for shell access), enabling attackers to maintain persistence and adapt to defensive measures.
Infrawatch’s YARA rule detects GhostSocks C2 traffic by targeting port 30001 and HTTP header hashes:-
rule GhostSocks { condition: http.port == 30001 and http.body == “Forbidden: Invalid API Key” and http.headers_hash == “86362ac6d972b1b55f1f434811d014316196f0e193878d8270dae939efb25908” }
The firm advises organizations to monitor the IOCs, including IPs like 91.142.74[.]28 and 195.200.28[.]33, and block traffic to AS216071.
