GhostSocks - Partner In Proxy
Essential information
- Published: 25/02/2025 13:58
- Modified: 25/02/2025 14:43
- Tags: 2025-02-25 anti-fraud bypass backconnect proxy c2 infrastructure credential abuse ghostsocks golang lummac2 malware-as-a-service socks5 vdsina
- Related entities: 17 observables, 8 techniques (MITRE), 2 malware, 1 others
Description
GhostSocks is a Golang-based SOCKS5 backconnect proxy malware first identified in October 2023. It is deployed primarily alongside the LummaC2 information stealer and is offered as Malware-as-a-Service. GhostSocks uses a relay-based C2 implementation with an HTTP API that lets attackers route traffic through infected systems. Its integration with Lumma, including automatic provisioning and discounted pricing, extends post-infection capabilities for credential abuse and anti-fraud bypass. GhostSocks also contains backdoor functionality such as arbitrary command execution and credential modification. Its C2 infrastructure operates largely on VDSina (AS216071), a Russian-speaking server provider. The malware exemplifies the commodification of SOCKS5 backconnect malware in the criminal ecosystem and poses a significant threat to financial institutions and other high-value targets.