GhostSocks: From Initial Access to Residential Proxy
Oct. 1, 2025, 9:14 a.m.
Description
GhostSocks is a Malware-as-a-Service (MaaS) offering that converts compromised devices into residential proxies, enabling threat actors to bypass anti-fraud mechanisms. Introduced in October 2023, it gained popularity after partnering with LummaStealer in February 2024. The malware is written in Golang, uses obfuscation techniques, and can be built as a 32-bit DLL or executable. It does not implement persistence mechanisms and instead focuses on SOCKS5 functionality. GhostSocks uses a configuration file or a hardcoded config to connect to its C2 servers, randomly generates credentials, and establishes a SOCKS5 connection using open-source libraries. Despite law enforcement actions against related platforms, GhostSocks continues to operate, posing ongoing risks of double victimization and long-term network access for cybercriminals.
Date
- Created: Oct. 1, 2025, 7:39 a.m.
- Published: Oct. 1, 2025, 7:39 a.m.
- Modified: Oct. 1, 2025, 9:14 a.m.
Indicators
- https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy
Additional Information
- Russian Federation