GhostSocks - Partner In Proxy

Feb. 25, 2025, 2:43 p.m.

Description

GhostSocks is a Golang-based SOCKS5 backconnect proxy malware first identified in October 2023. It is primarily deployed alongside the LummaC2 information stealer and offered as Malware-as-a-Service. GhostSocks uses a relay-based C2 implementation with an HTTP API, allowing attackers to route traffic through infected systems. The malware's integration with Lumma, including automatic provisioning and discounted pricing, enhances post-infection capabilities for credential abuse and for bypassing anti-fraud controls. GhostSocks also contains backdoor functionality, such as arbitrary command execution and credential modification. Its C2 infrastructure largely operates on VDSina (AS216071), a Russian-speaking server provider. The malware exemplifies the commodification of SOCKS5 backconnect malware in the criminal ecosystem, posing a significant threat to financial institutions and other high-value targets.

Date

  • Created: Feb. 25, 2025, 1:58 p.m.
  • Published: Feb. 25, 2025, 1:58 p.m.
  • Modified: Feb. 25, 2025, 2:43 p.m.

Indicators

  • c92b21bdb91fe4c0590212e650212528a1f608a2ea086ce5eb5ac6d05edc41f7
  • 86362ac6d972b1b55f1f434811d014316196f0e193878d8270dae939efb25908
  • 77.238.245.11
  • 38.180.61.247
  • 212.34.130.72
  • 195.200.31.22
  • 195.200.28.33
  • 185.21.13.144
  • 185.157.213.253
  • 185.245.106.67
  • 185.121.233.152
  • 46.8.236.61
  • 46.8.232.106
  • 91.142.74.28
  • 77.238.245.233
  • 77.238.224.56
  • 195.2.70.38

Attack Patterns

  • GhostSocks
  • LummaC2

Additional Information

  • Finance