GhostSocks Malware Can Slip Past Detection Systems

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint cyber security advisory on the growing threat of Ghost ransomware.

A variation of this strain of malware called GhostSocks is using SOCKS5 to bypass anti-fraud mechanisms and geographic restrictions.

First detected in 2021, this ransomware group has targeted organisations in over 70 countries, exploiting unpatched software, weak credentials, and outdated security configurations to infiltrate enterprise networks.

GhostSocks operates as a Malware-as-a-Service model, distributed alongside the LummaC2 infostealer. The new variant, first advertised on Russian-language forums in October 2023, has recently expanded to include English-speaking cyber criminals, offering attackers a sophisticated method to monetise compromised systems through credential abuse and residential proxy networks.

The malware’s connection with Lumma allows automatic provisioning to infected systems, creating a symbiotic relationship that enhances post-exploitation capabilities. For a licensing fee of $150 in Bitcoin, threat actors gain access to customisable builds of GhostSocks, which include obfuscation techniques such as Garble that are designed to frustrate analysis.

The malware’s primary function is establishing SOCKS5 back-connect proxies, enabling attackers to route traffic through compromised devices. This method masks the origin of malicious activities, allowing attackers to circumvent IP-based security controls employed by financial institutions and other high-value targets.

GhostSocks employs a relay-based command-and-control (C2) infrastructure, utilising Tier 1 and Tier 2 servers to obscure communication. Attackers can exploit these tunnels to route traffic through victims’ IP addresses, bypassing geolocation filters. Researchers at security firm Infrawatch have identified critical C2 infrastructure hosted on VDSina (AS216071), a UAE-based provider known for hosting commercial VPNs and proxy services.
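The two paragraphs above describe the technique from the attacker's side: the infected host dials out to a relay, and the relay then drives a SOCKS5 handshake over that outbound connection, so the victim's IP becomes the apparent source of whatever the operator browses. The following is an added defender-side example, not code from the article, from CISA, or from any vendor named on this page. It parses the SOCKS5 messages defined in RFC 1928 and flags flows in which the remote peer, rather than the host that opened the connection, sends the SOCKS5 greeting, which is the signature of a back-connect proxy. The flow records, hostnames and addresses are constructed for illustration; a real deployment would feed it the first payload bytes of each direction from a network sensor.

```python
"""Flag reverse ("back-connect") SOCKS5 sessions in captured flow records.

Added example, not code from the article or from any named vendor.
In a normal SOCKS5 session (RFC 1928) the host that opened the TCP
connection sends the greeting. A back-connect proxy inverts this: the
infected host dials out to a relay, and the *remote* side then sends the
SOCKS5 greeting over the already-open connection. All sample data below
is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class Flow:
    src: str        # monitored host that opened the TCP connection
    dst: str        # remote peer it connected to
    dst_port: int
    c2s: bytes      # first payload bytes sent by the initiator
    s2c: bytes      # first payload bytes sent by the remote peer (concatenated)


def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting: VER=5, NMETHODS, METHODS[NMETHODS]."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return False
    nmethods = data[1]
    return nmethods > 0 and len(data) >= 2 + nmethods


def parse_socks5_request(data: bytes) -> Optional[dict]:
    """Request after authentication: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:                       # IPv4 address, 4 bytes
        if len(data) < 10:
            return None
        host = ".".join(str(b) for b in data[4:8])
        port = int.from_bytes(data[8:10], "big")
    elif atyp == 0x03:                     # length-prefixed domain name
        if len(data) < 5:
            return None
        n = data[4]
        if len(data) < 5 + n + 2:
            return None
        host = data[5:5 + n].decode("ascii", "replace")
        port = int.from_bytes(data[5 + n:7 + n], "big")
    elif atyp == 0x04:                     # IPv6 address, 16 bytes
        if len(data) < 22:
            return None
        host = data[4:20].hex()
        port = int.from_bytes(data[20:22], "big")
    else:
        return None
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def classify_flow(flow: Flow) -> str:
    """Label a flow by which side spoke SOCKS5 first."""
    if is_socks5_greeting(flow.s2c):
        return "back-connect-socks5"       # peer drives the handshake over our outbound connection
    if is_socks5_greeting(flow.c2s):
        return "forward-socks5"            # ordinary client use of a proxy
    return "other"


def back_connect_target(flow: Flow) -> Optional[dict]:
    """For a back-connect flow, recover what the relay asked the victim to reach."""
    if not is_socks5_greeting(flow.s2c):
        return None
    nmethods = flow.s2c[1]
    return parse_socks5_request(flow.s2c[2 + nmethods:])   # request follows the greeting


def scan(flows: List[Flow]) -> List[dict]:
    """Return one finding per flow in which the remote peer initiated SOCKS5."""
    hits = []
    for f in flows:
        if classify_flow(f) == "back-connect-socks5":
            hits.append({"src": f.src, "relay": f.dst, "relay_port": f.dst_port,
                         "target": back_connect_target(f)})
    return hits


# Constructed sample flows: a TLS session, a reverse SOCKS5 session where the
# peer asks the victim to CONNECT to bank.example:443, and a forward proxy use.
SAMPLE_FLOWS = [
    Flow("10.0.0.23", "203.0.113.10", 443, c2s=b"\x16\x03\x01", s2c=b"\x16\x03\x03"),
    Flow("10.0.0.42", "198.51.100.7", 8080, c2s=b"\x05\x00",
         s2c=b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0cbank.example\x01\xbb"),
    Flow("10.0.0.5", "10.0.0.250", 1080, c2s=b"\x05\x02\x00\x02", s2c=b"\x05\x00"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```

The three greeting bytes are short, so this is a triage signal rather than proof: combine a hit with the destination's reputation (for example, hosting in an ASN known for commercial proxy services, as the article notes for the relays found by Infrawatch) and with the unusual shape of the session, a long-lived outbound connection from a workstation over which the peer repeatedly issues CONNECT requests.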

Since 2021, Ghost actors have attacked victims whose Internet-facing services ran outdated versions of software and firmware. This widespread targeting of vulnerable networks has led to the compromise of organisations internationally, including organisations in China.

Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small and medium-sized businesses.

CISA   |   Cybersecurity News   |   GBHackers   |    Malpedia   |   JDSupra   |   DFIR Report
