GhostSocks Malware Can Slip Past Detection Systems

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint cyber security advisory on the growing threat of Ghost ransomware.

A variation of this strain of malware called GhostSocks is using SOCKS5 to bypass anti-fraud mechanisms and geographic restrictions.

First detected in 2021, this ransomware group has targeted organisations in over 70 countries, exploiting unpatched software, weak credentials, and outdated security configurations to infiltrate enterprise networks.

GhostSocks operates as a Malware-as-a-Service model, distributed alongside the LummaC2 infostealer. The new variant, first advertised on Russian-language forums in October 2023, has recently expanded to include English-speaking cyber criminals, offering attackers a sophisticated method to monetise compromised systems through credential abuse and residential proxy networks.

The malware’s connection with Lumma allows automatic provisioning to infected systems, creating a symbiotic relationship that enhances post-exploitation capabilities. For a licensing fee of $150 in Bitcoin, threat actors gain access to customisable builds of GhostSocks, which include obfuscation techniques such as Garble that are designed to frustrate analysis.

The malware’s primary function is establishing SOCKS5 back-connect proxies, enabling attackers to route traffic through compromised devices. This method masks the origin of malicious activities, allowing attackers to circumvent IP-based security controls employed by financial institutions and other high-value targets.

GhostSocks employs a relay-based command-and-control (C2) infrastructure, utilising Tier 1 and Tier 2 servers to obscure communication. Attackers can exploit these tunnels to route traffic through victims’ IP addresses, bypassing geolocation filters. Researchers at security firm Infrawatch have identified critical C2 infrastructure hosted on VDSina (AS216071), a UAE-based provider known for hosting commercial VPNs and proxy services.
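The SOCKS5 back-connect behaviour described above is what a defender would look for on the wire: the compromised host opens the outbound connection to the relay, and the relay then speaks SOCKS5 *to* the victim, the reverse of a normal proxy direction. The following Python is an added example, not code from the advisory, from CISA, or from any of the researchers cited here. It parses the two SOCKS5 handshake messages defined in RFC 1928 and flags flows where an internal host held a long-lived outbound connection on which the remote peer's first bytes were a SOCKS5 greeting. The flow records, addresses and the 300-second threshold are constructed assumptions for illustration.

```python
"""Added example: parse SOCKS5 handshake messages (RFC 1928) and flag flows
that look like a back-connect proxy session. The tell modelled here is an
inbound SOCKS5 greeting on a connection the internal host initiated. All
flow records below are constructed, not real telemetry."""
import ipaddress
import struct
from dataclasses import dataclass

# Private address space used to decide which side of a flow is "internal".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class Socks5Greeting:
    methods: list  # offered auth methods: 0x00 = no auth, 0x02 = username/password


@dataclass
class Socks5Request:
    cmd: int       # 0x01 CONNECT, 0x02 BIND, 0x03 UDP ASSOCIATE
    dst_addr: str
    dst_port: int


def parse_greeting(data: bytes):
    """Client greeting: VER=0x05 | NMETHODS | METHODS[NMETHODS]. None if not SOCKS5."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return Socks5Greeting(methods=list(data[2:2 + n]))


def parse_request(data: bytes):
    """Client request: VER=0x05 | CMD | RSV=0x00 | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:                       # IPv4, 4 bytes
        if len(data) < 10:
            return None
        addr, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:                     # domain name, length-prefixed
        ln = data[4]
        if len(data) < 5 + ln + 2:
            return None
        addr, off = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04:                     # IPv6, 16 bytes
        if len(data) < 22:
            return None
        addr, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return Socks5Request(cmd=cmd, dst_addr=addr, dst_port=port)


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    duration_s: int
    first_bytes_from_peer: bytes  # first payload bytes the *remote* side sent


def is_backconnect_candidate(flow: Flow, min_duration_s: int = 300) -> bool:
    """Internal host -> external peer, long-lived, and the peer opened with SOCKS5."""
    return (is_internal(flow.src) and not is_internal(flow.dst)
            and flow.duration_s >= min_duration_s
            and parse_greeting(flow.first_bytes_from_peer) is not None)


def find_candidates(flows):
    return [f for f in flows if is_backconnect_candidate(f)]


# Constructed sample flows (documentation-range addresses, hypothetical values).
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.5", 443, 3600, b"\x05\x01\x00"),          # SOCKS5 greeting from peer
    Flow("10.0.0.12", "203.0.113.9", 443, 3600, b"\x16\x03\x01\x00\xc8"),  # TLS ClientHello, benign
    Flow("10.0.0.20", "203.0.113.7", 443, 2, b"\x05\x01\x00"),             # too short-lived to count
    Flow("10.0.0.3", "10.0.0.1", 1080, 3600, b"\x05\x02\x00\x02"),         # internal SOCKS proxy, expected
]

if __name__ == "__main__":
    for f in find_candidates(SAMPLE_FLOWS):
        print(f"back-connect candidate: {f.src} -> {f.dst}:{f.dst_port} ({f.duration_s}s)")
```

The direction check is the part worth keeping when adapting this to real flow or proxy telemetry: a SOCKS5 greeting is unremarkable when an internal client sends it to a known proxy, but it is out of place when it arrives from an external peer on a session the endpoint opened itself.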

Since 2021, Ghost actors have attacked victims whose Internet-facing services ran outdated versions of software and firmware. This widespread targeting of vulnerable networks has led to the compromise of organisations internationally, including organisations in China.

Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small and medium-sized businesses.

CISA   |   Cybersecurity News   |   GBHackers   |    Malpedia   |   JDSupra   |   DFIR Report

Image: Unsplash
