| PTSOCKET | |
| --- | --- |
| Type of Malware | Infostealer |
| Country of Origin | China |
| Targeted Countries | United States |
| Date of Initial Activity | 2022 |
| Associated Groups | Mustang Panda |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Login Credentials |
Overview
PTSOCKET is a highly specialized malware tool used for file transfer and data exfiltration in cyberattacks. It leverages a customized version of TouchSocket, built on the Duplex Message Transport Protocol (DMTP), to facilitate secure and covert communication between the infected system and the attacker’s command-and-control (C2) infrastructure. The malware has gained notoriety for its ability to exfiltrate data in a multi-threaded manner, making it a powerful asset for cybercriminals seeking to steal sensitive information while avoiding detection.
The primary purpose of PTSOCKET is to act as an efficient data exfiltration tool. Once a system is compromised, PTSOCKET silently transfers files containing valuable information, such as login credentials, system configurations, and other proprietary data. By utilizing DMTP, the malware ensures encrypted and secure communication, which is often indistinguishable from legitimate network traffic, thus evading network monitoring tools. The use of TouchSocket over DMTP also allows PTSOCKET to operate effectively across various environments, making it adaptable to different network infrastructures and security measures.
Targets
Information
How they operate
Upon execution, PTSOCKET begins its operation by establishing a secure connection with a command-and-control (C2) server via DMTP. Unlike other communication protocols that may leave identifiable traces, DMTP’s design helps obfuscate network traffic, so the exfiltration process remains undetected by network monitoring tools. The malware encrypts its communications, which makes it especially difficult for security systems to flag or block its data transfers. The use of DMTP further enhances the malware’s ability to mimic legitimate traffic patterns, so that its activity blends into regular network operations.
One of the primary functions of PTSOCKET is its ability to exfiltrate files. It operates in multi-threaded mode, a feature that significantly accelerates the exfiltration process: PTSOCKET can send multiple files concurrently, allowing large volumes of sensitive data to be transferred quickly and efficiently. Multi-threading also helps the malware avoid triggering performance-based red flags, because the file transfers are spread across separate threads rather than concentrated on a single thread or resource. This technique allows PTSOCKET to carry out rapid, high-volume exfiltration with minimal detection risk.
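From the defender's side, the multi-threaded transfer described above has a recognisable traffic shape: one process opening several outbound flows to the same host in a short window, with a large aggregate egress volume. The following added example (not code from the original page or from any PTSOCKET sample) runs that heuristic over constructed connection-log lines; the log format, process names, addresses and thresholds are all assumptions for illustration and should be tuned to the environment.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed endpoint/netflow-style records (not from a real PTSOCKET capture):
# ts (epoch seconds), pid, process, dst_ip, dst_port, bytes_out
SAMPLE_LOG = """\
ts,pid,process,dst_ip,dst_port,bytes_out
1700000000,4120,svchost.exe,203.0.113.10,443,2100000
1700000001,4120,svchost.exe,203.0.113.10,443,1900000
1700000001,4120,svchost.exe,203.0.113.10,443,2300000
1700000002,4120,svchost.exe,203.0.113.10,443,2000000
1700000003,4120,svchost.exe,203.0.113.10,443,1800000
1700000000,2208,chrome.exe,198.51.100.7,443,900000
1700000010,2208,chrome.exe,198.51.100.7,443,120000
1700000020,2208,chrome.exe,198.51.100.8,443,300000
1700000030,3050,outlook.exe,198.51.100.20,443,4500
"""


def parse_log(text):
    """Parse the CSV log into typed records."""
    return [
        {"ts": int(r["ts"]), "pid": int(r["pid"]), "process": r["process"],
         "dst_ip": r["dst_ip"], "dst_port": int(r["dst_port"]),
         "bytes_out": int(r["bytes_out"])}
        for r in csv.DictReader(StringIO(text))
    ]


def detect_parallel_egress(records, window_s=60, min_streams=4, min_bytes=5_000_000):
    """Bucket flows by (pid, process, dst_ip) and a fixed time window; flag a bucket
    when one process opened >= min_streams flows to the same host inside the window
    and sent >= min_bytes in total. Thresholds are constructed defaults."""
    buckets = defaultdict(lambda: {"streams": 0, "bytes_out": 0})
    for r in records:
        key = (r["pid"], r["process"], r["dst_ip"], r["ts"] // window_s)
        buckets[key]["streams"] += 1
        buckets[key]["bytes_out"] += r["bytes_out"]
    findings = []
    for (pid, proc, dst, _win), agg in sorted(buckets.items()):
        if agg["streams"] >= min_streams and agg["bytes_out"] >= min_bytes:
            findings.append({"pid": pid, "process": proc, "dst_ip": dst, **agg})
    return findings


if __name__ == "__main__":
    for f in detect_parallel_egress(parse_log(SAMPLE_LOG)):
        print(f"ALERT pid={f['pid']} {f['process']} -> {f['dst_ip']}: "
              f"{f['streams']} parallel streams, {f['bytes_out']} bytes out")
```

Encrypted DMTP traffic on port 443 gives content inspection nothing to work with, so a per-process flow-count and volume baseline of this kind is one of the few signals that survives the encryption the page describes.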
In addition to its multi-threaded file transfer capabilities, PTSOCKET is adept at bypassing security defenses, making it a particularly dangerous tool in advanced persistent threat (APT) campaigns. Once it is deployed on an infected machine, the malware attempts to maintain a low profile by encrypting the data it transfers and using steganography techniques to hide its true purpose. PTSOCKET can be configured to avoid network traffic detection, allowing it to operate for extended periods without raising suspicion. It achieves this by executing under normal system processes, making its activity appear innocuous when observed in a network traffic analysis.
The combination of encrypted communication, multi-threaded exfiltration, and evasion techniques makes PTSOCKET highly effective in targeted cyberattacks. It facilitates the continuous extraction of valuable data, often targeting confidential documents, credentials, intellectual property, or other sensitive information that cybercriminals or APT groups can exploit. Its seamless integration into existing network environments and its ability to avoid traditional security measures have made it a favored tool for attackers conducting long-term, low-profile campaigns. As such, PTSOCKET serves as a prime example of how modern malware evolves to adapt to sophisticated security measures and the increasing demand for covert data exfiltration.