Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

May 16, 2023 · Ravi Lakshmanan · Endpoint Security / Cyberthreat


A Golang implementation of Cobalt Strike called Geacon may attract the attention of attackers looking to target Apple macOS systems.

This finding comes from SentinelOne, who observed an increase in the number of Geacon payloads appearing on VirusTotal over the last few months.

Security researchers Phil Stokes and Dinesh Devadoss said in the report, “While some of these are likely red team operations, others bear the hallmarks of genuine malicious attacks.”

Cobalt Strike is a popular red teaming and adversary simulation tool developed by Fortra. Illegally cracked versions of the software have been abused by threat actors for years because of its myriad post-exploitation features.

Post-exploitation activity involving Cobalt Strike has mostly focused on Windows; such attacks against macOS remain rare.


In May 2022, software supply chain company Sonatype disclosed details of a malicious Python package called “pymafka” designed to drop Cobalt Strike Beacons on compromised Windows, macOS, and Linux hosts.

But that could change as Geacon artifacts begin to appear in the wild. Geacon is a Go variant of Cobalt Strike that has been available on GitHub since February 2020.

Further analysis of two new VirusTotal samples uploaded in April 2023 suggests that they originated from two Geacon variants (geacon_plus and geacon_pro).

The geacon_pro project is no longer accessible on GitHub, but an Internet Archive snapshot captured on March 6, 2023 reveals that it advertised the ability to bypass antivirus engines such as Microsoft Defender, Kaspersky and Qihoo 360's 360 Core Crystal.


H4de5, the developer of geacon_pro, claims that the tool is primarily designed to support CobaltStrike version 4.1 and above, while geacon_plus supports CobaltStrike version 4.0. The current version of the software is 4.8.

One of the artifacts discovered by SentinelOne, Xu Yiqing’s Resume_20230320.app, uses an execute-only AppleScript to reach a remote server and download a Geacon payload. The payload is compatible with both Apple silicon and Intel architectures.

“Unsigned Geacon payloads were obtained from Chinese IP addresses,” the researchers said. “Before starting its beaconing activity, the user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a résumé of an individual named ‘Xu Yiqing’.”

The Geacon binary, compiled from the geacon_plus source code, is packed with features that facilitate downloading next-stage payloads, exfiltrating data, and handling network communication.
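The traits the article attributes to these samples (Go-built, universal Intel plus Apple silicon, unsigned) can be checked offline from the Mach-O headers alone, which is useful when triaging a batch of suspicious bundles before running them through a sandbox. The following is an added example written for this article; it is not SentinelOne's tooling or code from the Geacon projects. It parses the fat header and 64-bit load commands, looks for the `__DATA,__go_buildinfo` section the Go linker emits into Mach-O output, and records whether each slice carries an `LC_CODE_SIGNATURE` command. The sample binaries are constructed inline for demonstration and are not the actual Geacon artifacts.

```python
"""Added triage helper (not from SentinelOne or the article): given the bytes of a
Mach-O file, report its architectures, whether it carries a Go build-info section,
and whether each slice embeds a code signature blob. The sample binaries below are
constructed in-line for demonstration; they are not the Geacon samples."""
import struct

FAT_MAGIC = 0xCAFEBABE            # universal ("fat") header, always big-endian
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O header, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_macho64(blob, base=0):
    """Walk the load commands of one 64-bit Mach-O image starting at blob[base]."""
    magic, cputype, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", blob, base)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off = base + 32                       # mach_header_64 is 32 bytes
    sections, signed = [], False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_CODE_SIGNATURE:      # an embedded signature blob is present
            signed = True
        elif cmd == LC_SEGMENT_64:
            segname = blob[off + 8:off + 24].rstrip(b"\0").decode()
            nsects = struct.unpack_from("<I", blob, off + 64)[0]
            sect = off + 72               # segment_command_64 is 72 bytes
            for _ in range(nsects):       # each section_64 entry is 80 bytes
                sectname = blob[sect:sect + 16].rstrip(b"\0").decode()
                sections.append((segname, sectname))
                sect += 80
        off += cmdsize
    return {"arch": ARCH_NAMES.get(cputype, hex(cputype)), "sections": sections, "signed": signed}


def parse_images(blob):
    """Return the list of Mach-O images in a thin or universal file."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        images = []
        for i in range(nfat):             # fat_arch entries are 20 bytes, big-endian
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            images.append(parse_macho64(blob, offset))
        return images
    return [parse_macho64(blob, 0)]


def triage(blob):
    """Summarise the traits the article associates with the Geacon samples."""
    images = parse_images(blob)
    archs = sorted(img["arch"] for img in images)
    return {
        "archs": archs,
        "universal": {"arm64", "x86_64"} <= set(archs),
        # the Go linker emits a __DATA,__go_buildinfo section into Mach-O output
        "go_buildinfo": any(("__DATA", "__go_buildinfo") in img["sections"] for img in images),
        # slices with no LC_CODE_SIGNATURE at all (ad-hoc signed slices still have one)
        "no_sig_archs": [img["arch"] for img in images if not img["signed"]],
    }


# --- constructed sample files (synthetic, for demonstration only) ---------------

def _build_macho64(cputype, sections, signed):
    """Assemble a minimal mach_header_64 plus one __DATA segment and optional signature."""
    cmds = b""
    if sections:
        seg = struct.pack("<2I", LC_SEGMENT_64, 72 + 80 * len(sections))
        seg += b"__DATA".ljust(16, b"\0") + struct.pack("<4Q2I", 0, 0, 0, 0, 3, 3)
        seg += struct.pack("<2I", len(sections), 0)
        for segname, sectname in sections:
            seg += sectname.encode().ljust(16, b"\0") + segname.encode().ljust(16, b"\0")
            seg += struct.pack("<2Q8I", *([0] * 10))
        cmds += seg
    if signed:                            # linkedit_data_command: cmd, cmdsize, dataoff, datasize
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    ncmds = (1 if sections else 0) + (1 if signed else 0)
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE, ncmds, len(cmds), 0, 0) + cmds


def _build_fat(slices):
    """slices: list of (cputype, image_bytes); each slice is placed on a 4 KiB boundary."""
    out = bytearray(0x1000 * (len(slices) + 1))
    out[:8] = struct.pack(">2I", FAT_MAGIC, len(slices))
    for i, (cputype, image) in enumerate(slices):
        offset = 0x1000 * (i + 1)
        out[8 + 20 * i:28 + 20 * i] = struct.pack(">5I", cputype, 0, offset, len(image), 12)
        out[offset:offset + len(image)] = image
    return bytes(out)


GO_SECTIONS = [("__DATA", "__go_buildinfo")]
# constructed: unsigned universal Go binary, the shape the article describes
SAMPLE_UNIVERSAL_GO = _build_fat([
    (CPU_TYPE_X86_64, _build_macho64(CPU_TYPE_X86_64, GO_SECTIONS, False)),
    (CPU_TYPE_ARM64, _build_macho64(CPU_TYPE_ARM64, GO_SECTIONS, False)),
])
# constructed: signed arm64-only non-Go binary for comparison
SAMPLE_SIGNED_NATIVE = _build_macho64(CPU_TYPE_ARM64, [("__DATA", "__data")], True)

if __name__ == "__main__":
    for name, blob in (("universal-go", SAMPLE_UNIVERSAL_GO), ("signed-native", SAMPLE_SIGNED_NATIVE)):
        print(name, triage(blob))
```

Feed `triage()` the bytes of the main executable inside a bundle (`Contents/MacOS/<name>`) to get the same summary for a real file. The `no_sig_archs` field only says whether a signature blob is embedded: a slice that is ad-hoc signed still carries `LC_CODE_SIGNATURE`, so on a Mac the authoritative check remains `codesign -dv --verbose=4` on the bundle, which also shows whether the signing identity chains to Apple.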


According to the cybersecurity firm, the second sample is embedded within a trojanized app masquerading as the SecureLink remote support app (SecureLink.app) and primarily targets Intel devices.

The bare-bones, unsigned application asks the user for permission to access contacts, photos, reminders, and the device’s camera and microphone. Its main component is a Geacon payload built from the geacon_pro project that connects to a known command and control (C2) server in Japan.

This development comes as the macOS ecosystem is being targeted by various threat actors, including state-backed groups, to deploy backdoors and information stealers.

“The increase in Geacon samples in recent months suggests that security teams should take note of this tool and ensure protection is in place.”
