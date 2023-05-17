



Threat actors are deploying Geacon, a Golang implementation of the Cobalt Strike beacon that first appeared on GitHub four years ago and had remained largely unnoticed until now.

They are using this red teaming and attack simulation tool against macOS systems in much the same way they have used Cobalt Strike for post-exploitation activity on Windows over the past several years.

Security researchers at SentinelOne reported the activity this week after discovering multiple Geacon payloads that had appeared on VirusTotal over the past few months. SentinelOne’s analysis of the samples indicated that some were likely related to legitimate corporate red team exercises, while others appeared to be artifacts of malicious activity.

One of the malicious samples, submitted to VirusTotal on April 5 under the name ‘Xu Yiqing’s Resume_20230320.app’, downloads an unsigned Geacon payload from a malicious server with a China-based IP address. The application is an AppleScript applet.

SentinelOne found that the application was compiled for macOS systems running on either Apple silicon or Intel processors. The applet contains logic to determine the architecture of the macOS system it is running on and then download the Geacon payload built for that architecture. The compiled Geacon binary itself contains an embedded PDF: the resume of an individual named Xu Yiqing is displayed first as a decoy, and only then does the binary beacon out to a command-and-control (C2) server.

“Compiled Geacon binaries have numerous functions for tasks such as network communication, encryption, decryption, downloading further payloads, and extracting data,” SentinelOne said.

In another example, SentinelOne discovered a Geacon payload embedded in a fake version of the SecureLink enterprise remote support application. This payload appeared on VirusTotal on April 11 and targeted only Intel-based macOS systems. Unlike the earlier Geacon sample, SentinelOne found the second sample to be a bare-bones unsigned application, presumably built with automated tools. The app asks the user to grant access to the device’s camera, microphone, administrative privileges, and other settings normally protected by the macOS Transparency, Consent, and Control (TCC) framework. In this case, the Geacon payload communicated with a known Cobalt Strike C2 server at an IP address based in Japan.

“This is not the first time we have seen a Trojan masquerading as SecureLink that incorporates an open source attack framework,” SentinelOne said. The security vendor pointed to another example, discovered last September, in which a fake SecureLink had the open-source macOS attack framework Sliver embedded in it. “[It is] a reminder to everyone that enterprise Macs are now being extensively targeted by a variety of threat actors,” SentinelOne said.

Sudden interest

Attackers have long used Cobalt Strike for a variety of malicious post-exploitation activities on Windows systems, including establishing command and control, lateral movement, payload generation, and exploit delivery. Occasionally, attackers have also used Cobalt Strike to target macOS. One example is last year’s typosquatting attack, in which the attacker attempted to deploy Cobalt Strike on Windows, Linux, and macOS systems by uploading a malicious package called “pymafka” to the PyPI registry.

In other instances, attackers used a macOS-focused red team tool called Mythic as part of their attack chain.

The activity involving Geacon itself began shortly after an anonymous Chinese researcher using the handle “z3ratu1” released two Geacon forks last October: “geacon_pro”, which appears to be sold privately, and “geacon-plus”, which is publicly available. According to Tom Hegel, senior threat researcher at SentinelOne, the Pro version includes additional features such as antivirus bypass and anti-kill capabilities.

He attributes the attackers’ sudden interest in Geacon to a blog post by z3ratu1 describing the two forks and promoting his work. The original Geacon project itself was intended primarily for protocol analysis and reverse engineering, he says.

Mac attack

The increasing malicious use of Geacon fits a broader pattern of growing attacker interest in macOS systems.

Earlier this year, Uptycs researchers reported on a new Mac malware sample called “MacStealer.” As the name suggests, it steals documents, iCloud Keychain data, browser cookies, and other data from Apple users. In April, the LockBit operators became the first major ransomware actor to develop a Mac version of their malware, and others are expected to follow suit. And last year, North Korea’s infamous Lazarus group became one of the first state-backed groups to begin targeting Apple Macs.

SentinelOne has released a set of indicators to help organizations identify malicious Geacon payloads.

