Attackers Target macOS With 'Geacon' Cobalt Strike Tool

Threat actors seen using Go-language implementation of the red-teaming tool on Intel and Apple silicon-based macOS systems.

4 Min Read
woman standing and holding an Apple MacBook Pro laptop computer
Source: Farknot Architect via Shutterstock

Heads up: threat actors are now deploying a Go-language implementation of Cobalt Strike called Geacon that first surfaced on GitHub four years ago and had remained largely under the radar.

They are using the red-teaming and attack-simulation tool to target macOS systems in much the same way they have used Cobalt Strike for post-exploit activity on Windows platforms the past few years.

Security researchers at SentinelOne reported the activity this week after spotting several Geacon payloads appearing on VirusTotal in recent months. SentinelOne's analysis of the samples showed some were likely related to legitimate enterprise red-team exercises, while others appeared to be artifacts of malicious activity.

One malicious sample submitted to VirusTotal on April 5 is an AppleScript applet titled "Xu Yiqing's Resume_20230320.app" that downloads an unsigned Geacon payload from a malicious server with a China-based IP address.

SentinelOne found the application is compiled for macOS systems running on either Apple or Intel silicon. The applet contains logic that helps it determine the architecture of a particular macOS system so it can download the specific Geacon payload for that device. The compiled Geacon binary itself contains an embedded PDF that first displays a resume for an individual named Xu Yiqing before beaconing out to its command and control (C2) server.

"The compiled Geacon binary has a multitude of functions for tasks such as network communications, encryption, decryption, downloading further payloads, and exfiltrating data," SentinelOne said.

In another instance, SentinelOne discovered a Geacon payload embedded in a fake version of the SecureLink enterprise remote-support application. The payload appeared in VirusTotal on April 11 and targeted only Intel-based macOS systems. Unlike the previous Geacon sample, SentinelOne found the second one to be a bare-bones, unsigned application likely built with an automated tool. The app required the user to grant access to the device camera, microphone, administrator privileges, and other settings typically protected under macOS's Transparency, Consent, and Control framework. In this instance, the Geacon payload communicated with a known Cobalt Strike C2 server with an IP address based in Japan.

"This is not the first time we have seen a Trojan masquerading as SecureLink with an embedded open-source attack framework," SentinelOne said. The security vendor pointed to its discovery last September of an open-source attack framework for macOS called Sliver embedded with a fake SecureLink as another example. "[Its] a reminder to all that enterprise Macs are now being widely targeted by a variety of threat actors," SentinelOne said.

Sudden Interest

Attackers have long used Cobalt Strike for a variety of malicious post-exploit activities on Windows systems including for establishing command-and-control, lateral movement, payload generation, and exploit delivery. There have been instances where attackers have occasionally used Cobalt Strike to target macOS as well. One example is a typosquatting attack last year where a threat actor attempted to deploy Cobalt Strike on Windows, Linux, and macOS systems by uploading a malicious package dubbed "pymafka" to the PyPI register.

In other instances, attackers have also used a macOS focused red-teaming tool called Mythic as part of their attack chains.

The activity involving Geacon itself started shortly after an anonymous Chinese researcher using the handle "z3ratu1" released two Geacon forks last October — one private and likely for sale called "geacon_pro" and the other public, called geacon-plus. The pro version includes some additional features like anti-virus bypassing and anti-kill capabilities, says Tom Hegel, senior threat researcher at SentinelOne.

He ascribes the sudden attacker interest in Geacon to a blog that z3ratu1 posted describing the two forks and his attempts to market his work. The original Geacon project itself was largely for protocol analysis and reverse engineering purposes, he says.

Mac Attacks

The growing malicious use of Geacon fits in with a broader pattern of growing attacker interest in macOS systems.

Earlier this year, researchers at Uptycs reported on a novel new Mac malware sample dubbed "MacStealer" that, in keeping with its name, stole documents, iCloud keychain data, browser cookies, and other data from Apple users. In April, the operators of "Lockbit " became the first major ransomware actor to develop a Mac version of their malware, setting the stage for others to follow. And last year, North Korea's notorious Lazarus Group become among the first known state-backed groups to begin targeting Apple Macs.

SentinelOne has released a set of indicators to help organizations identify malicious Geacon payloads.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights