Threat actors looking to target Apple macOS systems are turning their attention to Geacon, a Golang implementation of the popular red teaming tool Cobalt Strike.
Security researchers at SentinelOne have observed an increase in Geacon payloads appearing on VirusTotal, with some showing characteristics of genuine malicious attacks. While Cobalt Strike has predominantly targeted Windows systems, Geacon’s emergence poses a new risk to macOS.
Geacon, a Go variant of Cobalt Strike, has been available on GitHub since February 2020. Analysis of two recent VirusTotal samples traced them back to Geacon variants developed by anonymous Chinese developers. Geacon Plus and Geacon Pro were created to support different versions of CobaltStrike. Geacon Pro, no longer accessible on GitHub, boasted the ability to bypass antivirus engines.
SentinelOne discovered artifacts related to Geacon, including a sample called “Xu Yiqing’s Resume_20230320.app.” This app uses a run-only AppleScript to download a Geacon payload from a Chinese IP address.
Before initiating its malicious activities, the user is presented with a decoy document embedded in the Geacon binary. The Geacon binary performs functions such as downloading payloads, exfiltrating data, and facilitating network communications.
Another Geacon sample masquerades as the SecureLink remote support app and primarily targets Intel devices. This trojanized app requests access to various permissions, including contacts, photos, and device components like the camera and microphone.
It contains a Geacon payload that connects to a command-and-control server in Japan.
The increase in Geacon samples highlights the need for security teams to pay attention to this tool and implement adequate protections, as the macOS ecosystem faces growing threats from various actors seeking to deploy backdoors and information stealers.
