
MacOS Under Attack by Cybercriminals Using ‘Geacon’ Cobalt Strike Tool


Threat actors have begun deploying Geacon, a Go-language implementation of the Cobalt Strike beacon that surfaced on GitHub four years ago and has remained largely under the radar since. They are using the red-teaming and attack-simulation tool against macOS systems in much the same way Cobalt Strike has been used for post-exploitation activity on Windows in recent years. Security researchers at SentinelOne first reported the activity after spotting several Geacon payloads on VirusTotal in recent months. SentinelOne's analysis of the samples showed that some were likely related to legitimate enterprise red-team exercises, while others appeared to be artifacts of malicious activity.

One malicious sample, submitted to VirusTotal on April 5, is an AppleScript applet titled "Xu Yiqing's Resume_20230320.app" that downloads an unsigned Geacon payload from a malicious server at a China-based IP address. SentinelOne found that the application is compiled for Macs running on either Apple silicon or Intel processors: the applet contains logic that determines the architecture of the host it is running on and then downloads the Geacon payload built for that architecture. The Geacon binary itself contains an embedded PDF; it first displays a resume for an individual named Xu Yiqing as a decoy and then beacons out to its command-and-control (C2) server.

A second Geacon payload was found embedded in a trojanized copy of the SecureLink enterprise remote-support application. It appeared on VirusTotal on April 11 and was built only for Intel-based Macs. Unlike the first sample, SentinelOne found this one to be a bare-bones, unsigned application, likely produced with an automated build tool. On launch, the app asks the user to grant access to the camera, microphone, administrator privileges, and other resources normally gated by macOS's Transparency, Consent, and Control (TCC) framework. In this instance, the Geacon payload communicated with a known Cobalt Strike C2 server at an IP address in Japan.

The growing malicious use of Geacon fits a broader pattern of rising attacker interest in macOS. Earlier this year, researchers at Uptycs reported on a new Mac malware family dubbed "MacStealer," which stole documents, iCloud Keychain data, browser cookies, and other data from Apple users. In April, the operators of LockBit became the first major ransomware group to develop a Mac version of their malware, setting the stage for others to follow. Last year, North Korea's Lazarus Group became one of the first known state-backed groups to begin targeting Apple Macs.

Geacon in particular has caught attackers' attention after the developer z3ratu1 published a blog post describing two forks of the original project and promoting his work, according to Tom Hegel, senior threat researcher at SentinelOne. The original Geacon project itself was intended largely for protocol analysis and reverse-engineering purposes.

SentinelOne has published indicators of compromise for the malicious Geacon payloads it analyzed. Beyond those indicators, the samples share traits that defenders can hunt for: unsigned, bare-bones applications; AppleScript applets that fingerprint the host architecture and then fetch a second-stage binary from a remote server; and applications that request camera, microphone, or administrator access on first launch. As attacker interest in macOS grows, organizations and individuals should keep their operating systems patched and run endpoint security software that covers Macs, not just Windows hosts.
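The traits described above (a universal versus Intel-only build, an unsigned binary, an embedded PDF decoy, and an Info.plist that asks for camera or microphone access) can all be checked offline from raw bytes. The following is an added triage script written for this article; it is not SentinelOne's tooling or anything from the Geacon project. It parses the Mach-O fat and 64-bit thin headers by hand, so it runs on any platform, and the two sample binaries it inspects are constructed in the script (a minimal universal unsigned binary carrying a "%PDF-" marker, and a minimal Intel-only binary with a code-signature load command), not real Geacon samples. The threshold used to tell a fat header from a Java class file (which shares the CAFEBABE magic) is an assumption, not a documented format rule.

```python
"""Offline static triage of a suspected macOS dropper or payload.

From raw bytes alone, reports which CPU slices a Mach-O carries (universal
vs. Intel-only), whether each slice has an LC_CODE_SIGNATURE load command,
whether a PDF decoy is embedded, and which TCC usage-description keys an
Info.plist declares. All inputs below are constructed test data.
"""
import struct

FAT_MAGIC = 0xCAFEBABE        # universal ("fat") header, big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O, little-endian on current Macs
LC_CODE_SIGNATURE = 0x1D
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
TCC_KEYS = (b"NSCameraUsageDescription", b"NSMicrophoneUsageDescription",
            b"NSAppleEventsUsageDescription", b"NSSystemAdministrationUsageDescription")


def _thin_slice_info(blob):
    """Parse one 64-bit Mach-O slice -> (cpu name, has LC_CODE_SIGNATURE) or None."""
    if len(blob) < 32:
        return None
    magic, cputype, _sub, _ft, ncmds, _sz, _flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        return None
    off, signed = 32, False
    for _ in range(ncmds):                     # walk the load commands
        if off + 8 > len(blob):
            break
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8:                        # malformed; avoid looping forever
            break
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return CPU_NAMES.get(cputype, hex(cputype)), signed


def macho_slices(blob):
    """Return [(cpu, signed)] for a thin or fat Mach-O; [] if it is neither."""
    if len(blob) < 8:
        return []
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        if nfat > 32:      # assumption: Java .class files put a version >= 45 here
            return []
        out = []
        for i in range(nfat):                  # fat_arch entries are 20 bytes each
            cputype, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            info = _thin_slice_info(blob[offset:offset + size])
            if info:
                out.append(info)
        return out
    info = _thin_slice_info(blob)
    return [info] if info else []


def embedded_pdf_offset(blob):
    """Offset of an embedded PDF decoy (%PDF- header), or -1 if none."""
    return blob.find(b"%PDF-")


def tcc_keys_requested(info_plist):
    """TCC usage-description keys declared in an Info.plist (raw XML bytes)."""
    return [k.decode() for k in TCC_KEYS if k in info_plist]


def triage(blob, info_plist=b""):
    slices = macho_slices(blob)
    return {
        "architectures": [cpu for cpu, _ in slices],
        "universal": len(slices) > 1,
        "unsigned_slices": [cpu for cpu, signed in slices if not signed],
        "embedded_pdf": embedded_pdf_offset(blob) != -1,
        "tcc_keys": tcc_keys_requested(info_plist),
    }


# ---- constructed sample data (minimal headers, not real executables) ----
def _thin(cputype, signed, payload=b""):
    cmds = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    hdr = struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 1 if signed else 0, len(cmds), 0, 0)
    return hdr + cmds + payload


def _fat(slices):
    hdr = struct.pack(">2I", FAT_MAGIC, len(slices))
    base = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        archs += struct.pack(">5I", cputype, 3, base + len(body), len(s), 0)
        body += s
    return hdr + archs + body


# universal, unsigned, with a PDF decoy: the "resume" dropper pattern
SAMPLE_UNIVERSAL = _fat([_thin(0x01000007, False), _thin(0x0100000C, False, b"%PDF-1.4 decoy")])
# Intel-only, carries a signature load command, plist asks for camera and microphone
SAMPLE_INTEL = _thin(0x01000007, True)
SAMPLE_PLIST = (b"<plist><dict><key>NSCameraUsageDescription</key><string>x</string>"
                b"<key>NSMicrophoneUsageDescription</key><string>x</string></dict></plist>")

if __name__ == "__main__":
    print(triage(SAMPLE_UNIVERSAL))
    print(triage(SAMPLE_INTEL, SAMPLE_PLIST))
```

Two caveats when using this on a real Mac. Presence of LC_CODE_SIGNATURE only means some signature blob exists; since Apple silicon builds are ad-hoc signed by the linker, confirm the signing identity with `codesign -dv --verbose=4 <path>` and `spctl -a -v <path>` rather than treating "has a signature" as "trusted". And none of these traits are Geacon-specific; they narrow the hunt, while attribution still rests on SentinelOne's published indicators and the C2 addresses a sample actually contacts.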
