Hackers Enhance Cobalt Strike Capabilities for Targeting macOS Users

A Cobalt Strike implementation written in Go, called Geacon, has attracted the attention of threat actors, who are now using it against macOS systems. Geacon is a port of Cobalt Strike, the well-known red teaming and adversary simulation tool now owned by Fortra, which threat actors have misused for years through cracked copies of the software. Cobalt Strike is overwhelmingly used for Windows post-exploitation, and attacks against macOS with it have been rare. Geacon first surfaced on GitHub as a promising Cobalt Strike port but drew little attention from attackers until two forks, Geacon Plus (free and publicly available) and Geacon Pro (private and paid), were published on GitHub by unidentified Chinese developers.

According to SentinelOne, which recently observed a rise in Geacon payloads submitted to VirusTotal, the Geacon fork was also added to the 404 Starlink project, a public GitHub repository of red-team penetration-testing tools. That addition may have contributed to the fork's rise in popularity and attracted users with malicious intent.

SentinelOne identified two Geacon deployments among VirusTotal submissions on April 5 and April 11. The first is an AppleScript applet that checks whether the macOS system is supported before downloading an unsigned Geacon Plus payload from a command-and-control server with a Chinese IP address; the applet then shows the user a two-page decoy document while the downloaded payload is launched. The second is a trojanized build of the SecureLink remote-support application that carries a copy of Geacon Pro.
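The first sample described above fetches an unsigned Geacon Plus binary, and Geacon itself is built with the Go toolchain. Two cheap static checks an analyst can run on a submission without a Mac are whether the Mach-O image carries an LC_CODE_SIGNATURE load command at all and whether it carries the strings the Go linker embeds. The following is an added example, not code from SentinelOne, Fortra or the Geacon project: the Mach-O images it parses are constructed in-line for demonstration, and the Go-marker strings are a heuristic (a stripped or packed sample may not show them). Absence of LC_CODE_SIGNATURE means the file is unsigned; presence only means a signature blob exists, it does not validate it.

```python
"""Offline triage of Mach-O files: Go-built? carries a code-signature load command?

Added example with constructed sample images; not a Geacon sample and not
project code. Layouts follow <mach-o/loader.h> and <mach-o/fat.h>.
"""
import struct

MH_MAGIC_64 = b"\xcf\xfa\xed\xfe"   # 0xfeedfacf as stored little-endian on disk
FAT_MAGIC = b"\xca\xfe\xba\xbe"     # 0xcafebabe, fat headers are big-endian
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
# Strings the Go linker leaves in binaries it produces. Assumption: a stripped
# or packed sample may hide them, so their absence does not prove "not Go".
GO_MARKERS = (b"Go build ID:", b"Go buildinf:")


def load_commands(blob: bytes) -> list[int]:
    """Return the cmd values of a thin 64-bit Mach-O image, checking bounds."""
    if blob[:4] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O image")
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds,
    # flags, reserved -> 32 bytes; ncmds and sizeofcmds sit at offset 16.
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)
    off, end, cmds = 32, 32 + sizeofcmds, []
    for _ in range(ncmds):
        if off + 8 > len(blob):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        cmds.append(cmd)
        off += cmdsize
    return cmds


def triage_thin(blob: bytes) -> dict:
    """Classify one thin image by signature presence and Go markers."""
    cmds = load_commands(blob)
    signed = LC_CODE_SIGNATURE in cmds
    go_built = any(marker in blob for marker in GO_MARKERS)
    if go_built and not signed:
        verdict = "review: unsigned Go-built Mach-O"
    elif not signed:
        verdict = "review: unsigned Mach-O"
    else:
        verdict = "has signature blob (validate with codesign -v on a Mac)"
    return {"signed": signed, "go_built": go_built, "verdict": verdict}


def triage(blob: bytes) -> list[dict]:
    """Universal (fat) binaries get one result per architecture slice."""
    if blob[:4] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        results = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _, _, offset, size, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
            if offset + size > len(blob):
                raise ValueError("fat slice out of bounds")
            results.append(triage_thin(blob[offset:offset + size]))
        return results
    return [triage_thin(blob)]


def build_sample(signed: bool, go_marker: bool) -> bytes:
    """Constructed minimal Mach-O 64 image (not a runnable program)."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16          # uuid_command
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # linkedit_data_command
    ncmds = 2 if signed else 1
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = MH_MAGIC_64 + struct.pack("<IIIIIII", 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    body = b"\x00" * 64 + (b'Go build ID: "demo"\n' if go_marker else b"")
    return header + cmds + body


def build_fat(slices: list[bytes]) -> bytes:
    """Constructed universal binary wrapping the given thin images."""
    header = FAT_MAGIC + struct.pack(">I", len(slices))
    table, data, offset = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        table += struct.pack(">5I", 0x0100000C, 0, offset, len(s), 0)
        data += s
        offset += len(s)
    return header + table + data


if __name__ == "__main__":
    for label, sample in [("unsigned Go", build_sample(False, True)),
                          ("signed non-Go", build_sample(True, False)),
                          ("fat", build_fat([build_sample(False, True), build_sample(True, False)]))]:
        print(label, triage(sample))
```

The heuristic is deliberately one-sided: an unsigned Go Mach-O on a fleet that ships only signed, notarized software is worth a look, while a present signature blob says nothing about whether it verifies or whom it chains to. On the Mac itself, `codesign -dv --verbose=4` and `spctl --assess` give the authoritative answer.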

While some of the activity around Geacon may be legitimate red team use, the researchers warn that genuine threat actors can just as easily pick up the public and private forks now available to them. They advise enterprise security teams to use attack simulation tools such as Cobalt Strike and Geacon to test and improve their security posture. The practical corollary is that a Geacon or Cobalt Strike beacon on a macOS host should be treated as an intrusion unless it can be tied to an authorized engagement with known infrastructure.

In summary, Geacon, a Go port of Cobalt Strike, has caught the attention of threat actors looking to target macOS systems, and SentinelOne expects the trend to continue as the tool gains popularity. Enterprises are advised to test their defenses against it with the same attack simulation tools and to make sure their macOS endpoint detection covers Cobalt Strike-style beacons.
