Hackers Use the Golang Variant of Cobalt Strike to Target Apple macOS Systems

May 16, 2023 | Ravie Lakshmanan | Endpoint Security / Cyber Threats

A Golang implementation of Cobalt Strike called Geacon is likely to catch the attention of threat actors looking to target Apple macOS systems.

This finding comes from SentinelOne, which observed an increasing number of Geacon payloads appearing on VirusTotal in recent months.

“While some of these are likely red team operatives, others have the characteristics of a true rogue attack,” security researchers Phil Stokes and Dinesh Devadoss said in a report.

Cobalt Strike is a well-known red team and adversary simulation tool developed by Fortra. Because of its many post-exploitation capabilities, cracked versions of the software have been abused by threat actors for years.

Post-exploitation activity associated with Cobalt Strike has mainly targeted Windows; such attacks against macOS are rare.


In May 2022, software supply chain company Sonatype disclosed details of a malicious Python package called “pymafka” designed to drop the Cobalt Strike Beacon onto compromised Windows, macOS, and Linux hosts.

However, that might change with the appearance of Geacon artifacts in the wild. Geacon is a Go variant of Cobalt Strike that has been available on GitHub since February 2020.

Further analysis of two new VirusTotal samples uploaded in April 2023 has traced their origins to two Geacon variants (geacon_plus and geacon_pro) developed in late October by two anonymous Chinese developers, z3ratu1 and H4de5.

The geacon_pro project is no longer accessible on GitHub, but an Internet Archive snapshot taken on March 6, 2023 reveals its ability to bypass antivirus engines such as Microsoft Defender, Kaspersky, and Qihoo 360's 360 Core Crystal.


H4de5, the developer behind geacon_pro, claims that the tool is primarily designed to support Cobalt Strike version 4.1 and above, whereas geacon_plus supports Cobalt Strike version 4.0. The current version of the software is 4.8. One of the artifacts found by SentinelOne, Xu Yiqing, uses a run-only AppleScript to reach a remote server and download the Geacon payload. It is compatible with both Apple silicon and Intel architectures.

“The unsigned Geacon payload is retrieved from an IP address in China,” the researchers said. “Before starting the beaconing activity, users are provided with a two-page feed document embedded in the Geacon binary. The PDF, once opened, displayed a resume for someone named ‘Xu Yiqing.’”

The Geacon binary, compiled from the geacon_plus source code, packs a range of functionality that allows it to download next-stage payloads and exfiltrate data, as well as facilitate network communications.


The second sample, according to the cybersecurity firm, is embedded inside a trojanized app that masquerades as the SecureLink remote support app and mainly targets Intel devices.

The bare-bones, unsigned app asks the user for permission to access contacts, photos, reminders, and the device’s camera and microphone. Its main component is a Geacon payload built from the geacon_pro project that connects to known command-and-control (C2) servers in Japan.

The developments come as the macOS ecosystem is being targeted by various threat actors, including state-sponsored groups, to deploy backdoors and information stealers.

“The increase in Geacon samples over the last few months shows that security teams need to pay close attention to these tools and ensure that they have protection,” the researchers concluded.
