
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.

Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.

In the case of Cobalt Strike, threat actors have been abusing it to compromise Windows systems for years, with the infosec industry making a continuous effort to fight it.

Security researchers at SentinelOne monitoring Geacon activity in the wild have noticed an increased number of payloads on VirusTotal lately. Although some of them showed signs of being part of a red team operation, others had the traits of malicious attacks.

Fork development and availability

When Geacon first appeared on GitHub as a promising port for Cobalt Strike that could work on macOS, hackers appeared to pay little attention to it.

However, SentinelOne reports that this changed in April, after anonymous Chinese developers published on GitHub two Geacon forks: Geacon Plus - free and publicly available, and the private, paid version, Geacon Pro.

Historical data from VirusTotal indicates that Mach-O payloads for the free variant of the fork have been under development since November 2022.

Today, the Geacon fork has been added to the ‘404 Starlink project,’ a public GitHub repository dedicated to red-team pen-testing tools maintained by the Zhizhi Chuangyu Laboratory since 2020.

This inclusion helped increase the popularity of the Geacon fork and seems to have drawn the attention of ill-intended users.

Deployment in the wild

SentinelOne found two malicious Geacon deployments among VirusTotal submissions dated April 5 and April 11.

The first is an AppleScript applet named "Xu Yiqing’s Resume_20230320.app," which confirms that it is running on macOS before fetching an unsigned ‘Geacon Plus’ payload from a command and control (C2) server with a Chinese IP address.

The researchers note that the particular C2 address (47.92.123.17) has been previously associated with Cobalt Strike attacks on Windows machines.

Before initiating its "beaconing activity," the payload displays a decoy PDF file to the victim: a resume for an individual named Xu Yiqing.

Decoy PDF displayed to the victim (SentinelOne)

The Geacon payload supports network communications and data encryption and decryption, can download additional payloads, and can exfiltrate data from the compromised system.

Main functions of the Geacon payload (SentinelOne)

The second sample, SecureLink.app (with its SecureLink_Client binary), is a trojanized version of the SecureLink application used for secure remote support, and it carries a copy of ‘Geacon Pro.’

In this case, the binary targets only Intel-based Macs running OS X 10.9 (Mavericks) or later.

File details (SentinelOne)
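The two facts above (Intel-only, OS X 10.9 or later) come straight from the Mach-O header: the cputype field and the LC_VERSION_MIN_MACOSX or LC_BUILD_VERSION load command. The following parser is an added example written for this page, not SentinelOne's tooling or any code from the Geacon project; the "binaries" it inspects are constructed in memory as stand-ins for the real samples, and the layout constants are the standard Mach-O values from Apple's mach-o headers. It also goes slightly beyond the text by handling universal (fat) binaries, so an analyst can tell an Intel-only build from a universal one.

```python
"""Added example: read a Mach-O's CPU target and minimum macOS version.

Constants are the standard Mach-O values (mach-o/loader.h, mach-o/fat.h).
The sample binaries are constructed in-memory stand-ins, not real payloads.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF            # little-endian 64-bit Mach-O
MH_CIGAM_64 = 0xCFFAEDFE            # byte-swapped 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE              # universal container; its header is big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_VERSION_MIN_MACOSX = 0x24        # older minimum-version load command
LC_BUILD_VERSION = 0x32             # newer one; carries a platform field
PLATFORM_MACOS = 1
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def _version_str(packed):
    """Decode the xxxx.yy.zz packed version used by the version load commands."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def _inspect_thin(data):
    """Parse one 64-bit Mach-O slice: architecture plus declared minimum macOS."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        e = "<"
    elif magic == MH_CIGAM_64:
        e = ">"
    else:
        raise ValueError("not a 64-bit Mach-O slice")
    cputype, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from(e + "7I", data, 4)
    min_macos = None
    off = 32                        # sizeof(mach_header_64); load commands follow
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(e + "2I", data, off)
        if cmd == LC_VERSION_MIN_MACOSX:
            min_macos = _version_str(struct.unpack_from(e + "I", data, off + 8)[0])
        elif cmd == LC_BUILD_VERSION:
            platform, minos = struct.unpack_from(e + "2I", data, off + 8)
            if platform == PLATFORM_MACOS:
                min_macos = _version_str(minos)
        off += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)), "min_macos": min_macos}


def inspect_macho(data):
    """Return one dict per architecture slice; a fat binary yields several."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):          # fat_arch entries are 20 bytes each
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(_inspect_thin(data[offset:offset + size]))
        return slices
    return [_inspect_thin(data)]


def is_intel_only(data):
    """True when every slice is x86_64, i.e. the binary cannot run natively on Apple silicon."""
    return {s["arch"] for s in inspect_macho(data)} == {"x86_64"}


# --- constructed samples (header + one load command, no real code) -------------
def _thin(cputype, load_cmd):
    # magic, cputype, cpusubtype, filetype=MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 1, len(load_cmd), 0, 0) + load_cmd


def _fat(slices):
    body, archs, off = b"", b"", 8 + 20 * len(slices)
    for cputype, data in slices:
        archs += struct.pack(">5I", cputype, 3, off, len(data), 0)
        body += data
        off += len(data)
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + archs + body


_V_10_9 = (10 << 16) | (9 << 8)
_V_10_15 = (10 << 16) | (15 << 8)
_V_11_0 = 11 << 16
SAMPLE_INTEL = _thin(CPU_TYPE_X86_64,
                     struct.pack("<4I", LC_VERSION_MIN_MACOSX, 16, _V_10_9, _V_10_15))
SAMPLE_UNIVERSAL = _fat([
    (CPU_TYPE_X86_64, SAMPLE_INTEL),
    (CPU_TYPE_ARM64, _thin(CPU_TYPE_ARM64,
                           struct.pack("<6I", LC_BUILD_VERSION, 24, PLATFORM_MACOS, _V_11_0, _V_11_0, 0))),
])

if __name__ == "__main__":
    print(inspect_macho(SAMPLE_INTEL), is_intel_only(SAMPLE_INTEL))
    print(inspect_macho(SAMPLE_UNIVERSAL), is_intel_only(SAMPLE_UNIVERSAL))
```

On a real file, pass `open(path, "rb").read()` to `inspect_macho`; an Intel-only build with a very old minimum OS on a 2023 sample is a useful triage signal, and the same fields can be cross-checked with `otool -l` or `vtool`.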

Upon launch, the app requests access to the computer’s camera, microphone, contacts, photos, and reminders, all of which are gated by Apple’s Transparency, Consent, and Control (TCC) privacy framework, and it also asks for administrator privileges.

Although these are extremely risky permissions, a remote support tool can plausibly claim to need them, so the disguise eases the user’s suspicion and tricks them into granting the requests.

Access permission details (SentinelOne)
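An app can only prompt for TCC-protected resources that it declares with the matching usage-description keys in its Info.plist, so the declared keys are a cheap first triage signal for a suspicious bundle. The script below is an added example for this page, not SentinelOne's code or anything from the samples; the Info.plist it parses is a constructed stand-in for a trojanized remote-support client, and the "expected" permission set for such a tool is an analyst assumption, not a published baseline.

```python
"""Added example: audit an app bundle's Info.plist for TCC usage-description keys.

The plist below is constructed for illustration; the key names are Apple's
documented Info.plist usage-description keys.
"""
import plistlib

# Info.plist key -> TCC-protected resource it unlocks a prompt for
TCC_USAGE_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
    "NSPhotoLibraryUsageDescription": "photos",
    "NSRemindersUsageDescription": "reminders",
    "NSCalendarsUsageDescription": "calendars",
    "NSLocationUsageDescription": "location",
    "NSAppleEventsUsageDescription": "automation (Apple Events)",
    "NSDesktopFolderUsageDescription": "Desktop folder",
    "NSDocumentsFolderUsageDescription": "Documents folder",
    "NSDownloadsFolderUsageDescription": "Downloads folder",
}

# Assumption: what a remote-support client might reasonably ask for.
REMOTE_SUPPORT_BASELINE = {"camera", "microphone"}

# Constructed sample Info.plist for a fictitious remote-support bundle.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.remotesupport</string>
    <key>CFBundleExecutable</key>
    <string>SecureLink_Client</string>
    <key>NSCameraUsageDescription</key>
    <string>Needed for video sessions</string>
    <key>NSMicrophoneUsageDescription</key>
    <string>Needed for voice sessions</string>
    <key>NSContactsUsageDescription</key>
    <string>Needed to find your support agent</string>
    <key>NSPhotoLibraryUsageDescription</key>
    <string>Needed to share screenshots</string>
    <key>NSRemindersUsageDescription</key>
    <string>Needed to schedule follow-ups</string>
</dict>
</plist>
"""


def requested_tcc_access(plist_bytes):
    """Resources the bundle declares it may prompt for, sorted by name."""
    info = plistlib.loads(plist_bytes)
    return sorted(TCC_USAGE_KEYS[k] for k in info if k in TCC_USAGE_KEYS)


def unexpected_access(plist_bytes, expected):
    """Declared resources that fall outside the analyst's expected set."""
    return sorted(set(requested_tcc_access(plist_bytes)) - set(expected))


def triage(plist_bytes, expected):
    """One-shot summary suitable for logging during bundle review."""
    info = plistlib.loads(plist_bytes)
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info.get("CFBundleExecutable"),
        "requested": requested_tcc_access(plist_bytes),
        "unexpected": unexpected_access(plist_bytes, expected),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_INFO_PLIST, REMOTE_SUPPORT_BASELINE))
```

On a real system the input is `/Applications/<Name>.app/Contents/Info.plist` (binary plists parse the same way). Declared keys only show what the app can ask for; whether the user actually granted anything lives in the TCC database, which needs Full Disk Access to read, and a declared key is no substitute for checking the code signature with `codesign -dv`.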

In this case, the C2 server IP address (13.230.229.15) that Geacon communicates with is based in Japan and VirusTotal has connected it to past Cobalt Strike operations.

While SentinelOne agrees that some of the observed Geacon activity is likely linked to legitimate red team operations, there is a good chance that real adversaries "will make use of the public and possibly even the private forks of Geacon."

Supporting this conclusion is the increased number of Geacon samples seen over the past few months, which security teams should answer by implementing adequate defenses.

SentinelOne has provided a list of indicators of compromise (IoCs) that companies can use to create proper protections against the Geacon threat.
