Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is increasingly being used to target macOS devices.
Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.
In the case of Cobalt Strike, threat actors have been abusing it to compromise Windows systems for years, with the infosec industry making a continuous effort to fight it.
Security researchers at SentinelOne monitoring Geacon activity in the wild have recently noticed an increased number of Geacon payloads submitted to VirusTotal. Although some of them showed signs of being part of a red team operation, others had the traits of malicious attacks.
Fork development and availability
When Geacon first appeared on GitHub as a promising port for Cobalt Strike that could work on macOS, hackers appeared to pay little attention to it.
However, SentinelOne reports that this changed in April, after anonymous Chinese developers published two Geacon forks on GitHub: Geacon Plus, which is free and publicly available, and Geacon Pro, a private, paid version.
Historical data from VirusTotal indicates that Mach-O payloads for the free variant of the fork have been under development since November 2022.
Today, the Geacon fork has been added to the ‘404 Starlink project,’ a public GitHub repository dedicated to red-team pen-testing tools maintained by the Zhizhi Chuangyu Laboratory since 2020.
This inclusion helped increase the popularity of the Geacon fork and seems to have drawn the attention of ill-intended users.
Deployment in the wild
SentinelOne found two cases of malicious Geacon deployment in VirusTotal submissions made on April 5 and April 11.
The first one is an AppleScript applet file named "Xu Yiqing’s Resume_20230320.app," which is designed to confirm that it runs on a macOS system before fetching an unsigned ‘Geacon Plus’ payload from a command and control (C2) server with a Chinese IP address.
The researchers note that the particular C2 address (47.92.123.17) has been previously associated with Cobalt Strike attacks on Windows machines.
Before initiating its "beaconing activity," the payload displays a decoy PDF file to the victim - a resume for an individual named Xu Yiqing.
The Geacon payload supports network communications and data encryption and decryption, and it can download additional payloads and exfiltrate data from the compromised system.
The second sample, SecureLink.app (with its SecureLink_Client binary), is a trojanized version of the SecureLink application used for secure remote support that carries a copy of ‘Geacon Pro.’
In this case, the binary only targets Intel-based Mac systems running OS X 10.9 (Mavericks) or later.
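Triage of a Mach-O sample for the properties noted above (which CPU slices it contains, the minimum macOS version it declares, and whether it carries the markers of a Go build) can be scripted. The following is an added example, not code from the original article or from SentinelOne's report; it parses thin and universal (fat) Mach-O headers using the constants from Apple's loader.h/fat.h, and it runs against constructed headers rather than a real sample. The Go check is a heuristic on strings the Go linker leaves behind, not proof of provenance.

```python
import struct

# Mach-O constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit thin Mach-O, little-endian on x86_64/arm64
FAT_MAGIC = 0xCAFEBABE            # universal (fat) container, big-endian header
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_VERSION_MIN_MACOSX = 0x24      # older minimum-OS load command: version, sdk
LC_BUILD_VERSION = 0x32           # newer one: platform, minos, sdk, ntools
PLATFORM_MACOS = 1
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Markers the Go linker leaves in binaries it produces (heuristic, not proof).
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:")


def _decode_version(packed):
    """Apple packs X.Y.Z as 0xXXXXYYZZ."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def _thin_info(data):
    """Parse one 64-bit Mach-O: its CPU type and the minimum macOS it declares."""
    magic, cputype, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    min_os = None
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_VERSION_MIN_MACOSX:
            min_os = _decode_version(struct.unpack_from("<I", data, off + 8)[0])
        elif cmd == LC_BUILD_VERSION:
            platform, minos = struct.unpack_from("<2I", data, off + 8)
            if platform == PLATFORM_MACOS:
                min_os = _decode_version(minos)
        off += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)), "min_macos": min_os}


def triage_macho(data):
    """Return the slices of a thin or fat Mach-O plus two quick verdicts."""
    slices = []
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(_thin_info(data[offset:offset + size]))
    else:
        slices.append(_thin_info(data))
    return {
        "slices": slices,
        "intel_only": all(s["arch"] == "x86_64" for s in slices),
        "looks_like_go": any(m in data for m in GO_MARKERS),
    }


def build_thin(cputype, go=True, new_style=False):
    """Constructed, not a real sample: header + one min-OS load command (10.9.0) + padding."""
    if new_style:
        lc = struct.pack("<6I", LC_BUILD_VERSION, 24, PLATFORM_MACOS, 0x000A0900, 0x000B0000, 0)
    else:
        lc = struct.pack("<4I", LC_VERSION_MIN_MACOSX, 16, 0x000A0900, 0x000A0900)
    hdr = struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 1, len(lc), 0, 0)  # filetype 2 = MH_EXECUTE
    tail = b"\xff Go buildinf:" + b"\x00" * 16 if go else b"\x00" * 32
    return hdr + lc + tail


def build_universal(*cputypes):
    """Constructed fat container; real ones page-align slices, which the parser does not require."""
    thins = [build_thin(c) for c in cputypes]
    off = 8 + 20 * len(thins)
    out = struct.pack(">2I", FAT_MAGIC, len(thins))
    for c, t in zip(cputypes, thins):
        out += struct.pack(">5I", c, 0, off, len(t), 0)
        off += len(t)
    return out + b"".join(thins)


if __name__ == "__main__":
    print(triage_macho(build_thin(CPU_TYPE_X86_64)))
    print(triage_macho(build_universal(CPU_TYPE_X86_64, CPU_TYPE_ARM64)))
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_macho`; an Intel-only result on a machine fleet that is mostly Apple silicon is itself a useful hunting signal, since such a binary will run only under Rosetta.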
Upon launch, the app requests access to the computer’s camera, microphone, contacts, photos, and reminders, all of which are gated by Apple’s Transparency, Consent, and Control (TCC) privacy framework, and it even asks for administrator privileges.
Although these are highly sensitive permissions, a remote-support tool is exactly the kind of application a user would expect to ask for them, which makes the request look less suspicious and more likely to be granted.
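Because TCC records every grant in a per-user SQLite database, a defender can audit which clients currently hold the combination of permissions described above. The following is an added example, not part of the original article or of SentinelOne's report. It assumes the modern TCC schema (macOS 11 and later), in which the `access` table has `service`, `client` and `auth_value` columns and `auth_value` 2 means allowed; the bundle identifiers in the in-memory stand-in database are constructed, and reading the real user database requires Full Disk Access.

```python
import os
import sqlite3

# TCC service identifiers for the categories the trojanized app asks for.
SENSITIVE_SERVICES = {
    "kTCCServiceCamera": "camera",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceAddressBook": "contacts",
    "kTCCServicePhotos": "photos",
    "kTCCServiceReminders": "reminders",
}
# Assumption: modern TCC schema (macOS 11+), where access.auth_value 2 means "allowed".
AUTH_ALLOWED = 2

USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")


def open_tcc(path=USER_TCC_DB):
    """Open a TCC database read-only (the user db is readable only with Full Disk Access)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def grants_by_client(conn):
    """Map each client (bundle id or executable path) to the sensitive services it is allowed."""
    grants = {}
    for service, client, auth in conn.execute("SELECT service, client, auth_value FROM access"):
        if service in SENSITIVE_SERVICES and auth == AUTH_ALLOWED:
            grants.setdefault(client, set()).add(SENSITIVE_SERVICES[service])
    return grants


def suspicious_clients(conn, threshold=3):
    """Clients holding at least `threshold` of the sensitive grants; review these by hand."""
    return {c: sorted(s) for c, s in grants_by_client(conn).items() if len(s) >= threshold}


def constructed_db():
    """Constructed in-memory stand-in for TCC.db with only the columns the queries use."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        # A video-call app with the two grants one would expect (hypothetical bundle id).
        ("kTCCServiceCamera", "com.example.videochat", 0, 2),
        ("kTCCServiceMicrophone", "com.example.videochat", 0, 2),
        ("kTCCServicePhotos", "com.example.videochat", 0, 0),        # asked, user denied
        # A "remote support" app that collected every category (hypothetical bundle id).
        ("kTCCServiceCamera", "com.example.remotesupport", 0, 2),
        ("kTCCServiceMicrophone", "com.example.remotesupport", 0, 2),
        ("kTCCServiceAddressBook", "com.example.remotesupport", 0, 2),
        ("kTCCServicePhotos", "com.example.remotesupport", 0, 2),
        ("kTCCServiceReminders", "com.example.remotesupport", 0, 2),
        # An unrelated grant that is not in the sensitive set.
        ("kTCCServiceAccessibility", "com.example.windowmanager", 0, 2),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = open_tcc() if os.path.exists(USER_TCC_DB) else constructed_db()
    for client, services in suspicious_clients(conn).items():
        print(f"{client}: {', '.join(services)}")
```

On macOS 10.15 and earlier the column is named `allowed` rather than `auth_value`, so the query needs adjusting there; `tccutil reset` can be used to revoke grants that turn out to be unwanted.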
Here, the C2 server IP address (13.230.229.15) that Geacon communicates with is based in Japan, and VirusTotal has connected it to past Cobalt Strike operations.
While SentinelOne agrees that some of the observed Geacon activity is likely linked to legitimate red team operations, there is a good chance that real adversaries "will make use of the public and possibly even the private forks of Geacon."
Supporting this conclusion is the increased number of Geacon samples seen over the past few months, and security teams should respond by implementing adequate defenses.
SentinelOne has provided a list of indicators of compromise (IoCs) that companies can use to create proper protections against the Geacon threat.
Comments
LIstrong - 1 year ago
Encryption is considered a weapon by our Gov and CS isn’t. How does that make sense? Locksmiths are licensed by most states, yet pen-testers aren’t. Shouldn’t CISA own licensing so they can control and approve who red team tools are being sold to? Shouldn’t this be something they closely surveil?
It is insane that this is happening out in the open and no one is doing anything. If Microsoft’s AI works so great, why aren’t they catching and blocking this? This should never be in GitHub.
Perhaps CISA also needs to have a bug bounty clearinghouse program and ban private companies from having bug bounty programs. This will solve the cyber staff shortage too. Because if white hats cannot be self employed they’ll get real jobs.
There are new SEC cyber audit and disclosure laws beginning Q3 where risks, GRC staff/vendor qualifications and unauthorized access will be publicly disclosed. So we need a solution NOW. Because this new law will just create more vulnerabilities if even more pen tools go into the wrong hands. So many malicious vendors/persons out there presently with keys to the kingdom. This new SEC law can help stop ransomware, only if red team tools are not part of the equation.
Focusing on phishing tests and pen testing is ludicrous. Neither is the solution. They are the problem. Address root cause instead. Phishing needs to be solved by least privilege access to external email. Less than 10% of employees in most companies need to communicate externally. Revoke external email access, problem solved. Why would anyone think it’s acceptable to leave security up to a users best judgment? If you want to get attacked, that would be the way to go.
Cannot wait to see all of the cyber vulnerability metrics compiled next year. In its aggregate, it’s going to make everyone’s head explode.
alex2012 - 1 year ago
Regulating red team tools would benefit no one. Do you think any other country would care about CISA? And banning private companies from having bug bounty programs? What are you even on about? How could you even begin to think this would benefit anyone but a hacker?