Open-source Cobalt Strike Port 'Geacon' Used in macOS Attacks

Cyber Security Threat Summary:
“Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks” (Bleeping Computer, 2023).

Cobalt Strike has been one of the most popular tools to compromise Windows systems for many years. As security practitioners make continuous efforts to defend against Cobalt Strike, many cybercriminals have turned to similar products like Brute Ratel and Sliver. Security researchers at SentinelOne monitoring Geacon activity in the wild have noticed an increased number of payloads on VirusTotal lately. Although some of them showed signs of being part of a red team operation, others had the traits of malicious attacks.

Security Officer Comments:
The open-source project Geacon appeared on GitHub and looked to be a powerful alternative to Cobalt Strike that could also run on macOS devices. In April of 2023, SentinelOne reported that two Chinese developers had published two Geacon forks: Geacon Plus, which is free and publicly available, and Geacon Pro, which is private and paid. Today, the Geacon fork has been added to the ‘404 Starlink project,’ a public GitHub repository dedicated to red-team pen-testing tools maintained by the Zhizhi Chuangyu Laboratory since 2020. This inclusion helped increase the popularity of the Geacon fork and seems to have drawn the attention of ill-intended users.

SentinelOne found two cases of malicious Geacon deployment in two VirusTotal submissions that occurred on April 5 and April 11. “The first one is an AppleScript applet file named "Xu Yiqing’s Resume_20230320[.]app," which is designed to confirm that it runs on a macOS system before fetching one unsigned ‘Geacon Plus’ payload from a command and control (C2) server with a Chinese IP address. The researchers note that the particular C2 address (47[.]92[.]123[.]17) has been previously associated with Cobalt Strike attacks on Windows machines.”

Geacon is fairly sophisticated, supporting network communications as well as data encryption and decryption. Most notably, it can be used to download additional payloads and to exfiltrate data from a compromised system.

In the campaign seen by SentinelOne, various payloads masquerading as SecureLink, an application used for remote support, actually carried a copy of Geacon Pro. In this case, the binary only targets Intel-based Mac systems running OS X 10.9 (Mavericks) or later.

“Upon launch, the app requests access to the computer’s camera, microphone, contacts, photos, reminders, and even administrator privileges, which are normally protected by Apple’s Transparency, Consent, and Control (TCC) privacy framework” (Bleeping Computer, 2023). These requests may seem risky to users, but because the application being impersonated would plausibly need such permissions, users are more likely to agree to them.

Suggested Correction(s):
SentinelOne says there are plenty of legitimate red team operations using the open-source tool, but they believe more adversaries will begin making additional private forks of Geacon to use in targeted attacks. Supporting this conclusion is the increased number of Geacon samples seen over the past few months, which security teams should answer by implementing adequate defenses.

SentinelOne has provided a list of indicators of compromise (IoCs) that companies can use to create proper protections against the Geacon threat.
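As an added defender-side example (not code from the bulletin or from SentinelOne), the Python below triages a suspicious .app bundle's Info.plist for the TCC usage-description keys behind the permission prompts described above, and matches a defanged C2 indicator like the one quoted earlier against proxy log lines without confusing it with a longer address. The sample plist, the log lines, and the 'applet' executable-name heuristic are constructed assumptions.

```python
import plistlib
import re

# Constructed Info.plist for an AppleScript applet that declares the TCC-protected
# resources named in the bulletin (camera, microphone, contacts, photos, reminders).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleExecutable</key><string>applet</string>
<key>CFBundleIdentifier</key><string>com.example.resume</string>
<key>NSCameraUsageDescription</key><string>required</string>
<key>NSMicrophoneUsageDescription</key><string>required</string>
<key>NSContactsUsageDescription</key><string>required</string>
<key>NSPhotoLibraryUsageDescription</key><string>required</string>
<key>NSRemindersUsageDescription</key><string>required</string>
</dict></plist>"""

# Real Info.plist keys an app must declare before TCC will prompt for each resource.
TCC_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
    "NSPhotoLibraryUsageDescription": "photos",
    "NSRemindersUsageDescription": "reminders",
}

# Constructed proxy log: only the second line reaches the C2 address from the bulletin;
# the third is a decoy that merely contains that address as a substring.
SAMPLE_LOG = """2023-04-05T10:00:01Z host1 CONNECT 93.184.216.34:443
2023-04-05T10:00:07Z host1 CONNECT 47.92.123.17:443
2023-04-05T10:00:09Z host1 CONNECT 147.92.123.170:443"""

def tcc_requests(info_plist):
    """Sorted list of TCC resources a bundle declares in its Info.plist bytes."""
    info = plistlib.loads(info_plist)
    return sorted(name for key, name in TCC_KEYS.items() if key in info)

def is_applescript_applet(info_plist):
    """Heuristic (assumption): Script Editor applets use 'applet' as their executable name."""
    return plistlib.loads(info_plist).get("CFBundleExecutable") == "applet"

def refang(ioc):
    """Turn a defanged indicator such as 47[.]92[.]123[.]17 into a matchable address."""
    return ioc.replace("[.]", ".")

def c2_hits(log_text, defanged_ioc):
    """Log lines containing the indicator as a whole address, not as part of a longer one."""
    pat = re.compile(r"(?<![\d.])" + re.escape(refang(defanged_ioc)) + r"(?![\d.])")
    return [line for line in log_text.splitlines() if pat.search(line)]
```

Run `tcc_requests` against the Info.plist of any bundle under review and `c2_hits` over exported proxy or firewall logs with each defanged indicator from the SentinelOne IoC list.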

Link(s):
https://www.bleepingcomputer.com/
https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/