Security news that informs and inspires

MacOS Attackers Likely to Abuse Go-Based Cobalt Strike Variant

By

After spotting an increased number of VirusTotal payloads for the Go-based implementation of the Cobalt Strike beacon, called Geacon, researchers warn that it is likely that threat actors will abuse the tool in order to target macOS devices.

Cobalt Strike is a legitimate adversary simulation tool used by red teams; however, it has also been abused by threat actors to target the Windows platform. The Geacon project, meanwhile, first appeared on GitHub four years ago as a Cobalt Strike alternative for macOS devices.

“We have observed a number of Geacon payloads appearing on VirusTotal in recent months,” said Phil Stokes and Dinesh Devadoss with SentinelLabs on Monday. “While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks.”

After an anonymous developer in October created two Geacon forks, public and private Geacon projects were added to the 404 Starlink Project, a public repository of open source red-team and penetration tools that is maintained by the Zhizhi Chuangyu Laboratory in April. That same month, researchers found two Geacon payloads on VirusTotal.

One was an AppleScript app (Xu Yiqing’s Resume_20230320.app) that shows the user a decoy two-page PDF document displaying a resume for an individual named “Xu Yiqing;” in the background, the app is designed to call out a remote command-and-control (C2) and download an unsigned Geacon payload from an IP address in China. According to researchers, this Chinese IP address (47.92.123.17) is associated with other malicious samples targeting Windows machines.

“The application is ad-hoc codesigned and compiled for both Apple silicon and Intel architectures,” said researchers. “Analysis of the run-only script shows that it contains logic to determine the current architecture and download a Geacon payload specifically built for the target device.”

The Geacon binary has a number of capabilities, including encryption and decryption, network communications, and the abilities to download further payloads and exfiltrate data.

The second Geacon payload was discovered embedded in a trojan that was disguised as the SecureLink enterprise remote support application. According to researchers, the Info.plist for the app shows that it targets macOS OS X Mavericks (version 10.9) and onwards. The app requires the user to grant access to the device’s camera, microphone and administrator privileges, and data like contacts, photos and reminders. The C2 for this sample is a Japanese IP address that researchers linked to a Cobalt Strike server on VirusTotal.

“We have no indication that this sample is operationally connected to the Xu Yiqing resume.app, but this is not the first time we have seen a trojan masquerading as SecureLink with an embedded open-source attack framework: a Sliver implant was being distributed as a fake SecureLink app in September of 2022, a reminder to all that enterprise Macs are now being widely targeted by a variety of threat actors,” said researchers.

Geacon joins a number of tools that are both utilized for legitimate purposes by red teams and abused for malicious uses by threat actors. In 2021, researchers found the red-team tool Sliver being used in campaigns by the TA551 cybercrime group. The popularity of tools like Cobalt Strike shows the demand for these types of frameworks, which have capabilities and operationalized C2 infrastructure that reduce the legwork needed by adversaries to launch attacks.

SentinelLabs researchers said that the uptick in Geacon samples since April shows that security teams should be paying close attention to the tool and making sure that they have the correct security measures in place.

“Enterprise security teams can make good use of attack simulation tools like Cobalt Strike and its macOS Go adaptation, Geacon,” said researchers. “It is quite likely that some of the activity we are observing around this tool is legitimate red team use, but it is also likely that genuine threat actors will make use of the public and possibly even the private forks of Geacon now available to them.”