The Apple MacOS Systems Are Being Attacked By Hackers Using Golang Variant Of

Cobalt Strike

The emergence of Geacon, a Golang implementation of Cobalt Strike, is expected to attract the attention
of threat actors targeting Apple macOS systems, according to SentinelOne's findings. The security
researchers at SentinelOne have observed an increase in the number of Geacon payloads appearing on
VirusTotal in recent months, and while some may be part of legitimate red-team operations, others exhibit
characteristics of genuine malicious attacks.

Cobalt Strike, developed by Fortra, is a well-known tool used for red teaming and adversary simulation.
Over the years, cracked versions of the software have been illicitly exploited by threat actors due to its
extensive capabilities. However, it is worth noting that while post-exploitation activities associated with
Cobalt Strike have primarily targeted Windows systems, attacks against macOS are relatively rare.
In May 2022, Sonatype, a software supply chain firm, disclosed information about a malicious Python
package called "pymafka." This package was specifically designed to deploy a Cobalt Strike Beacon on
compromised Windows, macOS, and Linux systems.

However, the introduction of Geacon artifacts in the wild may change the landscape. Geacon is a Go
programming language variant of Cobalt Strike, and it has been available on GitHub since February 2020.
Further analysis of two new samples uploaded to VirusTotal in April 2023 has revealed their association
with Geacon. These samples correspond to two Geacon variants named geacon_plus and geacon_pro,
which were developed in late October by two anonymous Chinese developers known as z3ratu1 and
H4de5.
While the geacon_pro project is no longer accessible on GitHub, an Internet Archive snapshot from
March 6, 2023, reveals its capability to evade detection by antivirus engines such as Microsoft Defender,
Kaspersky, and Qihoo 360 360 Core Crystal.

H4de5, the developer of geacon_pro, has stated that the tool is primarily designed to support CobaltStrike
versions 4.1 and later, while geacon_plus is compatible with CobaltStrike version 4.0. The current version
of CobaltStrike is 4.8.

One of the artifacts discovered by SentinelOne is a file named Xu Yiqing's Resume_20230320.app. It

utilizes a run-only AppleScript to establish a connection with a remote server and download a Geacon
payload. This payload is compatible with both Apple silicon and Intel architectures.
The researchers noted that the unsigned Geacon payload is retrieved from an IP address in China. Before
initiating its beaconing activity, the user is presented with a two-page decoy document embedded in the
Geacon binary. When the payload is executed, a PDF document displaying a resume for an individual
named "Xu Yiqing" is opened.
The Geacon binary, compiled from the geacon_plus source code, contains various functions that enable it
to download subsequent payloads, exfiltrate data, and facilitate network communications.
According to the cybersecurity firm, the second sample is found within a trojanized application that
masquerades as the SecureLink remote support app, specifically targeting Intel devices. This malicious
app, named SecureLink.app, is designed to deceive users.
When users grant permission to the application, it requests access to various sensitive information such as
contacts, photos, and reminders, as well as the device's camera and microphone. The main component of
the application is a Geacon payload derived from the geacon_pro project, which establishes a connection
to a known command-and-control (C2) server located in Japan.

These findings are significant as the macOS ecosystem is currently being targeted by a range of threat
actors, including state-sponsored groups, who aim to deploy backdoors and steal sensitive information.
The increasing presence of Geacon samples in recent months highlights the importance for security teams
to be vigilant and ensure they have proper protections in place against this tool, as noted by the
researchers.