Cobalt Strike is a powerful and often misused tool, mainly used for simulating attacks on Windows systems. Cybercriminals, however, are increasingly turning to an open-source implementation of its beacon called Geacon, which can target macOS devices. Geacon has been available on GitHub since February 2020 and is gaining popularity in the cybercrime world.

Increase in Geacon attacks

SentinelOne has observed a recent surge in the number of Geacon payloads submitted to VirusTotal, indicating a rise in its usage. While some of the samples are linked to red-team operations, others appear to be part of malicious attacks in the wild.
  • On April 5, a malicious AppleScript applet named Xu Yiqing’s Resume_20230320.app was uploaded to VirusTotal. When executed, this script reaches out to a remote server and downloads a Geacon payload.
  • The applet determines the architecture of the target system and downloads the matching Geacon payload, one for Apple silicon and one for Intel.

Two new variants

Researchers have identified two new samples of Geacon, called geacon_plus and geacon_pro, that were developed in October 2022 by unknown Chinese developers who go by the monikers z3ratu1 and H4de5.
  • The geacon_plus variant supports CobaltStrike version 4.0, while geacon_pro is designed to support CobaltStrike versions 4.1 and later.
  • Although geacon_pro has been removed from GitHub, an archived snapshot from March 6 shows that this variant has the ability to evade popular anti-virus products like Kaspersky, Qihoo 360, Microsoft Defender, and 360 Core Crystal.

Attack details

One of the Geacon samples was found posing as the remote support app SecureLink and primarily targeting Intel devices.
  • The unsigned application requests access to contacts, reminders, the camera, the microphone, and photos stored on the device.
  • The main component of the Geacon payload connects to a C2 server located in Japan to receive further instructions.
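The two traits called out above, an unsigned bundle and a request for several privacy-protected resources at once, are both visible before the app is run: signing status from the code signature, and the requested resources from the `NS*UsageDescription` keys in the bundle's Info.plist. The following triage script is an added example, not code from the article or from SentinelOne; the two Info.plist documents embedded in it are constructed for the example, and the `is_signed` flag is assumed to be supplied by the caller (on macOS it would come from the exit status of `codesign --verify` on the bundle).

```python
import plistlib

# Apple's Info.plist privacy keys; their presence means the app will prompt for
# access to the corresponding TCC-protected resource.
PRIVACY_KEYS = {
    "NSContactsUsageDescription": "contacts",
    "NSRemindersUsageDescription": "reminders",
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSPhotoLibraryUsageDescription": "photos",
}

# Constructed sample: an app posing as a remote-support tool that asks for all
# five resources, modelled on the behaviour the article describes.
SUSPICIOUS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.remotesupport</string>
    <key>CFBundleExecutable</key>
    <string>SecureLink</string>
    <key>NSContactsUsageDescription</key>
    <string>Needed for support sessions</string>
    <key>NSRemindersUsageDescription</key>
    <string>Needed for support sessions</string>
    <key>NSCameraUsageDescription</key>
    <string>Needed for support sessions</string>
    <key>NSMicrophoneUsageDescription</key>
    <string>Needed for support sessions</string>
    <key>NSPhotoLibraryUsageDescription</key>
    <string>Needed for support sessions</string>
</dict>
</plist>
"""

# Constructed sample: a camera utility that asks only for the camera.
BENIGN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.camerautility</string>
    <key>CFBundleExecutable</key>
    <string>CameraUtility</string>
    <key>NSCameraUsageDescription</key>
    <string>Captures photos</string>
</dict>
</plist>
"""


def requested_privacy_resources(plist_bytes: bytes) -> list:
    """Return the sorted names of TCC-protected resources the bundle declares."""
    info = plistlib.loads(plist_bytes)
    return sorted(name for key, name in PRIVACY_KEYS.items() if key in info)


def triage(plist_bytes: bytes, is_signed: bool, broad_threshold: int = 3) -> dict:
    """Combine signing status and declared privacy access into a triage verdict.

    is_signed is an assumption supplied by the caller; on macOS it would be
    derived from `codesign --verify <bundle>` returning exit status 0.
    """
    info = plistlib.loads(plist_bytes)
    resources = requested_privacy_resources(plist_bytes)
    findings = []
    if not is_signed:
        findings.append("unsigned bundle")
    if len(resources) >= broad_threshold:
        findings.append("broad privacy access requested: " + ", ".join(resources))
    # Unsigned plus broad access is the combination the article describes.
    if not is_signed and len(resources) >= broad_threshold:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<unknown>"),
        "executable": info.get("CFBundleExecutable", "<unknown>"),
        "resources": resources,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, plist, signed in (
        ("suspicious", SUSPICIOUS_INFO_PLIST, False),
        ("benign", BENIGN_INFO_PLIST, True),
    ):
        result = triage(plist, is_signed=signed)
        print(f"{label}: {result['executable']} ({result['bundle_id']}) -> {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The threshold of three resources is a tunable heuristic, not a rule: legitimate remote-support software does ask for screen, microphone and sometimes camera access, so the verdict is meant to prioritise which bundles an analyst looks at first, with the unsigned-plus-broad-access combination ranked highest.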

Ending notes

The increasing number of Geacon samples found on VirusTotal suggests that cybercriminals are treating it much as they treat Cobalt Strike. Security teams therefore need a defense strategy that can counter all variants of both Geacon and Cobalt Strike. Using the latest IOCs to understand these campaigns, and implementing the corresponding safety measures, is recommended to stay protected.
Cyware Publisher