Related Families: Cobalt Strike
Executive Summary
Geacon is a Cobalt Strike adaptation developed to target MacOS. Geacon versions are available to target both Apple silicon and Intel architectures.
Key Takeaways
- Geacon is a Cobalt Strike adaptation developed to target MacOS.
- It is written in Go and is available on Github.
- Both legitimate pentesters and malicious threat actors may leverage Geacon.
- Geacon versions are available to target both Apple silicon and Intel architectures.
What is Geacon?
SentinelOne recently reported on Geacon, a Cobalt Strike adaptation developed to target MacOS. Geacon is written in Go. It first appeared on GitHub four years ago and has been observed in the wild recently. A developer named Z3ratu1 developed two forks of Geacon. A Mach-O Geacon payload was observed in the wild in November 2022.
Geacon provides pentesters or threat actors with multiple functions, including encrypting and decrypting network communications, exfiltrating data, and downloading additional payloads. Although some Geacon users may conduct red teaming activities, threat actors can abuse Geacon, just as they do Cobalt Strike.
Of the Geacon samples analyzed, one began the infection chain with an AppleScript applet named Xu Yiqing’s Resume_20230320.app, which calls out to a C2 to download a Geacon payload. The application is compiled to work on both Apple silicon and Intel architectures. When the Geacon payload is downloaded, the victim is shown a two-page decoy resume in PDF format. Geacon later begins its beaconing activity.
A second Geacon sample consisted of a Geacon payload embedded in a trojan masquerading as SecureLink, an enterprise secure remote support app. This sample contains an unsigned application built from an Automator workflow and only targets Intel devices. It asks the victim to grant access to the machine’s camera, microphone, contact data, photos, reminders, and administrator privileges.
The use of Geacon to target MacOS follows the 2023 trend of increasing MacOS-focused malware. PolySwarm continues to monitor for adaptations of existing malware as well as novel malware developed to target MacOS.
IOCs
PolySwarm has multiple samples of Geacon.
6181875aaec9c1e3c39b2466e67b8c2f43f4246c89fbfa29093ba8d120d563c6
728e0c74636e05f1c2414610d6dca1dd0f80ad387f9473d06b290c05f50fa49c
db18c1c1e8b56eca5afc1a518d25ae6872024e2e806013f4f9fc08ec89df8003
a58afa6fb86b1851b9f4028992e7632e22a7d2e9f2541836ccce351c631c965c
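As an added defender-side triage example (not code from this report or from the Geacon project), the Python below hashes a file's bytes against the SHA-256 IOCs listed above and parses the Mach-O header to report whether a payload carries an Intel slice, an Apple silicon slice, or both, matching the two samples described earlier. The fat header used as sample input is constructed in the script and contains no real code.

```python
import hashlib
import struct

# SHA-256 hashes from the IOCs section of this report
GEACON_SHA256 = {
    "6181875aaec9c1e3c39b2466e67b8c2f43f4246c89fbfa29093ba8d120d563c6",
    "728e0c74636e05f1c2414610d6dca1dd0f80ad387f9473d06b290c05f50fa49c",
    "db18c1c1e8b56eca5afc1a518d25ae6872024e2e806013f4f9fc08ec89df8003",
    "a58afa6fb86b1851b9f4028992e7632e22a7d2e9f2541836ccce351c631c965c",
}

FAT_MAGIC = 0xCAFEBABE        # universal ("fat") binary, header stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O, header stored little-endian
CPU_TYPE_X86_64 = 0x01000007  # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C   # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64 (Intel)", CPU_TYPE_ARM64: "arm64 (Apple silicon)"}


def mach_o_archs(data: bytes) -> list:
    """Return the CPU architectures a Mach-O blob was built for ([] if not Mach-O)."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat_arch):
            off = 8 + i * 20  # struct fat_arch is five big-endian uint32 fields
            if off + 4 > len(data):
                break  # truncated header: report only the slices we can read
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []


def triage(data: bytes) -> dict:
    """Hash a file's bytes against the report's IOCs and record its architectures."""
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "known_geacon": digest in GEACON_SHA256,
            "archs": mach_o_archs(data)}


def build_fat_header(cputypes) -> bytes:
    """Constructed sample: a fat header advertising the given slices (no real code)."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        hdr += struct.pack(">IIIII", cputype, 0, 4096 * (i + 1), 4096, 12)
    return hdr
```

Run `triage(open(path, "rb").read())` on a suspect Mach-O to get its hash match and slice list in one pass.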
You can use the following CLI command to search for all Geacon samples in our portal:
$ polyswarm link list -f Geacon