The PolySwarm Blog


Geacon - Cobalt Strike for MacOS

May 26, 2023 2:01:00 PM / by The Hivemind

GEACON

Related Families: Cobalt Strike

Executive Summary

Geacon is a Cobalt Strike adaptation developed to target MacOS. Geacon versions are available to target both Apple silicon and Intel architectures.

Key Takeaways

  • Geacon is a Cobalt Strike adaptation developed to target MacOS.
  • It is written in Go and is available on GitHub.
  • Both legitimate pentesters and malicious threat actors may leverage Geacon.
  • Geacon versions are available to target both Apple silicon and Intel architectures.

What is Geacon?

SentinelOne recently reported on Geacon, a Cobalt Strike adaptation developed to target MacOS. Geacon is written in Go. It first appeared on GitHub four years ago and has been observed in the wild recently. A developer named Z3ratu1 developed two forks of Geacon. A Mach-O Geacon payload was observed in the wild in November 2022.

Geacon provides pentesters or threat actors with multiple functions, including encryption and decryption of network communications, data exfiltration, and downloading additional payloads. Although some Geacon users may conduct red teaming activities, threat actors can abuse Geacon just as they do Cobalt Strike.

Of the Geacon samples analyzed, one began the infection chain with an AppleScript applet named Xu Yiqing’s Resume_20230320.app, which calls out to a C2 to download a Geacon payload. The application is compiled to work on both Apple silicon and Intel architectures. When the Geacon payload is downloaded, the victim is shown a two-page decoy resume in PDF format. Geacon later begins its beaconing activity.

A second Geacon sample consisted of a Geacon payload embedded in a trojan masquerading as SecureLink, an enterprise secure remote support application. This sample contains an unsigned application built from an Automator workflow and only targets Intel devices. It asks the victim to grant access to the machine's camera, microphone, contact data, photos, and reminders, as well as administrator privileges.

The use of Geacon to target MacOS follows the trend of an increase in MacOS-focused malware in 2023. PolySwarm continues to monitor for adaptations of existing malware as well as novel malware developed to target MacOS.

IOCs

PolySwarm has multiple samples of Geacon.


6181875aaec9c1e3c39b2466e67b8c2f43f4246c89fbfa29093ba8d120d563c6

728e0c74636e05f1c2414610d6dca1dd0f80ad387f9473d06b290c05f50fa49c

db18c1c1e8b56eca5afc1a518d25ae6872024e2e806013f4f9fc08ec89df8003

a58afa6fb86b1851b9f4028992e7632e22a7d2e9f2541836ccce351c631c965c
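The hashes above are the most direct way to check whether any of these Geacon samples are present on a host. The following script is an added example, not PolySwarm's tooling or code from the Geacon project: it walks a directory tree, computes SHA-256 over each regular file, and reports files whose digest matches the IoC list. The directory layout, the `demo()` helper, and the extra hash of the string `abc` that `demo()` appends to the list are constructed for illustration so the script can be exercised offline; the four Geacon hashes themselves are the ones published in this report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes of the Geacon samples listed in this report.
GEACON_SHA256 = {
    "6181875aaec9c1e3c39b2466e67b8c2f43f4246c89fbfa29093ba8d120d563c6",
    "728e0c74636e05f1c2414610d6dca1dd0f80ad387f9473d06b290c05f50fa49c",
    "db18c1c1e8b56eca5afc1a518d25ae6872024e2e806013f4f9fc08ec89df8003",
    "a58afa6fb86b1851b9f4028992e7632e22a7d2e9f2541836ccce351c631c965c",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the lowercase hex SHA-256 of a file, read in chunks so large
    binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=GEACON_SHA256):
    """Walk `root` and return {path: sha256} for every regular file whose
    digest appears in `iocs`. Hash comparison is case-insensitive; symlinks
    and unreadable files are skipped rather than aborting the sweep."""
    wanted = {h.lower() for h in iocs}
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # permission denied, vanished file, etc.
            if digest in wanted:
                hits[str(p)] = digest
    return hits


# Constructed for the demo: SHA-256 of the bytes b"abc". Not a Geacon IoC.
DEMO_EXTRA_IOC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Build a throwaway directory with one benign file and one file whose
    hash is on the (extended) IoC list, then sweep it. Returns the hits."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    Path(root, "benign.txt").write_bytes(b"hello")   # should not match
    Path(root, "nested").mkdir()
    Path(root, "nested", "sample.bin").write_bytes(b"abc")  # matches DEMO_EXTRA_IOC
    return sweep(root, GEACON_SHA256 | {DEMO_EXTRA_IOC})


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"MATCH {digest}  {path}")
```

In real use, call `sweep("/Applications")` or another directory of interest with the default IoC set; an empty result means none of the four published samples were found by hash, not that the host is clean, since recompiled Geacon builds will have different digests.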


You can use the following CLI command to search for all Geacon samples in our portal:

$ polyswarm link list -f Geacon


Topics: Cobalt Strike, MacOS, Pentesting, Geacon
