Cobalt Strike Tool ‘Geacon’ Targets macOS in Latest Attack

Geacon Malware Emerges as a New Threat against macOS

Introduction

Geacon, a Go-language implementation of the beacon from the well-known Cobalt Strike red-teaming and attack-simulation tool, has emerged as a new threat against macOS systems. Although Geacon first surfaced on GitHub four years ago, it had mostly remained under the radar until recently. Security researchers at SentinelOne warn that several Geacon payloads appearing on VirusTotal in recent months indicate a sudden increase in attackers’ interest in using the tool against macOS devices.

The Threat Geacon Poses to macOS Systems

SentinelOne’s analysis of the Geacon samples shows that some originate from legitimate enterprise red-team exercises, while others are artifacts of malicious activity. For example, an AppleScript applet named “Xu Yiqing’s Resume_20230320.app” fetched an unsigned Geacon payload from a malicious server and targeted macOS systems running on either Apple silicon or Intel processors. The applet first determines the architecture of the host so that it can download the Geacon payload built for that device. The downloaded binary embeds a PDF resume, which it displays as a decoy before beaconing out to its command-and-control (C2) server. The compiled Geacon binary includes functions for network communication, encryption, decryption, downloading further payloads, and exfiltrating data.
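Two properties of the payload described above, that it is a Mach-O binary built for a specific architecture and that it was produced by the Go toolchain, are cheap to check during triage. The following is an added example, not SentinelOne’s code or anything from the Geacon project: it reads the Mach-O header to report the architecture(s) a file was built for, handling both thin and universal (fat) files, and scans for strings the Go linker normally leaves behind. The Go markers are a heuristic (a stripped or packed build can remove them), and the sample files at the bottom are constructed headers with filler bodies, not real malware.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>)
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit thin Mach-O; header is little-endian on disk
FAT_MAGIC = 0xCAFEBABE            # universal ("fat") binary; header is big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Strings the Go toolchain leaves in the binaries it builds. Heuristic only:
# a stripped or packed build may lack them, so absence proves nothing.
GO_MARKERS = (b"Go build ID:", b"runtime.main", b"go.buildid")


def mach_o_arches(data: bytes) -> list:
    """Return the CPU architectures a Mach-O file was built for ([] if not Mach-O)."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        arches = []
        for i in range(nfat):
            off = 8 + i * 20                      # sizeof(struct fat_arch) == 20
            if off + 20 > len(data):
                break                             # truncated header
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            arches.append(CPU_NAMES.get(cputype, hex(cputype)))
        return arches
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []


def triage(data: bytes) -> dict:
    """Summarise architecture and Go-build evidence for one file's bytes."""
    arches = mach_o_arches(data)
    markers = [m.decode() for m in GO_MARKERS if m in data]
    return {
        "arches": arches,
        "go_markers": markers,
        "go_built_mach_o": bool(arches) and bool(markers),
    }


# --- constructed samples (headers plus filler, not real malware) -------------
def _thin(cputype: int, body: bytes) -> bytes:
    # struct mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2),
    # ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0) + body


def _fat(slices) -> bytes:
    # struct fat_header followed by nfat_arch * struct fat_arch, all big-endian.
    # Slices are laid out back to back; real files page-align them, which the
    # parser above does not depend on.
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    for cputype, blob in slices:
        header += struct.pack(">5I", cputype, 0, offset, len(blob), 0)
        offset += len(blob)
    return header + b"".join(blob for _, blob in slices)


SAMPLE_ARM64_GO = _thin(CPU_TYPE_ARM64, b'\x00Go build ID: "constructed"\x00runtime.main\x00')
SAMPLE_X86_PLAIN = _thin(CPU_TYPE_X86_64, b"\x00hello\x00")
SAMPLE_FAT_GO = _fat([(CPU_TYPE_X86_64, SAMPLE_X86_PLAIN),
                      (CPU_TYPE_ARM64, SAMPLE_ARM64_GO)])

if __name__ == "__main__":
    for name, blob in [("arm64", SAMPLE_ARM64_GO), ("x86_64", SAMPLE_X86_PLAIN),
                       ("fat", SAMPLE_FAT_GO)]:
        print(name, triage(blob))
```

To use it on a suspect file, read the bytes and pass them to `triage()`; for a fat file, the architecture list tells you which slices a dropper like the one above could have selected between, and a hit on the Go markers is a reason to look at the sample more closely rather than a verdict.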

In another instance, a Geacon payload was embedded in a fake version of the SecureLink enterprise remote-support application. The fake app asked the user to grant administrator privileges as well as access to the camera, microphone, and other settings normally protected by macOS’s Transparency, Consent, and Control (TCC) framework. Unlike the first sample, this payload communicated with a known Cobalt Strike C2 server at an IP address located in Japan.
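The permissions the fake SecureLink app asked for are recorded by TCC, so one check a responder would want after reading this is which applications on a host currently hold camera and microphone grants, and whether any of them are unexpected. The following is an added example, not SentinelOne’s code: it queries the `access` table of a TCC database using the `service`, `client` and `auth_value` columns as they appear on recent macOS versions (an assumption about the schema; older versions used an `allowed` column instead of `auth_value`, and reading the real database may itself require Full Disk Access). It runs against a constructed in-memory copy of the table so that it executes offline; the bundle identifiers and the allowlist are made up.

```python
import os
import sqlite3

# Per-user TCC database on macOS (path is an assumption about where to point this
# in practice; the system-wide copy lives under /Library/Application Support/com.apple.TCC/).
USER_TCC_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"

SENSITIVE_SERVICES = ("kTCCServiceCamera", "kTCCServiceMicrophone")
AUTH_ALLOWED = 2   # auth_value meaning "allowed" on macOS 11 and later (assumption)


def open_tcc_db(path: str = USER_TCC_DB) -> sqlite3.Connection:
    """Open a TCC database read-only so the check cannot modify it."""
    full = os.path.expanduser(path)
    return sqlite3.connect(f"file:{full}?mode=ro", uri=True)


def sensitive_grants(conn: sqlite3.Connection) -> list:
    """Return (client, service) pairs currently allowed camera or microphone access."""
    query = """
        SELECT client, service FROM access
        WHERE service IN (?, ?) AND auth_value = ?
        ORDER BY client, service
    """
    return conn.execute(query, (*SENSITIVE_SERVICES, AUTH_ALLOWED)).fetchall()


def unexpected_grants(conn: sqlite3.Connection, allowlist: set) -> list:
    """Grants held by clients that are not on the organisation's allowlist."""
    return [(client, service) for client, service in sensitive_grants(conn)
            if client not in allowlist]


# --- constructed stand-in for a TCC database (only the columns used above) ---
def constructed_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER)")
    rows = [
        # a sanctioned video-conferencing app (made-up bundle id)
        ("kTCCServiceCamera", "com.example.videoconf", 0, 2),
        ("kTCCServiceMicrophone", "com.example.videoconf", 0, 2),
        # a look-alike remote-support app that was granted both (made-up bundle id)
        ("kTCCServiceCamera", "com.example.securelink-lookalike", 0, 2),
        ("kTCCServiceMicrophone", "com.example.securelink-lookalike", 0, 2),
        # a denied request, which should not be reported
        ("kTCCServiceCamera", "com.example.denied", 0, 0),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn


ALLOWLIST = {"com.example.videoconf"}

if __name__ == "__main__":
    for client, service in unexpected_grants(constructed_db(), ALLOWLIST):
        print(f"unexpected grant: {client} -> {service}")
```

On a real host, replace `constructed_db()` with `open_tcc_db()` and `ALLOWLIST` with the bundle identifiers your organisation actually sanctions; clients can also be stored as absolute paths (`client_type` 1), which the query reports in the same way.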

The Wider Context of Geacon’s Emergence

Geacon is not the first open-source attack framework that SentinelOne has found embedded in a Trojan masquerading as SecureLink. In September 2020, the vendor reported a fake SecureLink application for macOS carrying Sliver, another open-source attack framework. The use of Cobalt Strike tooling on macOS fits the broader attacker interest in the platform that researchers have observed over the past year. Earlier this year, researchers at Uptycs reported a new Mac malware sample called “MacStealer” that steals documents, iCloud Keychain data, browser cookies, and other data from macOS users; more recently, LockBit became the first major ransomware actor to develop a Mac version of its malware. North Korea’s state-backed Lazarus Group has also begun targeting Apple Macs.

Conclusion: How Organizations Can Protect Their macOS Systems

As Geacon and other macOS-targeting malware proliferate, organizations must take steps to protect their devices. SentinelOne has released a set of indicators to help organizations identify malicious Geacon payloads. Patching vulnerabilities as soon as they are disclosed, using antimalware solutions, and deploying endpoint detection and response (EDR) capabilities all help to protect macOS and other systems from emerging threats. Note, though, that neither sample described above exploited a vulnerability: both relied on a user launching an unsigned application and granting it permissions, so controls on unsigned code and user awareness of fake “resume” and “remote support” applications matter as much as patching.
