Scribd Logo
Upload

Welcome to Scribd!

  • 16 views

    The Apple MacOS Systems Are Being Attacked by Hackers Using Golang Variant of Cobalt Strike

    Uploaded by

    fauzeeyah adepoju
    SentinelOne researchers observed an increase in Geacon payloads, a Golang variant of Cobalt Strike used to target Apple macOS systems, being uploaded to VirusTotal in recent months. Geacon samples correspond to two variants called geacon_plus and geacon_pro that were developed by anonymous Chinese developers in October 2022. One sample disguises itself as a resume document to download and execute a Geacon payload, while another masquerades as a remote support app to request sensitive permissions and connect to a command-and-control server in Japan. The emergence of Geacon threatens the growing number of macOS systems being targeted by threat actors.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    The Apple MacOS Systems Are Being Attacked by Hackers Using Golang Variant of Cobalt Strike

    Uploaded by

    fauzeeyah adepoju
    16 views2 pages
    SentinelOne researchers observed an increase in Geacon payloads, a Golang variant of Cobalt Strike used to target Apple macOS systems, being uploaded to VirusTotal in recent months. Geacon samples correspond to two variants called geacon_plus and geacon_pro that were developed by anonymous Chinese developers in October 2022. One sample disguises itself as a resume document to download and execute a Geacon payload, while another masquerades as a remote support app to request sensitive permissions and connect to a command-and-control server in Japan. The emergence of Geacon threatens the growing number of macOS systems being targeted by threat actors.

    Original Title

    The Apple MacOS Systems Are Being Attacked By Hackers Using Golang Variant Of Cobalt Strike

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    SentinelOne researchers observed an increase in Geacon payloads, a Golang variant of Cobalt Strike used to target Apple macOS systems, being uploaded to VirusTotal in recent months. Geacon samples correspond to two variants called geacon_plus and geacon_pro that were developed by anonymous Chinese developers in October 2022. One sample disguises itself as a resume document to download and execute a Geacon payload, while another masquerades as a remote support app to request sensitive permissions and connect to a command-and-control server in Japan. The emergence of Geacon threatens the growing number of macOS systems being targeted by threat actors.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    16 views2 pages

    The Apple MacOS Systems Are Being Attacked by Hackers Using Golang Variant of Cobalt Strike

    Uploaded by

    fauzeeyah adepoju
    SentinelOne researchers observed an increase in Geacon payloads, a Golang variant of Cobalt Strike used to target Apple macOS systems, being uploaded to VirusTotal in recent months. Geacon samples correspond to two variants called geacon_plus and geacon_pro that were developed by anonymous Chinese developers in October 2022. One sample disguises itself as a resume document to download and execute a Geacon payload, while another masquerades as a remote support app to request sensitive permissions and connect to a command-and-control server in Japan. The emergence of Geacon threatens the growing number of macOS systems being targeted by threat actors.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    of 2

    The Apple MacOS Systems Are Being Attacked By Hackers Using Golang Variant Of

    Cobalt Strike

    The emergence of Geacon, a Golang implementation of Cobalt Strike, is expected to attract the attention
    of threat actors targeting Apple macOS systems, according to SentinelOne's findings. The security
    researchers at SentinelOne have observed an increase in the number of Geacon payloads appearing on
    VirusTotal in recent months, and while some may be part of legitimate red-team operations, others exhibit
    characteristics of genuine malicious attacks.

    Cobalt Strike, developed by Fortra, is a well-known tool used for red teaming and adversary simulation.
    Over the years, cracked versions of the software have been illicitly exploited by threat actors due to its
    extensive capabilities. However, it is worth noting that while post-exploitation activities associated with
    Cobalt Strike have primarily targeted Windows systems, attacks against macOS are relatively rare.
    In May 2022, Sonatype, a software supply chain firm, disclosed information about a malicious Python
    package called "pymafka." This package was specifically designed to deploy a Cobalt Strike Beacon on
    compromised Windows, macOS, and Linux systems.

    However, the introduction of Geacon artifacts in the wild may change the landscape. Geacon is a Go
    programming language variant of Cobalt Strike, and it has been available on GitHub since February 2020.
    Further analysis of two new samples uploaded to VirusTotal in April 2023 has revealed their association
    with Geacon. These samples correspond to two Geacon variants named geacon_plus and geacon_pro,
    which were developed in late October by two anonymous Chinese developers known as z3ratu1 and
    H4de5.
    While the geacon_pro project is no longer accessible on GitHub, an Internet Archive snapshot from
    March 6, 2023, reveals its capability to evade detection by antivirus engines such as Microsoft Defender,
    Kaspersky, and Qihoo 360 360 Core Crystal.

    H4de5, the developer of geacon_pro, has stated that the tool is primarily designed to support CobaltStrike
    versions 4.1 and later, while geacon_plus is compatible with CobaltStrike version 4.0. The current version
    of CobaltStrike is 4.8.

    One of the artifacts discovered by SentinelOne is a file named Xu Yiqing's Resume_20230320.app. It


    utilizes a run-only AppleScript to establish a connection with a remote server and download a Geacon
    payload. This payload is compatible with both Apple silicon and Intel architectures.
    The researchers noted that the unsigned Geacon payload is retrieved from an IP address in China. Before
    initiating its beaconing activity, the user is presented with a two-page decoy document embedded in the
    Geacon binary. When the payload is executed, a PDF document displaying a resume for an individual
    named "Xu Yiqing" is opened.
    The Geacon binary, compiled from the geacon_plus source code, contains various functions that enable it
    to download subsequent payloads, exfiltrate data, and facilitate network communications.
    According to the cybersecurity firm, the second sample is found within a trojanized application that
    masquerades as the SecureLink remote support app, specifically targeting Intel devices. This malicious
    app, named SecureLink.app, is designed to deceive users.
    When users grant permission to the application, it requests access to various sensitive information such as
    contacts, photos, and reminders, as well as the device's camera and microphone. The main component of
    the application is a Geacon payload derived from the geacon_pro project, which establishes a connection
    to a known command-and-control (C2) server located in Japan.

    These findings are significant as the macOS ecosystem is currently being targeted by a range of threat
    actors, including state-sponsored groups, who aim to deploy backdoors and steal sensitive information.
    The increasing presence of Geacon samples in recent months highlights the importance for security teams
    to be vigilant and ensure they have proper protections in place against this tool, as noted by the
    researchers.

    You might also like