Recent months have seen an uptick in the number of Geacon payloads appearing on VirusTotal. Geacon is a Golang implementation of Cobalt Strike specifically designed for targeting Apple macOS systems.
According to SentinelOne security researchers Phil Stokes and Dinesh Devadoss, some of these payloads may be part of red-team operations, while others exhibit characteristics of genuine malicious attacks. Fortra’s Cobalt Strike is a widely used red-teaming and adversary-simulation tool, and illegally cracked versions of it have been abused by malicious actors in the past.
While post-exploitation activity involving Cobalt Strike has usually focused on Windows systems, macOS has largely been spared. In May 2022, software supply chain firm Sonatype revealed the existence of a rogue Python package called “pymafka” that was capable of dropping a Cobalt Strike Beacon on Windows, macOS, and Linux hosts.
More about Geacon
Since February 2020, Geacon, a Go variant of Cobalt Strike, has been available on GitHub. Fast-forward to April 2023: two new VirusTotal samples were attributed to two Geacon variants, geacon_plus and geacon_pro, which were created by anonymous Chinese developers Z3ratu1 and H4de5 in late October. By March of 2023, the Geacon_Pro project was also on GitHub and was capable of evading popular antivirus engines such as Microsoft Defender, Kaspersky, and Qihoo 360’s 360 Core Crystal. By April of 2020, the publicly available Geacon_Plus and the private Geacon_Pro projects, both developed by Z3ratu1, had gained close to 1,000 stars and were included in the 404 Starlink project, a public repository of open-source red-team and penetration-testing tools administered by the Zhizhi Chuangyu Laboratory.
That same month, two distinct Geacon payloads were submitted to VirusTotal, drawing the researchers’ attention; one in particular displayed clear signs of a malicious campaign. The Geacon_Pro project is no longer accessible on GitHub, but an Internet Archive snapshot of it was taken on March 6, 2023.
In Conclusion
Enterprise security teams should take advantage of attack simulation tools such as Cobalt Strike and its macOS Go adaptation, Geacon, SentinelOne’s report pointed out. While it is probable that the usage of Geacon is for legitimate red-team purposes, it is also possible that threat actors are making use of the public and private versions of Geacon. The increasing number of Geacon samples seen lately shows that security teams should be aware of this tool and make sure the necessary precautions are taken.