
Threat actors use Go-language edition of Cobalt Strike to target macOS

Target Industry 

Indiscriminate, opportunistic targeting. 

Overview  

Threat actors are reportedly engaged in the deployment of a Go-language rendition of Cobalt Strike, called Geacon. Although this implementation has existed for approximately four years, it has only just emerged as a tool of choice for threat actors. This particular version has been used to target macOS systems specifically for the purposes of post-exploitation operations. Geacon was created by anonymous Chinese developers, with two components of the project gaining popularity in recent months. The malware payload is downloaded from a command-and-control (C2) server in either China or Japan and is designed to bypass antivirus engines. 

SentinelOne conducted an analysis on Geacon payload samples, stating that some are likely to be related to valid red-team exercise engagements, whereas others are likely deployed for malicious purposes.  

Impact  

Successful compromise by a Cobalt Strike variant such as Geacon results in the establishment of C2 channels between the target and the threat actor's systems. This channel allows the threat actors to exfiltrate data from the target, compromise additional systems via lateral movement and deliver further malware components, such as ransomware.

Vulnerability Detection 

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against post-exploitation malware threats like Geacon. Such a solution aims to alert system users to a potential breach and to block further progress before the associated malware causes significant damage.

Affected Products 

macOS 

Containment, Mitigations & Remediations 

It is strongly recommended that the following mitigation steps are implemented as a protective measure to counteract cyber-attacks associated with the abuse of C2 frameworks such as Geacon: 

  • Maintain up-to-date antivirus signatures and engines
  • Ensure that operating system patches are applied as soon as possible
  • Disable File and Printer sharing services
  • Restrict users’ ability (permissions) to install and run unwanted software applications
  • Do not add users to the local administrator’s group, unless this is necessary
  • Enforce a strong password policy and implement regular password changes
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests
  • Disable unnecessary services on workstations and servers
  • Scan for and remove suspicious e-mail attachments
  • Restrict user access to websites with suspicious content
  • Exercise caution when using removable media, such as USB drives and external drives
  • Scan all software downloaded from the internet prior to execution
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs)

Indicators of Compromise 

Geacon associated file hashes (SHA1): 


Geacon associated IP addresses: 

– 47.92.123[].]17 – C2 

– 13.230.229[].]15 – C2 

Geacon associated file paths: 

– ~/runoob.log 
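A defender-side sweep for the indicators above, added here as an example and not part of the bulletin: it streams every file under the chosen roots through SHA1 and matches the digests against a hash list pasted in the bulletin's own format (one "– <sha1>" per line), and checks a given home directory for the ~/runoob.log indicator. The hash list is supplied as text by the operator; demo() builds a constructed fixture (a fake home and a benign file whose digest is placed on the list) so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA1 so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_ioc_hashes(text):
    """Accept the bulletin list as pasted ('– <sha1>' lines); keep only valid SHA1 tokens."""
    hashes = set()
    for line in text.splitlines():
        token = line.strip().lstrip("–-").strip().lower()
        if len(token) == 40 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes

def sweep(roots, ioc_hashes, home):
    """Return (kind, path) findings: the bulletin's ~/runoob.log under home, known-bad SHA1s under roots."""
    findings = []
    candidate = Path(home) / "runoob.log"  # '~/' resolved against the given home, not the caller's
    if candidate.exists():
        findings.append(("path", str(candidate)))
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                fp = os.path.join(dirpath, name)
                try:
                    digest = sha1_of_file(fp)
                except OSError:  # unreadable file: skip it, keep sweeping
                    continue
                if digest in ioc_hashes:
                    findings.append(("sha1", fp))
    return findings

def demo():
    """Constructed fixture: a fake home holding the indicator log and one file whose SHA1 is listed."""
    home = tempfile.mkdtemp()
    (Path(home) / "runoob.log").write_text("constructed sample, not real malware output\n")
    downloads = Path(home) / "Downloads"
    downloads.mkdir()
    (downloads / "sample.bin").write_bytes(b"constructed benign bytes standing in for a payload")
    (downloads / "clean.txt").write_text("nothing to see here\n")
    ioc_text = "Geacon associated file hashes (SHA1):\n\n- " + sha1_of_file(downloads / "sample.bin") + " \n"
    return sorted(sweep([str(downloads)], parse_ioc_hashes(ioc_text), home))
```

On a real host, pass the user's home directory and the roots to inspect (for example the Downloads and Applications folders) together with the bulletin's SHA1 list pasted into a text file.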

Threat Landscape 

The emergence of Geacon correlates with a wider trend in the threat landscape of threat actors pivoting to macOS systems as a target of choice. The same strategy was recently reported in LockBit ransomware operators targeting macOS with custom file encryptors, and in the MacStealer malware, deployed with the objective of stealing data from Apple product users.

The most prominent current events involving Geacon include an increase in the number of payloads appearing on VirusTotal and the discovery of Geacon payloads being distributed as fraudulent SecureLink apps.  

Threat Group 

At the time of writing, no official attribution has been made to a specific threat actor deploying Geacon. However, it should be noted that Cobalt Strike has been attributed as a post-exploitation tool employed by several APT groups, such as Sangria Tempest (also known as FIN7), Forest Blizzard (also known as APT28) and Gingham Typhoon (also known as APT40).

Mitre Methodologies 

Execution: 

T1059 – Command and Scripting Interpreter  

T1059.001 – Command and Scripting Interpreter: PowerShell  

Persistence: 

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  

Privilege Escalation: 

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  

Defence Evasion: 

T1112 – Modify Registry  

Credential Access: 

T1539 – Steal Web Session Cookie  

Discovery: 

T1012 – Query Registry  

T1082 – System Information Discovery  

Command and Control: 

T1071 – Application Layer Protocol  

T1071.001 – Application Layer Protocol: Web Protocols  

Further Information 

SentinelOne Analysis 

Intelligence Terminology Yardstick