There's a new tool in town for those looking to target Apple macOS systems: Geacon, a Golang implementation of the Cobalt Strike Beacon agent. That's according to findings from SentinelOne researchers Phil Stokes and Dinesh Devadoss, who observed an uptick in the number of Geacon payloads appearing on VirusTotal in recent months.

Cobalt Strike is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad post-exploitation capabilities, illegally cracked versions of the software have been abused by threat actors for years.

While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS have been a rarity. In May 2022, software supply chain firm Sonatype disclosed details of a rogue Python package called "pymafka" that was designed to drop a Cobalt Strike Beacon onto compromised Windows, macOS, and Linux hosts. That may now change with the emergence of Geacon artifacts in the wild.

Geacon is a Go variant of the Cobalt Strike Beacon that has been available on GitHub since February 2020. Analysis of two new samples uploaded to VirusTotal in April 2023 traced them to two Geacon forks, geacon_plus and geacon_pro, developed in late October by two anonymous Chinese developers, z3ratu1 and H4de5.

So far, Geacon appears to be used mostly for malicious purposes, with Stokes and Devadoss noting that "while some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks." Given the powerful post-exploitation capabilities Geacon inherits from Cobalt Strike, more in-the-wild attacks using it are likely. Organizations should not assume Cobalt Strike tradecraft is confined to Windows: they should monitor their macOS systems for suspicious activity and take appropriate measures to protect themselves.
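The one concrete property the report gives defenders is that Geacon is a Go binary built for macOS. The following Python triage script is an added example, not code from SentinelOne's report or the Geacon project: it recognizes Mach-O headers and the build-info header the Go linker embeds, recovers the embedded Go version where the Go 1.18+ inline layout is used, and shortlists Go-built Mach-O files for closer review. The sample bytes are constructed inline and are not a real Geacon payload. Being a Go Mach-O binary is not evidence of Geacon (plenty of legitimate macOS software is written in Go), so treat the "review" verdict as a filter to narrow a hunt, to be combined with code-signing and network checks.

```python
"""Triage helper: shortlist Go-built Mach-O binaries for review (added example)."""
import sys

# Mach-O magic values (first 4 bytes of the file). Little-endian files, as
# produced for x86_64 and arm64 macOS, start with the byte-swapped value.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
}

# Header the Go linker embeds (Go 1.13+): 14-byte magic, pointer size, flags,
# then 16 reserved bytes. With flag bit 0x2 (Go 1.18+) the version string and
# module info follow the 32-byte header inline as uvarint-length-prefixed strings.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_BUILDINFO_HEADER_LEN = 32
GO_FLAG_INLINE_STRINGS = 0x2
# Older marker the Go linker writes into the text segment of every binary.
GO_BUILDID_MARKER = b"Go build ID: \""


def read_uvarint(data: bytes, pos: int):
    """Decode a Go-style unsigned varint starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while pos < len(data):
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated uvarint")


def macho_format(data: bytes):
    """Return a Mach-O format label, or None if the file is not Mach-O."""
    return MACHO_MAGICS.get(data[:4])


def go_version(data: bytes):
    """Return the Go toolchain version embedded in the binary, if recoverable."""
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx < 0 or len(data) < idx + GO_BUILDINFO_HEADER_LEN:
        return None
    flags = data[idx + len(GO_BUILDINFO_MAGIC) + 1]
    if not flags & GO_FLAG_INLINE_STRINGS:
        return None  # pre-1.18 layout stores pointers; needs a full loader
    try:
        n, pos = read_uvarint(data, idx + GO_BUILDINFO_HEADER_LEN)
    except ValueError:
        return None
    return data[pos:pos + n].decode("utf-8", errors="replace") or None


def triage(name: str, data: bytes) -> dict:
    """Classify one file's bytes; 'review' means Go-built Mach-O, worth a closer look."""
    fmt = macho_format(data)
    is_go = GO_BUILDINFO_MAGIC in data or GO_BUILDID_MARKER in data
    return {
        "name": name,
        "format": fmt,
        "is_go": is_go,
        "go_version": go_version(data) if is_go else None,
        "verdict": "review" if (fmt and is_go) else "skip",
    }


def sample_go_macho() -> bytes:
    """Constructed stand-in for a Go-built 64-bit Mach-O file (not real malware)."""
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 28          # mach_header_64 magic + filler
    buildinfo = (
        GO_BUILDINFO_MAGIC
        + b"\x08"                                       # pointer size 8
        + bytes([GO_FLAG_INLINE_STRINGS])               # little-endian, inline strings
        + b"\x00" * 16                                  # reserved
        + b"\x08" + b"go1.20.3"                         # uvarint length + version string
        + b"\x00"                                       # empty module info
    )
    return header + b"\x00" * 64 + buildinfo + b"\x00" * 16


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print(triage("constructed-sample", sample_go_macho()))
    for p in paths:
        with open(p, "rb") as fh:
            print(triage(p, fh.read()))
```

Run it with no arguments to see the constructed sample classified, or pass file paths (for example the contents of a user's Downloads folder, or every executable under /Applications) to triage real binaries. On a macOS host the natural next step for each "review" hit is `codesign -dv --verbose=4 <file>` to see whether it is properly signed and notarized, since an unsigned or ad hoc-signed Go binary deserves more attention than a notarized one.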