A recent study showed a surge in cybercriminal operations leveraging an open-source tool called Geacon, a malicious kit capable of targeting macOS devices. Based on reports, this Cobalt Strike variant, written in the Go language, has been available on GitHub for more than two years.
Researchers reported a spike in threat groups using Geacon payloads. Most of the recent samples came from malicious campaigns, while some are alleged to have come from red-team operations.
During the first days of last month, an unknown entity uploaded a malicious AppleScript applet called Xu Yiging’s Resume_20230320[.]app to VirusTotal. Analysts explained that, once executed, the script contacts a remote server and downloads a Geacon payload.
The applet was designed to identify the architecture of the target system and download the matching Geacon payload for either Intel or Apple silicon.
Two new Geacon payload samples
The current investigation uncovered two new Geacon samples, geacon_pro and geacon_plus. Unknown Chinese developers created both samples in October last year.
The geacon_plus variant works with Cobalt Strike version 4.0, while geacon_pro supports versions 4.1 and newer.
GitHub has since removed geacon_pro. However, a file snapshot from March 6 revealed that the variant could bypass several AV solutions, including Qihoo 360, 360 Core Crystal, Microsoft Defender, and Kaspersky.
Researchers also found a Geacon sample that impersonates the remote support application SecureLink. This sample primarily targets Intel devices. The unsigned app prompts the targeted user to grant access to the affected device’s contacts, camera, photos, and reminders.
The primary component of the Geacon payload connects to a command-and-control server in Japan to retrieve further instructions.
The spike in Geacon samples on VirusTotal implies that threat actors are adopting the new variant just as they adopted Cobalt Strike. Security providers should therefore implement a defence strategy that effectively counters all variants of Cobalt Strike and Geacon.
Experts believe that security providers can use the latest IOCs to analyse these attack campaigns and formulate a response to such threats.
