
Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems



May 16, 2023 | Ravie Lakshmanan | Endpoint Security / Cyber Threat

A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems.

The findings come from SentinelOne, which observed an uptick in the number of Geacon payloads appearing on VirusTotal in recent months.

“While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks,” security researchers Phil Stokes and Dinesh Devadoss said in a report.

Cobalt Strike is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad post-exploitation capabilities, illegally cracked versions of the software have been abused by threat actors over the years.

While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity.


In May 2022, software supply chain firm Sonatype disclosed details of a rogue Python package called “pymafka” that was designed to drop a Cobalt Strike Beacon onto compromised Windows, macOS, and Linux hosts.

That may, however, change with the emergence of Geacon artifacts in the wild. Geacon is a Go variant of Cobalt Strike that has been available on GitHub since February 2020.

Further analysis of two new VirusTotal samples that were uploaded in April 2023 has traced their origins to two Geacon variants (geacon_plus and geacon_pro) that were developed in late October by two anonymous Chinese developers z3ratu1 and H4de5.

The geacon_pro project is no longer accessible on GitHub, but an Internet Archive snapshot captured on March 6, 2023, reveals its ability to bypass antivirus engines such as Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.


H4de5, the developer behind geacon_pro, claims the tool is mainly designed to support CobaltStrike versions 4.1 and later, while geacon_plus supports CobaltStrike version 4.0. The current version of the software is 4.8.

Xu Yiqing’s Resume_20230320.app, one of the artifacts discovered by SentinelOne, employs a run-only AppleScript to reach out to a remote server and download a Geacon payload. It’s compatible with both Apple silicon and Intel architectures.

“The unsigned Geacon payload is retrieved from an IP address in China,” the researchers said. “Before it begins its beaconing activity, the user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a resume for an individual named ‘Xu Yiqing.’”

The Geacon binary, compiled from the geacon_plus source code, packs a multitude of functions that allow it to download next-stage payloads, exfiltrate data, and facilitate network communications.
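As an added defender-side example (not code from SentinelOne, the Geacon projects, or this article), the following Python triage helper checks an app bundle for the traits described above: a compiled AppleScript launcher, a single-architecture or universal (Intel plus Apple silicon) Mach-O, and strings that suggest a Go build. It constructs its own stand-in bundle so it runs offline; the file magics come from Apple's public headers, while the Go marker strings are a heuristic of this example, not a Geacon signature, and the AppleScript check flags any compiled script, run-only or not.

```python
import struct
import tempfile
from pathlib import Path

FAT_MAGIC = 0xCAFEBABE          # universal binary header (<mach-o/fat.h>, big-endian)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header (<mach-o/loader.h>, little-endian)
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
APPLESCRIPT_MAGIC = b"FasdUAS"  # file header of a compiled AppleScript (.scpt)
GO_MARKERS = (b"Go build ID:", b"runtime.goexit")  # heuristic Go build strings

def classify_file(path):
    """Describe one file: compiled AppleScript, Mach-O (single or universal), or other."""
    data = Path(path).read_bytes()
    info = {"path": str(path), "kind": "other", "arches": [], "go": False}
    if data.startswith(APPLESCRIPT_MAGIC):
        info["kind"] = "applescript"
    elif len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        info["kind"] = "macho-universal"
        for i in range(struct.unpack(">I", data[4:8])[0]):   # one fat_arch per slice
            cpu = struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])[0]
            info["arches"].append(CPU_NAMES.get(cpu, hex(cpu)))
    elif len(data) >= 8 and struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        info["kind"] = "macho"
        cpu = struct.unpack("<I", data[4:8])[0]
        info["arches"].append(CPU_NAMES.get(cpu, hex(cpu)))
    if info["kind"].startswith("macho"):
        info["go"] = any(m in data for m in GO_MARKERS)
    return info

def scan_bundle(bundle_dir):
    """Walk an .app directory and summarise the indicators worth a closer look."""
    files = [classify_file(p) for p in sorted(Path(bundle_dir).rglob("*")) if p.is_file()]
    summary = {"compiled_applescript": any(f["kind"] == "applescript" for f in files),
               "go_macho": any(f["go"] for f in files),
               "universal": any(f["kind"] == "macho-universal" for f in files),
               "arches": sorted({a for f in files for a in f["arches"]})}
    return files, summary

def build_sample_bundle(base_dir=None):
    """Constructed stand-in bundle (not real malware): an AppleScript launcher stub
    plus a universal Mach-O stub that carries a Go build string."""
    app = Path(base_dir or tempfile.mkdtemp()) / "Sample.app"
    macos_dir = app / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    (macos_dir / "launcher.scpt").write_bytes(APPLESCRIPT_MAGIC + b"\x00" * 32)
    fat = struct.pack(">II", FAT_MAGIC, 2)               # fat_header: magic, nfat_arch
    for cpu in (0x01000007, 0x0100000C):                  # x86_64 and arm64 slices
        fat += struct.pack(">IIIII", cpu, 3, 0, 0, 0)     # cputype, subtype, offset, size, align
    (macos_dir / "payload").write_bytes(fat + b"\x00" * 16 + b'Go build ID: "constructed"')
    return str(app)
```

Running `scan_bundle(build_sample_bundle())` reports a compiled AppleScript plus a universal, Go-built Mach-O; a real triage would follow up with `codesign -dv` on the bundle, since both samples described here are unsigned.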


The second sample, per the cybersecurity firm, is embedded within a trojanized app that masquerades as the SecureLink remote support app (SecureLink.app) and mainly targets Intel devices.

The barebones, unsigned application requests users’ permission to access contacts, photos, and reminders, as well as the device’s camera and microphone. Its main component is a Geacon payload built from the geacon_pro project that connects to a known command-and-control (C2) server in Japan.

The development comes as the macOS ecosystem is being targeted by a wide variety of threat actors, including state-sponsored groups, to deploy backdoors and information stealers.

“The uptick in Geacon samples over the last few months suggests that security teams should be paying attention to this tool and ensuring that they have protections in place.”
