Heads up: threat actors are now deploying a Go-language implementation of Cobalt Strike called Geacon that first surfaced on GitHub four years ago and had remained largely under the radar.
They are using the red-teaming and attack-simulation tool to target macOS systems in much the same way they have used Cobalt Strike for post-exploitation activity on Windows platforms over the past few years.
Security researchers at SentinelOne reported the activity this week after spotting several Geacon payloads appearing on VirusTotal in recent months. SentinelOne’s analysis of the samples showed some were likely related to legitimate enterprise red-team exercises, while others appeared to be artifacts of malicious activity.
One malicious sample submitted to VirusTotal on April 5 is an AppleScript applet titled “Xu Yiqing’s Resume_20230320.app” that downloads an unsigned Geacon payload from a malicious server with a China-based IP address.
SentinelOne found the application is compiled to run on macOS systems with either Apple silicon or Intel processors. The applet contains logic that determines the architecture of the macOS system it is running on so it can download the Geacon payload built for that device. The compiled Geacon binary itself contains an embedded PDF that first displays a resume for an individual named Xu Yiqing before beaconing out to its command-and-control (C2) server.
“The compiled Geacon binary has a multitude of functions for tasks such as network communications, encryption, decryption, downloading further payloads, and exfiltrating data,” SentinelOne said.
In another instance, SentinelOne discovered a Geacon payload embedded in a fake