Strike for mac download
The C2 for this sample is a Japanese IP address that researchers linked to a Cobalt Strike server on VirusTotal. The app requires the user to grant access to the device’s camera, microphone and administrator privileges, as well as to data such as contacts, photos and reminders. According to researchers, the plist for the app shows that it targets OS X Mavericks (version 10.9) and onwards. The second Geacon payload was discovered embedded in a trojan disguised as the SecureLink enterprise remote support application. The Geacon binary has a number of capabilities, including encryption and decryption, network communications, and the ability to download further payloads and exfiltrate data.

“Analysis of the run-only script shows that it contains logic to determine the current architecture and download a Geacon payload specifically built for the target device.”

“The application is ad-hoc codesigned and compiled for both Apple silicon and Intel architectures,” said researchers. According to researchers, this Chinese IP address (47.92.123.17) is associated with other malicious samples targeting Windows machines. One was an AppleScript app (Xu Yiqing’s Resume_20230320.app) that shows the user a decoy two-page PDF document displaying a resume for an individual named “Xu Yiqing”; in the background, the app is designed to call out to a remote command-and-control (C2) server and download an unsigned Geacon payload from an IP address in China. That same month, researchers found two Geacon payloads on VirusTotal.

“While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks.”

After an anonymous developer created two Geacon forks in October, public and private Geacon projects were added in April to the 404 Starlink Project, a public repository of open source red-team and penetration tools maintained by the Zhizhi Chuangyu Laboratory. “We have observed a number of Geacon payloads appearing on VirusTotal in recent months,” said Phil Stokes and Dinesh Devadoss with SentinelLabs on Monday. The Geacon project, meanwhile, first appeared on GitHub four years ago as a Cobalt Strike alternative for macOS devices. After spotting an increased number of VirusTotal payloads for the Go-based implementation of the Cobalt Strike beacon, called Geacon, researchers warn that threat actors are likely to abuse the tool in order to target macOS devices.

Cobalt Strike is a legitimate adversary simulation tool used by red teams; however, it has also been abused by threat actors to target the Windows platform.