In the constantly shifting world of modern cybersecurity, threat actors keep creating new methods and tools to penetrate and corrupt networks. Geacon is one such tool: a notorious implementation of the Cobalt Strike Beacon in the Go programming language.
The purpose of this blog article is to explain what Geacon is, what it means for MacBook users, and concrete methods for protecting your MacBook against this kind of sophisticated attack.
The Go language is an open-source high-level programming language developed by Google. Google designed Golang in a manner similar to the C language, leading to its nickname as the “C for the 21st century.” If you’re familiar with C, you won’t have much trouble learning Go, as its syntax is similar to C’s. Along with this shared syntax, it provides virtually everything that C does. Program execution time is the same for both languages, and they perform comparably in terms of efficiency. Go also offers hardware access similar to C’s. You might wonder, if all this is the same, why do we need Golang? The answer lies in Go’s extensive libraries. The wealth of libraries and a neat package management system make this language more efficient for writing complex programs.
Cobalt Strike is a legitimate commercial software used for penetration testing and red teaming exercises. It’s designed to simulate advanced persistent threat (APT) attacks on an organization’s network to test its defenses.
One of the main components of Cobalt Strike is the “Beacon,” a payload that allows the tester (or in malicious use cases, the attacker) to maintain persistent access to the compromised systems. The Beacon is a lightweight payload designed for long-term operations and stealth. It communicates back to the Cobalt Strike server, allowing the operator to control the infected machine.
Key features of the Beacon include:
Command and Control: Beacon communicates with the Cobalt Strike server, receiving tasks and sending back results. It can communicate over various protocols, including HTTP, HTTPS, DNS, and more, and it’s designed to mimic legitimate traffic to evade detection.
Stealth and Persistence: Beacon is designed to be stealthy and to maintain access over long periods. It has a low network footprint, and it can sleep and wake up at scheduled intervals to further avoid detection.
Lateral Movement: A beacon can be used to move laterally across a network, infecting other machines and expanding the operator’s control.
Task Execution: Beacon can execute tasks on the compromised machine, such as gathering system information, capturing keystrokes, taking screenshots, and more.
Cobalt Strike’s Beacon payload is written in Java. The server-side software that interacts with the Beacon is also predominantly written in Java. However, Beacon can execute payloads and scripts in various languages on compromised hosts, such as PowerShell, JavaScript, and shellcode, depending on the situation and the needs of the operator. The versatility of Cobalt Strike’s Beacon payload is one of the reasons why it is a popular choice for both legitimate penetration testing and malicious cyber attacks.
Geacon is a malicious Cobalt Strike Beacon payload that was developed using the Go programming language. It provides threat actors remote access to and control over the compromised system, enabling them to execute instructions, steal data, and engage in other malicious operations, just as the original Beacon does.
Image Source: SentinelOne
In recent weeks, cybersecurity researchers working for SentinelOne discovered two instances of the Geacon malware being used in targeted attacks on macOS systems. It was determined that these instances were Xu Yiqing’s Resume_20230320.app, SecureLink.app, and SecureLink_Client. Both apps were deftly camouflaged as legitimate software, making it exceedingly difficult to identify the presence of Geacon on the system.
An application known as Xu Yiqing’s Resume_20230320.app is a forgery that pretends to be the résumé of a nonexistent person. Geacon is stealthily deployed in the background when unwary users download and launch this program. This establishes a covert communication channel with the attacker’s command-and-control infrastructure. This grants the attacker total control over the MacBook, enabling them to engage in various harmful operations without fear of being discovered.
Following are some key points to keep in mind:
Phishing emails and compromised websites are common vectors for distributing the malicious program known as Xu Yiqing’s Resume_20230320.app.
The user can be fooled into believing that the resume file is genuine since it contains a well-prepared profile of the made-up person to get them to download and open the file.
Geacon is covertly installed on the user’s computer without their knowledge or agreement. It does this by disguising itself as part of the application being used.
Geacon will permanently connect with the attacker’s command-and-control infrastructure during installation. This connection will allow the attacker to continue to exercise control over the infected MacBook.
After gaining access to the compromised system, the attacker can carry out a wide variety of harmful operations, such as the theft of sensitive data, the distribution of more malware, or the performance of network surveillance on the victim’s system.
In addition to the resume application, Geacon has been observed being distributed via SecureLink.app and SecureLink_Client. Users are tricked into installing these programs because they are passed off as secure file transfer utilities, which they are not. Once they are installed, Geacon is deployed, letting the attacker take remote control of the infected MacBook and carry out whatever instructions they choose.
Some important points about SecureLink.app and SecureLink_Client are as follows:
Both SecureLink.app and SecureLink_Client deceive users into believing they are real file transfer programs, capitalizing on their faith in safe information exchange.
These programs frequently replicate the style and operation of legitimate file transfer utilities, giving the impression that they are trustworthy and professional.
Users might be led astray into downloading and installing SecureLink.app and SecureLink_Client under the false impression that they are performing the essential steps to ensure the safety of their file transfers.
Geacon, once installed, establishes a covert deployment within the apps and a backdoor link to the command and control infrastructure of the attacker.
The malicious actor takes remote control of the infected MacBook, allowing them to carry out arbitrary operations, steal data, and move throughout the network laterally.
Observed Geacon C2s
47.92.123.17
13.230.229.15
Bundle Identifiers
com.apple.ScriptEditor.id.1223
com.apple.automator.makabaka
Suspicious File Paths
~/runoob.log
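A host-side sweep for the indicators listed above, added here as an example (it is not part of the original post or of SentinelOne’s tooling): it reads app bundles’ Info.plist files with the standard-library plistlib and compares CFBundleIdentifier against the listed bundle identifiers, checks for the suspicious file path, and screens netstat-style output for the observed C2 addresses. The sample host that demo() builds (the SecureLink.app bundle, the log file and the two netstat lines) is constructed for the example.

```python
import os, plistlib, re, tempfile
from pathlib import Path

# Indicators copied from the report above: C2 addresses, bundle identifiers, file path.
C2_IPS = {"47.92.123.17", "13.230.229.15"}
BUNDLE_IDS = {"com.apple.ScriptEditor.id.1223", "com.apple.automator.makabaka"}
SUSPICIOUS_PATHS = ["~/runoob.log"]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # whole dotted quads only

def find_bundle_id_matches(roots):
    """Info.plist paths under roots whose CFBundleIdentifier is a listed IOC."""
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            if "Info.plist" not in filenames:
                continue
            plist_path = os.path.join(dirpath, "Info.plist")
            try:
                with open(plist_path, "rb") as fh:
                    info = plistlib.load(fh)
            except Exception:  # malformed or unreadable plist: skip it, keep hunting
                continue
            if info.get("CFBundleIdentifier") in BUNDLE_IDS:
                hits.append(plist_path)
    return hits

def find_suspicious_files(home=None):
    """Expand the listed ~ paths against home (default: real home); return those that exist."""
    home = Path(home) if home else Path.home()
    return [str(p) for p in (home / s[2:] for s in SUSPICIOUS_PATHS) if p.exists()]

def find_c2_connections(lines):
    """netstat/lsof-style lines that mention a listed C2 IP; 47.92.123.170 is not a hit."""
    return [ln for ln in lines if C2_IPS & set(IPV4.findall(ln))]

def demo():
    """Constructed sample host: a fake SecureLink.app bundle, the log file, two netstat lines."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        contents = home / "Downloads" / "SecureLink.app" / "Contents"
        contents.mkdir(parents=True)
        with open(contents / "Info.plist", "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": "com.apple.automator.makabaka"}, fh)
        (home / "runoob.log").write_text("constructed sample\n")
        netstat = [  # constructed, macOS `netstat -an` format (port after the last dot)
            "tcp4  0  0  192.168.1.5.51234  47.92.123.17.443   ESTABLISHED",
            "tcp4  0  0  192.168.1.5.51235  47.92.123.170.443  ESTABLISHED",
        ]
        return {"bundles": len(find_bundle_id_matches([home])),
                "files": len(find_suspicious_files(home)),
                "c2": len(find_c2_connections(netstat))}
```

On a real Mac, pass ["/Applications", str(Path.home() / "Downloads")] to find_bundle_id_matches() and feed the output of `netstat -an` to find_c2_connections(); a match is a lead to investigate, not proof of compromise on its own.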
There is no special procedure to protect your MacBook from Geacon. Instead, follow these general practices:
Block the IOCs listed above on all security devices
Keep Your Operating System and Applications Up-to-Date
Exercise Caution when Downloading and Installing Software
Enable Automatic Updates and Security Features
Use a Trustworthy Antivirus and Antimalware Solution
Exercise Caution with Email Attachments and Downloads
Maintain a High Standard of Good Password Hygiene
Regularly Back Up Your Data
Maintain an Up-to-Date Knowledge Base and Educate Yourself
Because the cybersecurity landscape is always shifting, staying vigilant and protecting your MacBook from new threats such as Geacon, a Go implementation of Cobalt Strike Beacon, is of the utmost importance.
You can improve the security of your MacBook and lessen the likelihood of falling prey to Geacon or other forms of malware by putting into practice the recommendations in this blog post. Some of these tips include keeping your operating system up to date, using extreme caution when downloading software, and adhering to strict password hygiene guidelines.
Remember that the most important things you can do to safeguard your digital life from the ever-evolving cybersecurity dangers are to take preventative steps and have a security-conscious mentality.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.