
Geacon Mac Malware

According to cybersecurity researchers, the Geacon Malware is an implementation of the Cobalt Strike beacon written in the Go programming language. The threat has emerged as a potent tool for targeting macOS devices. While Geacon and Cobalt Strike were originally designed as legitimate utilities used by organizations to test their network security through simulated attacks, malicious actors have increasingly abused them for a variety of harmful activities.

For years, threat actors have taken advantage of Cobalt Strike to compromise Windows systems, and the cybersecurity industry has had to combat this persistent threat continually. The recent rise in the use of Geacon, however, highlights the expanding scope of attacks targeting macOS devices and signals the need for heightened vigilance and proactive measures against the evolving tactics of threat actors leveraging these tools. Details about the Geacon Malware and its harmful capabilities were released in a report by the researchers who have been monitoring the threat's activity.

Two Variants of the Geacon Malware Observed in the Wild

The first file associated with Geacon is an AppleScript applet named 'Xu Yiqing's'. Its purpose is to verify that it is indeed running on a macOS system. Once this has been confirmed, the file proceeds to retrieve an unsigned payload known as 'Geacon Plus' from the attackers' Command-and-Control (C2) server, which has an IP address originating from China.

The specific C2 address ( has been previously linked to Cobalt Strike attacks targeting Windows machines. This association suggests a potential connection or similarity between the infrastructure of the observed attack and previous instances of Cobalt Strike activity.

Prior to initiating its 'beaconing activity,' the payload employs a deceptive tactic to mislead victims by displaying a decoy PDF file. The displayed document masquerades as a resume belonging to an individual named Xu Yiqing, aiming to divert the victim's attention from the threatening actions that the malware is performing in the background.

This specific Geacon payload possesses a range of capabilities, including supporting network communications, performing data encryption and decryption functions, enabling the download of additional payloads, and facilitating the exfiltration of data from the compromised system.

The Geacon Malware Hiding Inside Trojanized Application

The second Geacon Malware payload is deployed through and SecureLink_Client, modified versions of the legitimate SecureLink application used for secure remote support. However, this trojanized version includes a copy of the 'Geacon Pro' malware. This particular payload specifically targets Intel-based Mac systems running OS X 10.9 (Mavericks) or later versions.

Upon launching the application, it requests various permissions, including access to the computer's camera, microphone, contacts, photos, reminders and even administrator privileges. These permissions are typically protected by Apple's Transparency, Consent, and Control (TCC) privacy framework and granting them poses significant risks.

However, despite the high level of risk associated with these permissions, they are not that unusual for the type of application that the Geacon Malware is masquerading as, easing the user's suspicions and tricking them into granting the requested permissions. According to the available information, this Geacon Malware variant communicates with a C2 server located in Japan, with the IP address
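The permission-request behaviour described above leaves a trace that defenders can review: every grant a user approves is recorded in the TCC database. The following script is an added example, not code from the researchers' report or from the malware; it builds a constructed, simplified copy of the TCC `access` table in memory and flags any client that holds an unusually broad set of the sensitive grants the page mentions (camera, microphone, contacts, photos, reminders). The `kTCCService*` identifiers and the `auth_value` meaning (2 = allowed) are the ones macOS uses, the `audit_tcc_db()` path handling assumes the standard user and system TCC.db locations, and the bundle identifiers in the sample rows are constructed placeholders.

```python
import sqlite3

# TCC service identifiers used by macOS, mapped to the labels the page uses.
SENSITIVE_SERVICES = {
    "kTCCServiceCamera": "camera",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceAddressBook": "contacts",
    "kTCCServicePhotos": "photos",
    "kTCCServiceReminders": "reminders",
}

# In TCC's access table auth_value 2 means the grant was allowed.
AUTH_ALLOWED = 2

# Standard TCC.db locations; reading them needs Full Disk Access or root.
USER_TCC_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# Constructed sample rows: (service, client, client_type, auth_value).
# The bundle identifiers are placeholders, not real applications.
SAMPLE_ROWS = [
    ("kTCCServiceCamera", "com.example.remote-support", 0, 2),
    ("kTCCServiceMicrophone", "com.example.remote-support", 0, 2),
    ("kTCCServiceAddressBook", "com.example.remote-support", 0, 2),
    ("kTCCServicePhotos", "com.example.remote-support", 0, 2),
    ("kTCCServiceReminders", "com.example.remote-support", 0, 2),
    ("kTCCServiceCamera", "com.example.videochat", 0, 2),
    ("kTCCServiceMicrophone", "com.example.videochat", 0, 2),
    ("kTCCServicePhotos", "com.example.editor", 0, 0),      # denied grant
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, 2),  # not in scope
]


def load_sample_db():
    """Build an in-memory database with a simplified TCC 'access' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def granted_sensitive_services(conn):
    """Return {client: sorted list of sensitive service labels it was allowed}."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    rows = conn.execute(
        f"SELECT client, service FROM access "
        f"WHERE auth_value = ? AND service IN ({placeholders})",
        (AUTH_ALLOWED, *SENSITIVE_SERVICES),
    ).fetchall()
    grants = {}
    for client, service in rows:
        grants.setdefault(client, set()).add(SENSITIVE_SERVICES[service])
    return {client: sorted(labels) for client, labels in grants.items()}


def flag_broad_grants(conn, threshold=3):
    """Clients allowed at least `threshold` sensitive services, most grants first."""
    grants = granted_sensitive_services(conn)
    flagged = [(c, labels) for c, labels in grants.items() if len(labels) >= threshold]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


def audit_tcc_db(path, threshold=3):
    """Open a real TCC.db read-only and apply the same heuristic to it."""
    import os
    uri = f"file:{os.path.expanduser(path)}?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        return flag_broad_grants(conn, threshold)
    finally:
        conn.close()


if __name__ == "__main__":
    for client, labels in flag_broad_grants(load_sample_db()):
        print(f"{client}: {', '.join(labels)}")
```

On a real system, call `audit_tcc_db(USER_TCC_DB)` and `audit_tcc_db(SYSTEM_TCC_DB)`; a broad set of grants is not proof of compromise (legitimate remote-support tools also request them, which is exactly what the page says makes this lure effective), so treat a hit as a prompt to verify the client's code signature and origin rather than as a verdict.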

In recent years, there has been a noticeable increase in malware attacks targeting Mac devices. This rise can be attributed to the growing popularity of Mac computers and the misconception that they are immune to malware. Cybercriminals have recognized the potential value in targeting Mac users, leading to the development and deployment of more sophisticated and targeted malware specifically designed for macOS systems. Naturally, this necessitates increased vigilance from Mac users and the implementation of sufficient security measures to protect their devices from malware infections.
