
In the constantly shifting world of modern cybersecurity, threat actors consistently create new methods and tools to penetrate and corrupt networks. Geacon is one such tool: an infamous implementation of the Cobalt Strike Beacon in the Go programming language.

The purpose of this blog article is to give a thorough understanding of Geacon, its consequences for MacBook users, and concrete methods for protecting your MacBook against such a sophisticated attack.

About Go-Lang

The Go language is an open-source high-level programming language developed by Google. Google designed Golang in a manner similar to the C language, leading to its nickname as the “C for the 21st century.” If you’re familiar with C, you won’t have much trouble learning Go, as it utilizes a syntax similar to C’s. Along with this shared syntax, it provides virtually everything that C does. The execution time for programs is the same for both languages, and they perform comparably in terms of efficiency. Go also offers similar hardware accessibility features as C. You might wonder, if all this is the same, why do we need Golang? The answer lies in Go’s extensive libraries. The wealth of libraries and a neat package management system make this language more efficient for writing complex programs.

What is Cobalt Strike Beacon?

Cobalt Strike is a legitimate commercial software used for penetration testing and red teaming exercises. It’s designed to simulate advanced persistent threat (APT) attacks on an organization’s network to test its defenses.

One of the main components of Cobalt Strike is the “Beacon,” a payload that allows the tester (or in malicious use cases, the attacker) to maintain persistent access to the compromised systems. The Beacon is a lightweight payload designed for long-term operations and stealth. It communicates back to the Cobalt Strike server, allowing the operator to control the infected machine.

Key features of the Beacon include:

  1. Command and Control: Beacon communicates with the Cobalt Strike server, receiving tasks and sending back results. It can communicate over various protocols, including HTTP, HTTPS, DNS, and more, and it’s designed to mimic legitimate traffic to evade detection.
  2. Stealth and Persistence: Beacon is designed to be stealthy and to maintain access over long periods. It has a low network footprint, and it can sleep and wake up at scheduled intervals to further avoid detection.
  3. Lateral Movement: A beacon can be used to move laterally across a network, infecting other machines and expanding the operator’s control.
  4. Task Execution: Beacon can execute tasks on the compromised machine, such as gathering system information, capturing keystrokes, taking screenshots, and more.

Cobalt Strike’s Beacon payload is written in Java. The server-side software that interacts with the Beacon is also predominantly written in Java. However, Beacon can execute payloads and scripts in various languages on compromised hosts, such as PowerShell, JavaScript, and shellcode, depending on the situation and the needs of the operator. The versatility of Cobalt Strike’s Beacon payload is one of the reasons why it is a popular choice for both legitimate penetration testing and malicious cyber attacks.
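
To make the sleep-and-check-in behaviour described above concrete from the defender's side, here is an added example (written for this article, not taken from Cobalt Strike, SentinelOne or the original post) that scores client/server pairs in a constructed proxy log by the regularity of their request intervals. The log format, the hosts and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): "<ISO time> <client> <server:port> <bytes>".
# 10.0.0.5 checks in to 198.51.100.7 roughly every 60 s with small jitter (Beacon-style sleep);
# 10.0.0.9 talks to 203.0.113.20 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2023-05-01T10:00:00 10.0.0.5 198.51.100.7:443 812
2023-05-01T10:00:12 10.0.0.9 203.0.113.20:443 20411
2023-05-01T10:01:03 10.0.0.5 198.51.100.7:443 812
2023-05-01T10:02:00 10.0.0.5 198.51.100.7:443 813
2023-05-01T10:02:41 10.0.0.9 203.0.113.20:443 5120
2023-05-01T10:03:05 10.0.0.5 198.51.100.7:443 812
2023-05-01T10:03:58 10.0.0.5 198.51.100.7:443 812
2023-05-01T10:04:10 10.0.0.9 203.0.113.20:443 77310
2023-05-01T10:05:02 10.0.0.5 198.51.100.7:443 812
2023-05-01T10:09:30 10.0.0.9 203.0.113.20:443 90233
2023-05-01T10:10:02 10.0.0.9 203.0.113.20:443 1811
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Group request timestamps by (client, server:port); lines that do not match are skipped."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m[2], m[3])].append(datetime.fromisoformat(m[1]))
    return sessions

def beacon_candidates(text, min_events=5, max_cv=0.15):
    """Flag pairs whose inter-request gaps are too regular for human browsing.
    cv = stdev/mean of the gaps; a fixed sleep plus small jitter keeps it low, browsing does not."""
    found = []
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            found.append({"client": pair[0], "server": pair[1], "events": len(times),
                          "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return found
```

A real deployment would read proxy or DNS logs over a longer window and tune `min_events` and `max_cv` per environment, since long sleeps with large jitter raise the cv and need more samples.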

Introduction to Geacon, A Go Implementation of Cobalt Strike Beacon

Geacon is a malicious Cobalt Strike Beacon payload developed in the Go programming language. It gives threat actors remote access to and control over the compromised system, enabling them to execute instructions, steal data, and carry out other malicious operations, just as the original Beacon does.

[Image: Geacon. Image Source: SentinelOne]

In recent weeks, security researchers at SentinelOne discovered two instances of the Geacon malware being used in targeted attacks on macOS systems. These were identified as Xu Yiqing’s Resume_20230320.app, SecureLink.app, and SecureLink_Client. Both apps were deftly camouflaged as legitimate software, making it exceedingly difficult to detect the presence of Geacon on the system.

Xu Yiqing’s Resume_20230320.app

An application known as Xu Yiqing’s Resume_20230320.app is a forgery that pretends to be the résumé of a nonexistent person. Geacon is stealthily deployed in the background when unwary users download and launch this program. This establishes a covert communication channel with the attacker’s command-and-control infrastructure. This grants the attacker total control over the MacBook, enabling them to engage in various harmful operations without fear of being discovered.

Following are some key points to keep in mind: 

  • Phishing emails and compromised websites are common vectors for distributing the malicious program known as Xu Yiqing’s Resume_20230320.app.
  • The user can be fooled into believing that the resume file is genuine since it contains a well-prepared profile of the made-up person to get them to download and open the file.
  • Geacon is covertly installed on the user’s computer without their knowledge or consent, disguising itself as part of the application being used.
  • During installation, Geacon establishes a persistent connection to the attacker’s command-and-control infrastructure, which allows the attacker to keep control of the infected MacBook.
  • After gaining access to the compromised system, the attacker can carry out a wide variety of harmful operations, such as the theft of sensitive data, the distribution of more malware, or the performance of network surveillance on the victim’s system.

SecureLink.app and SecureLink_Client

Geacon has also been observed being distributed through SecureLink.app and SecureLink_Client, as well as through other programs. Users are tricked into installing them by the pretence that they are secure file transfer utilities. Once installed, the app deploys Geacon, letting the attacker take remote control of the infected MacBook and run whatever instructions they choose.

Some important points about SecureLink.app and SecureLink_Client are as follows: 

  • Both SecureLink.app and SecureLink_Client deceive users into believing they are real file transfer programs, capitalizing on their faith in safe information exchange.
  • These programs frequently replicate the style and operation of legitimate file transfer utilities, giving the impression that they are trustworthy and professional.
  • Users might be led astray into downloading and installing SecureLink.app and SecureLink_Client under the false impression that they are performing the essential steps to ensure the safety of their file transfers.
  • Geacon, once installed, establishes a covert deployment within the apps and a backdoor link to the command and control infrastructure of the attacker.
  • The malicious actor takes remote control of the infected MacBook, allowing them to carry out arbitrary operations, steal data, and move throughout the network laterally.

 


Indicators of Compromise


Observed Geacon C2s

  • 47.92.123.17
  • 13.230.229.15

Bundle Identifiers

  • com.apple.ScriptEditor.id.1223
  • com.apple.automator.makabaka

Suspicious File Paths

  • ~/runoob.log
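
As an added example (not from the original post or SentinelOne), the following Python triage script checks a macOS host for the indicators listed above: the two bundle identifiers in any .app bundle’s Info.plist, the ~/runoob.log drop path, and connections to the two C2 addresses. The directory layout, the `lsof`-style `ip:port` connection strings and the sample data built in `run_demo()` are constructed assumptions.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators copied from this page's IoC section (SentinelOne findings).
GEACON_BUNDLE_IDS = {"com.apple.ScriptEditor.id.1223", "com.apple.automator.makabaka"}
GEACON_C2_IPS = {"47.92.123.17", "13.230.229.15"}
GEACON_DROP_FILE = "runoob.log"  # observed as ~/runoob.log

def scan_app_bundles(root):
    """Return [(bundle path, CFBundleIdentifier)] for .app bundles using a Geacon bundle id."""
    hits = []
    for plist in Path(root).rglob("*.app/Contents/Info.plist"):
        try:
            with open(plist, "rb") as fh:
                info = plistlib.load(fh)
        except Exception:
            continue  # malformed plist: worth logging, but not an indicator by itself
        bid = info.get("CFBundleIdentifier")
        if bid in GEACON_BUNDLE_IDS:
            hits.append((str(plist.parents[1]), bid))
    return hits

def check_drop_file(home):
    """Return the path of <home>/runoob.log if it exists, else None."""
    path = Path(home, GEACON_DROP_FILE)
    return str(path) if path.exists() else None

def match_c2_connections(remote_addrs):
    """remote_addrs: 'ip:port' strings (as shown by `lsof -i -nP`); return those hitting a known C2."""
    return sorted(a for a in remote_addrs if a.rsplit(":", 1)[0] in GEACON_C2_IPS)

def triage(root, home, remote_addrs):
    return {"bundles": scan_app_bundles(root),
            "drop_file": check_drop_file(home),
            "c2": match_c2_connections(remote_addrs)}

def run_demo():
    """Constructed sample: a benign app, an app carrying a Geacon bundle id, and the drop file."""
    base = Path(tempfile.mkdtemp())
    for app, bid in (("Notes.app", "com.example.notes"), ("SecureLink.app", "com.apple.automator.makabaka")):
        contents = base / "Applications" / app / "Contents"
        contents.mkdir(parents=True)
        with open(contents / "Info.plist", "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bid, "CFBundleName": app[:-4]}, fh)
    Path(base, "home").mkdir()
    Path(base, "home", GEACON_DROP_FILE).write_text("")
    # Constructed connections: one benign address (RFC 5737 test range) plus both C2 IPs.
    return triage(str(base / "Applications"), str(base / "home"),
                  ["192.0.2.10:443", "47.92.123.17:443", "13.230.229.15:8080"])
```

On a real Mac you would call `triage("/Applications", Path.home(), ...)` and also scan `~/Applications` and `~/Downloads`, since the lure apps were delivered as downloads rather than installed system-wide.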

Tips to Protect Your MacBook from Geacon:

There is no special procedure to protect your MacBook from Geacon. Instead, follow these helpful tips to protect your MacBook from Geacon:

  • Block the IOCs on all security devices
  • Keep Your Operating System and Applications Up-to-Date
  • Exercise Caution when Downloading and Installing Software
  • Enable Automatic Updates and Security Features
  • Use a Trustworthy Antivirus and Antimalware Solution
  • Exercise Caution with Email Attachments and Downloads
  • Maintain a High Standard of Good Password Hygiene
  • Regularly Back Up Your Data
  • Maintain an Up-to-Date Knowledge Base and Educate Yourself

Conclusion

Maintaining vigilance and protecting your MacBook from new dangers such as Geacon, a Go implementation of Cobalt Strike Beacon, is of the utmost importance. This is because the landscape of cybersecurity is always shifting. 

You can improve the security of your MacBook and lessen the likelihood of falling prey to Geacon or other forms of malware by putting into practice the recommendations in this blog post. Some of these tips include keeping your operating system up to date, using extreme caution when downloading software, and adhering to strict password hygiene guidelines. 

Remember that the most important things you can do to safeguard your digital life from the ever-evolving cybersecurity dangers are to take preventative steps and have a security-conscious mentality.
