CTI Notification: Unmasking Geacon: How Cybercriminals Target macOS Users

James Beal, Hunter Strategy
May 17, 2023

Breakdown

SentinelOne has released a blog post detailing the technical characteristics and the recent uptick in activity of Geacon, a Cobalt Strike beacon implementation written in Go. Geacon was first created four years ago, but last fall an anonymous Chinese developer using the handle “z3ratu1” created two new repositories, one public and one private, with the private repo (per SentinelOne) possibly also for sale. SentinelOne is now seeing this code show up in VirusTotal submissions, and the projects have been added to the public 404 Starlink project repository.

Overview

Cobalt Strike is a very well-known red team toolset used worldwide by security teams for penetration testing and red-team engagements. By its very nature, this activity looks exactly like an actual malicious attack. In this case, some uses of the new Geacon version are likely legitimate security-team engagements, but the uptick in activity points to a need to raise awareness of the software and of the targeting of macOS in particular. In the past, Cobalt Strike has primarily been used against Windows-based systems, and attacks against macOS machines are still rarely seen.

Recommendation

Security teams need to maintain a general awareness of new developments in attack-focused tooling. Defenders should read through the full research report published by SentinelOne to become familiar with the technical details. The indicators of compromise included in the report can be used by security teams to tune monitoring tools and for proactive threat hunting within their own corporate environments.

Conclusion

To our current SOC partnerships, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this ongoing event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net

Our Website

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.