Hackers have begun using a fork of the popular cybersecurity and penetration testing tool Cobalt Strike to launch attacks against Macs.
According to a blog post from the cybersecurity firm SentinelOne, hackers are now leveraging Geacon, a Go-based implementation of Cobalt Strike, to target Macs running both Intel and Apple silicon chips. This is not surprising, as hackers have been leveraging Cobalt Strike to launch attacks against Windows systems for years.
Geacon was first uploaded to GitHub four years ago, but hackers didn’t pay much attention to it at the time, says BleepingComputer. It finally caught their attention when anonymous Chinese developers released two forks of the tool on the code-sharing site.
If you use one of the best MacBooks or another Apple computer, you need to be extra careful when checking your inbox as attacks that use Geacon are currently being spread through malicious attachments.
Geacon payload disguised as a resume
So far, SentinelOne has discovered two cases of Geacon being deployed maliciously thanks to the site VirusTotal, which is used to analyze suspicious files and websites for malware.
The first is an AppleScript applet file that, at first glance, appears to be a resume belonging to a person named Xu Yiqing. It is designed to confirm that it is running on macOS before it downloads an unsigned ‘Geacon Plus’ payload from a command and control (C&C) server located in China.
SentinelOne notes in its report on the matter that this C&C server has previously been used in Cobalt Strike attacks targeting Windows PCs. The malicious Geacon payload downloaded in these attacks can encrypt and decrypt data as well as download additional payloads and exfiltrate data from a compromised Mac.
Meanwhile, the second payload is a trojanized version of the SecureLink app, which is used for secure remote support. In this case, however, it has been renamed Geacon Pro.
Once launched, the app requests access to a Mac’s camera, microphone, contacts, photos, reminders and even admin privileges. Although these are usually considered risky permissions to enable, the fact that this malicious app…