uTalk

Official forum for Utopia Community

You are not logged in.

#1 2023-05-16 17:17:45

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Hackers Target Apple macOS Systems with a Golang Version of Cobalt

Capture.png
Geacon, a Cobalt Strike implementation written in Golang, is likely to attract the attention of threat actors aiming to compromise Apple macOS systems.

SentinelOne's findings confirm this after it noticed an increase in the quantity of Geacon payloads that have been detected on VirusTotal lately.

According to a report by security researchers Phil Stokes and Dinesh Devadoss, some of these "are probably red-team operations, but others bear the characteristics of genuine malicious attacks.".

Fortra created Cobalt Strike, a well-known red teaming and adversary simulation tool. Due to their many capabilities, threat actors have long abused illegally cracked versions of the software.

While Cobalt Strike's post-exploitation activity has primarily targeted Windows, attacks against macOS are relatively infrequent.

A Cobalt Strike Beacon was dropped onto compromised Windows, macOS, and Linux hosts by a malicious Python package called "pymafka," according to information released by software supply chain company Sonatype in May 2022.

However, if Geacon artifacts start to appear in the wild, that might change. Since February 2020, GitHub has hosted Geacon, a Cobalt Strike variant written in Go.

Additional investigation into two fresh VirusTotal samples uploaded in April 2023 has linked them to two Geacon variants (geacon_plus and geacon_pro) created in late October by two unidentified Chinese developers, z3ratu1 and H4de5.

The geacon_pro project is no longer viewable on GitHub, but an Internet Archive snapshot taken on March 6, 2023 reveals its capacity to get past antivirus programs like Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.

"Cobalt Strike.".
According to H4de5, the creator of geacon_pro, the tool is primarily made to support CobaltStrike versions 4.1 and later, whereas geacon_plus supports CobaltStrike version 4.0. Version 4.8 of the program is currently available.

The Curriculum Vitae of Xu Yiqing is 20230320. One of the artifacts found by SentinelOne, app, uses a run-only AppleScript to connect to a remote server and download a Geacon payload. It works with both Intel and Apple silicon architectures.

The researchers noted that "the unsigned Geacon payload is retrieved from an IP address in China.". The user is shown a two-page decoy document that is embedded in the Geacon binary before it starts its beaconing activity. The resume for a person named "Xu Yiqing" is displayed in a PDF document that has been opened. '".

The Geacon binary, created by compiling the geacon_plus source code, includes a wide range of features that enable it to download next-stage payloads, exfiltrate data, and improve network communications.

According to the cybersecurity company, the second sample is contained within a trojanized app that poses as the SecureLink remote support app (SecureLink). app) that primarily targets Intel-based devices.

The basic, unsigned application asks users for their consent to access contacts, pictures, reminders, the camera, and microphone on the device. The Geacon payload from the geacon_pro project, which connects to a known command-and-control (C2) server in Japan, is the main element of the attack.

The development comes at a time when the macOS ecosystem is being targeted by a wide range of threat actors, including state-sponsored organizations, in order to introduce backdoors and data thieves.

The researchers stated that security teams "should be paying attention to this tool and making sure that they have protections in place" given the increase in Geacon samples over the past few months.

Offline

#2 2023-05-16 22:41:27

oba
Member
Registered: 2023-01-13
Posts: 1,869

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

The information shared here is totally serious but I wonder why would anyone develop something that could be used to get past antivirus programs like Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.

Offline

#3 2023-05-16 22:46:49

full
Member
Registered: 2023-01-06
Posts: 2,616

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

oba;8730 wrote:

The information shared here is totally serious but I wonder why would anyone develop something that could be used to get past antivirus programs like Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.

You will be surprised if I tell you that most of the people that developed the application that could be a threat are doing it for fun while some do it to show their supremacy in the technology space.

Offline

#4 2023-05-16 22:48:53

joanna
Member
Registered: 2023-01-10
Posts: 3,896

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

full;8732 wrote:
oba;8730 wrote:

The information shared here is totally serious but I wonder why would anyone develop something that could be used to get past antivirus programs like Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.

You will be surprised if I tell you that most of the people that developed the application that could be a threat are doing it for fun while some do it to show their supremacy in the technology space.

Meanwhile, we have a situation where some develop it based on their curiosity and I think it will be awesome if the antivirus program creator companies could hire them and make use of their knowledge to develop strong antivirus applications.

Offline

#5 2023-05-16 22:53:16

level
Member
Registered: 2023-01-19
Posts: 1,844

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

joanna;8733 wrote:
full;8732 wrote:
oba;8730 wrote:

The information shared here is totally serious but I wonder why would anyone develop something that could be used to get past antivirus programs like Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.

You will be surprised if I tell you that most of the people that developed the application that could be a threat are doing it for fun while some do it to show their supremacy in the technology space.

Meanwhile, we have a situation where some develop it based on their curiosity and I think it will be awesome if the antivirus program creator companies could hire them and make use of their knowledge to develop strong antivirus applications.

No matter the reason behind the creation of the application, the sad truth is that some bad actors will seize advantage of the application and use it for their own selfish gain. I hope the application is not made available to the public.

Offline

#6 2023-05-16 22:57:29

joanna
Member
Registered: 2023-01-10
Posts: 3,896

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

level;8735 wrote:
joanna;8733 wrote:
full;8732 wrote:

You will be surprised if I tell you that most of the people that developed the application that could be a threat are doing it for fun while some do it to show their supremacy in the technology space.

Meanwhile, we have a situation where some develop it based on their curiosity and I think it will be awesome if the antivirus program creator companies could hire them and make use of their knowledge to develop strong antivirus applications.

No matter the reason behind the creation of the application, the sad truth is that some bad actors will seize advantage of the application and use it for their own selfish gain. I hope the application is not made available to the public.

From what I read the application which is called the geacon_pro project is no longer available on GitHub. I believe it was already removed by the z3ratu1 and H4de5 which are the developer that create the application.

Offline

#7 2023-05-16 23:00:23

full
Member
Registered: 2023-01-06
Posts: 2,616

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

joanna;8737 wrote:
level;8735 wrote:
joanna;8733 wrote:

Meanwhile, we have a situation where some develop it based on their curiosity and I think it will be awesome if the antivirus program creator companies could hire them and make use of their knowledge to develop strong antivirus applications.

No matter the reason behind the creation of the application, the sad truth is that some bad actors will seize advantage of the application and use it for their own selfish gain. I hope the application is not made available to the public.

From what I read the application which is called the geacon_pro project is no longer available on GitHub. I believe it was already removed by the z3ratu1 and H4de5 which are the developer that create the application.

Yes, the geacon_pro project is no longer viewable on GitHub, but don't forget the application was said to be archived which I believe that version can't be taken down or removed from the internet.

Offline

#8 2023-05-16 23:02:48

level
Member
Registered: 2023-01-19
Posts: 1,844

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

full;8738 wrote:
joanna;8737 wrote:
level;8735 wrote:

No matter the reason behind the creation of the application, the sad truth is that some bad actors will seize advantage of the application and use it for their own selfish gain. I hope the application is not made available to the public.

From what I read the application which is called the geacon_pro project is no longer available on GitHub. I believe it was already removed by the z3ratu1 and H4de5 which are the developer that create the application.

Yes, the geacon_pro project is no longer viewable on GitHub, but don't forget the application was said to be archived which I believe that version can't be taken down or removed from the internet.

If that's the situation. The antivirus company hires the z3ratu1 and H4de5 developers to develop an upgrade antivirus that the Geacon pro can't be the right step.

Offline

#9 2023-05-17 19:16:24

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

level;8741 wrote:
full;8738 wrote:
joanna;8737 wrote:

From what I read the application which is called the geacon_pro project is no longer available on GitHub. I believe it was already removed by the z3ratu1 and H4de5 which are the developer that create the application.

Yes, the geacon_pro project is no longer viewable on GitHub, but don't forget the application was said to be archived which I believe that version can't be taken down or removed from the internet.

If that's the situation. The antivirus company hires the z3ratu1 and H4de5 developers to develop an upgrade antivirus that the Geacon pro can't be the right step.

I believe antivirus companies like Kaspersky have already done the needful by now because they are one of the antivirus companies that always work around the clock and do some upgrades to their service.

Offline

#10 2023-05-20 19:28:50

Comrade
Member
From: Utopia App Client
Registered: 2022-12-30
Posts: 2,385

Re: Hackers Target Apple macOS Systems with a Golang Version of Cobalt

thrive;8875 wrote:
level;8741 wrote:
full;8738 wrote:

Yes, the geacon_pro project is no longer viewable on GitHub, but don't forget the application was said to be archived which I believe that version can't be taken down or removed from the internet.

If that's the situation. The antivirus company hires the z3ratu1 and H4de5 developers to develop an upgrade antivirus that the Geacon pro can't be the right step.

I believe antivirus companies like Kaspersky have already done the needful by now because they are one of the antivirus companies that always work around the clock and do some upgrades to their service.

They are really modernizing and i really love the way the app help in eradicatong bugs n corrupted files in the system....

Offline

Board footer

Powered by FluxBB