Hackers have begun using a fork of the popular cybersecurity and penetration testing tool Cobalt Strike to launch attacks against Macs.
According to a blog post (opens in new tab) from the cybersecurity firm SentinelOne, hackers are now leveraging Geacon which is a Go-based implementation of Cobalt Strike to target Macs running both Intel and Apple’s own chips. This makes sense as hackers have been leveraging Cobalt Strike to launch attacks against Windows systems for years now.
First uploaded to GitHub four years ago, hackers didn’t pay much attention to Geacon at the time, says BleepingComputer (opens in new tab). However, when anonymous Chinese developers released two forks of the cybersecurity tool on the code-sharing site, it finally caught their attention.
If you use one of the best MacBooks or another Apple computer, you need to be extra careful when checking your inbox as attacks that use Geacon are currently being spread through malicious attachments.
Geacon payload disguised as a resume
So far, SentinelOne has discovered two cases of Geacon being deployed maliciously thanks to the site VirusTotal (opens in new tab), which is used to analyze suspicious files and websites for malware.
The first of which is an AppleScript applet file that at first glance, appears to be a resume belonging to a person named Xu Yiqing. It’s designed to confirm that it is running on a system running macOS before it downloads an unsigned ‘Geacon Plus’ payload from a command and control (C&C) server located in China.
SentinelOne notes in its report on the matter that this C&C server has previously been used in Cobalt Strike attacks targeting Windows PCs. The malicious Geacon payload downloaded in these attacks can encrypt and decrypt data as well as download additional payloads and exfiltrate data from a compromised Mac.
Meanwhile, the second payload is a trojanized version of the SecureLink app which is used for secure remote support. However, in this case, it has been renamed as Geacon Pro.
Once launched, the app requests access to a Mac’s camera, microphone, contacts, photos, reminders and even admin privileges. Although these are usually considered risky permissions to enable, the fact that this malicious app masquerades as SecureLink, which is made by Apple itself, means unsuspecting users are more likely to grant these invasive permissions.
With access to a Mac’s hardware and data, hackers can steal all kinds of information from victims and they can even take pictures and spy on them. This could be used for blackmail or even to commit identity theft.
How to stay safe from Mac malware
When it comes to staying safe from Mac malware, just like on Windows, you want to avoid opening attachments from unknown senders when they arrive in your inbox. While a file may seem harmless at first, there’s no telling if it’s actually hiding malware or, like in this case, may be communicating with a hacker-controlled C&C server.
Even though Macs do come with Apple’s own antivirus software in the form of XProtect and Gatekeeper, installing one of the best Mac antivirus software solutions on your Mac can provide extra protection against malware and other cyberattacks.
Now that hackers are using Geacon to target Macs, there will likely be other similar attacks leveraging this open-source security tool going forward. Hopefully, Apple bolsters macOS’ defenses to better protect against them.