Geacon Malware Targets Macs

Geacon emerged on GitHub about four years ago as an implementation of the Cobalt Strike Beacon agent written in the Go programming language. Although it had been widely forked, SentinelOne had not observed it deployed against macOS targets until recently.

Our analysis of the payloads found on VirusTotal indicates a shift in popularity towards two Geacon forks developed by an anonymous Chinese developer who goes by the handle "z3ratu1." In a blog post from late October 2022, z3ratu1 mentioned stumbling upon the Geacon project during a shopping trip, sparking interest in its development guide. Soon after, the first Mach-O Geacon payload was submitted to VirusTotal on November 10 of the same year.

By April of this year, z3ratu1's public projects, geacon_plus and geacon_pro (the latter possibly offered for sale), had garnered nearly 1,000 stars. Both projects were added to the 404 Starlink project, a public repository of open source red-team and penetration-testing tools maintained by the Zhizhi Chuangyu Laboratory. During that same month, two distinct Geacon payloads were submitted to VirusTotal, one of which showed signs of a genuinely malicious campaign.

Geacon Spread Using Two Separate Versions

Geacon exists in two versions: one compiled only for Intel-based Macs, and another that also runs natively on Apple silicon. The malware runs on macOS versions from OS X 10.9 Mavericks up to the latest releases.
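The Intel-only versus Apple-silicon distinction above is something a triage analyst checks by reading the Mach-O header: a universal ("fat") binary carries one slice per CPU type, a thin binary carries one header with a single CPU type. The following parser is an added example for this article, not code from SentinelOne, Cyclonis or the Geacon project; the sample headers it inspects are constructed in the script and are not real Geacon payloads. On a Mac, `file` or `lipo -archs` answers the same question; this version works offline on any platform and shows what those tools actually read.

```python
import struct

# Mach-O magic values as defined in <mach-o/loader.h> and <mach-o/fat.h>.
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary, header is always big-endian
FAT_MAGIC_64 = 0xCAFEBABF   # 64-bit fat header variant (32-byte fat_arch entries)
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O, read in file byte order
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O
MH_CIGAM_64 = 0xCFFAEDFE    # what a big-endian read sees for a little-endian 64-bit file
MH_CIGAM = 0xCEFAEDFE       # same for a 32-bit file

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {0x00000007: "i386", CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def mach_o_architectures(data):
    """Return the CPU architecture names declared by a thin or fat Mach-O header."""
    if len(data) < 8:
        return []
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        # fat_header: magic, nfat_arch; then nfat_arch fat_arch entries, all big-endian.
        nfat = struct.unpack(">I", data[4:8])[0]
        entry_size = 32 if magic == FAT_MAGIC_64 else 20
        archs = []
        for i in range(nfat):
            off = 8 + i * entry_size
            if off + 4 > len(data):
                break  # truncated header: report only the slices we can see
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if magic in (MH_CIGAM_64, MH_CIGAM):
        # Thin Mach-O produced on a little-endian host (every modern Mac): cputype is little-endian.
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        cputype = struct.unpack(">I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []


def classify(data):
    """Summarise which Macs a binary can run on natively."""
    archs = mach_o_architectures(data)
    if not archs:
        return "not a Mach-O"
    has_intel = "x86_64" in archs or "i386" in archs
    has_arm = "arm64" in archs
    if has_intel and has_arm:
        return "universal (Intel + Apple silicon)"
    if has_arm:
        return "Apple silicon only"
    if has_intel:
        return "Intel only"
    return "other: " + ", ".join(archs)


# --- constructed sample headers for demonstration; these are not real malware samples ---
def _fat_header(cputypes):
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for ct in cputypes:
        # fat_arch: cputype, cpusubtype, offset, size, align (offsets/sizes zeroed here)
        hdr += struct.pack(">IIIII", ct, 0, 0, 0, 0)
    return hdr


def _thin_header_64(cputype):
    # mach_header_64: magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


SAMPLE_UNIVERSAL = _fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
SAMPLE_INTEL_ONLY = _thin_header_64(CPU_TYPE_X86_64)

if __name__ == "__main__":
    import sys
    # Usage: python machoarch.py <file> ... ; only the first 4 KiB are needed for the header.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "->", classify(f.read(4096)))
```

A fat header lists every slice, so a universal file shows both names; a thin file is identified from its single `cputype` field. Reading only the header is deliberate: the architecture check is a triage step that should not require loading or executing anything.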

Geacon offers the usual beacon capabilities: command-and-control communication and command execution, reconnaissance, data theft, and downloading and installing additional malicious programs or components. To operate fully, the malware needs the user to grant it administrator privileges.

Furthermore, Geacon requests access to the device's camera and microphone, and to data such as images, photos, and contacts. Control over these features carries the risk of covert video or audio recording, which could later be exploited for purposes such as blackmail.
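Camera, microphone, contacts and photo access on macOS are all mediated by TCC (Transparency, Consent, and Control), and every grant the user clicks through is recorded in a SQLite database. A defender can therefore audit which programs currently hold those permissions. The script below is an added example written for this article, not code from the original page or any of the projects it names. It queries a constructed in-memory copy of the TCC `access` table (a minimal subset of the real schema) so it runs anywhere; `open_readonly()` points at the real system database, which needs root and Full Disk Access to read. The meaning of `auth_value` 2 as "allowed" is stated as an assumption for recent macOS and should be checked against the version being audited.

```python
import sqlite3

# System-wide TCC database on macOS; the per-user copy lives under
# ~/Library/Application Support/com.apple.TCC/. Reading either needs
# root and Full Disk Access for the reading process on current macOS.
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# TCC service identifiers for the data classes discussed in the article.
SENSITIVE_SERVICES = {
    "kTCCServiceCamera": "camera",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceAddressBook": "contacts",
    "kTCCServicePhotos": "photos",
}
# Assumption: on recent macOS auth_value 2 means "allowed" and 0 means "denied".
AUTH_ALLOWED = 2


def sensitive_grants(conn, allowlist):
    """Return sorted (client, data_class) pairs for allowed grants to clients not on the allowlist."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    rows = conn.execute(
        f"SELECT client, service, auth_value FROM access WHERE service IN ({placeholders})",
        tuple(SENSITIVE_SERVICES),
    ).fetchall()
    findings = []
    for client, service, auth_value in rows:
        if auth_value == AUTH_ALLOWED and client not in allowlist:
            findings.append((client, SENSITIVE_SERVICES[service]))
    return sorted(findings)


def open_readonly(path=SYSTEM_TCC_DB):
    """Open the real TCC database without taking a write lock on it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def constructed_tcc_db():
    """In-memory stand-in for TCC.db with a minimal subset of the real 'access' columns (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    # client_type 0 = bundle identifier, 1 = absolute path to an executable.
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.videoconf", 0, 2),                  # expected app, allowlisted
        ("kTCCServiceMicrophone", "com.example.videoconf", 0, 2),
        ("kTCCServiceCamera", "/Users/alice/Library/.cache/helper", 1, 2),     # bare binary in a hidden dir
        ("kTCCServiceMicrophone", "/Users/alice/Library/.cache/helper", 1, 2),
        ("kTCCServiceAddressBook", "/Users/alice/Library/.cache/helper", 1, 2),
        ("kTCCServicePhotos", "com.example.editor", 0, 0),                     # denied, must not be reported
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Swap constructed_tcc_db() for open_readonly() to audit a real machine.
    conn = constructed_tcc_db()
    for client, data_class in sensitive_grants(conn, {"com.example.videoconf"}):
        print(f"{client}: {data_class}")
```

The allowlist is the set of bundle identifiers the organisation expects to hold these permissions; anything else with an allowed grant, and in particular a `client_type` 1 entry pointing at a bare executable rather than a signed app bundle, is worth a closer look. Denied rows are skipped so the report lists only live access.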

How Has the Mac Malware Landscape Changed in Recent Years?

In recent years, there has been a noticeable surge in the frequency of malware attacks targeting Mac devices. Historically known for their robust security and lower susceptibility to viruses, Mac computers have enjoyed a reputation for being relatively safe from malicious software.

However, as Macs have grown in popularity, cybercriminals have recognized the potential for profit and have shifted their focus towards exploiting weaknesses in Apple's ecosystem. The result is a steady increase in attacks, ranging from adware and ransomware to phishing campaigns tailored specifically to Mac users.

As a result, Mac users now face a heightened need for vigilance and proactive security measures to safeguard their devices and personal data from these evolving threats.

May 17, 2023
