The increase in attacks on Apple's OS, while not completely unusual, is not the norm. Attackers prefer to target Windows systems for a variety of reasons, including its much larger footprint, more vulnerabilities in the core OS, and the increased exposure that comes with every application installed on it. That being said, the threat landscape is changing, slowly but significantly. Linux and macOS systems are being targeted with increasing regularity, and multi-platform loaders are being discovered in darker places on the internet as well as in the wild.
Geacon is not a new concept or code base. It has been around since early 2020 and can be found on GitHub for those who are interested. What is concerning is that new variants showed up in April of 2023 tied to what appear to be Chinese developers. These variants can, in theory, get around antimalware software on macOS, including Microsoft Defender and Kaspersky. The two versions, geacon_plus and geacon_pro, support Cobalt Strike versions 4.1 and up, and 4.0, respectively.
The two newly identified variants use similar methods of intrusion with slightly different moving parts. One is what appears to be a résumé (PDF) that actually contains an unsigned, run-only AppleScript. This script reaches out to a server hosting the Geacon beacon, and it works on both Apple silicon and Intel hardware. The second seems geared towards Intel devices and uses a fake remote support app to gain access. It asks the targeted user to grant permissions to contacts, photos, reminders, camera, and mic on the device; this is in addition to the installation of the Geacon beacon.
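Both delivery paths leave a trace a defender can check for: the fake remote support app produces a burst of TCC grants (contacts, photos, reminders, camera, microphone) to one client in a short window, and the run-only applet posing as a PDF shows up as a path-type TCC client with a doubled extension sitting in a user-writable folder. The script below is an added example, not code from the original post or from the Geacon project. It builds an in-memory SQLite stand-in for the user TCC database; the column layout (`service`, `client`, `client_type`, `auth_value`, `last_modified`) and the meaning of `auth_value = 2` are assumptions drawn from the publicly documented TCC.db schema and should be verified against the macOS version being examined. All bundle identifiers, paths and timestamps are constructed sample data.

```python
"""Triage of TCC grants for the two Geacon delivery patterns (added example)."""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# TCC service names for the permissions the fake remote support app requests.
SENSITIVE_SERVICES = {
    "kTCCServiceAddressBook": "contacts",
    "kTCCServicePhotos": "photos",
    "kTCCServiceReminders": "reminders",
    "kTCCServiceCamera": "camera",
    "kTCCServiceMicrophone": "microphone",
}
AUTH_ALLOWED = 2        # auth_value meaning "allowed" (assumption about TCC.db)
CLIENT_TYPE_BUNDLE = 0  # client column holds a bundle identifier
CLIENT_TYPE_PATH = 1    # client column holds an absolute path (e.g. an applet)

# An AppleScript applet masquerading as a document, e.g. "Resume.pdf.app".
DOC_MASQUERADE = re.compile(r"\.(pdf|docx?|xlsx?|pages)\.app(/|$)", re.IGNORECASE)
# Locations an ordinary user can write to; legitimate apps rarely live here.
USER_WRITABLE = re.compile(
    r"^(/Users/[^/]+/(Downloads|Desktop|Documents)|/tmp|/private/tmp|/Volumes)/"
)


def build_sample_tcc_db() -> sqlite3.Connection:
    """Constructed stand-in for ~/Library/Application Support/com.apple.TCC/TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, last_modified INTEGER)"
    )
    now = int(datetime(2023, 4, 20, tzinfo=timezone.utc).timestamp())
    rows = [
        # Long-standing grants to a known conferencing app: benign baseline.
        ("kTCCServiceCamera", "us.zoom.xos", CLIENT_TYPE_BUNDLE, AUTH_ALLOWED, now - 90 * 86400),
        ("kTCCServiceMicrophone", "us.zoom.xos", CLIENT_TYPE_BUNDLE, AUTH_ALLOWED, now - 90 * 86400),
        # Fake remote support app granted every sensitive service within 40 s (constructed).
        ("kTCCServiceAddressBook", "com.example.remotesupport", CLIENT_TYPE_BUNDLE, AUTH_ALLOWED, now - 120),
        ("kTCCServicePhotos", "com.example.remotesupport", CLIENT_TYPE_BUNDLE, AUTH_ALLOWED, now - 110),
        ("kTCCServiceReminders", "com.example.remotesupport", CLIENT_TYPE_BUNDLE, AUTH_ALLOWED, now - 100),
        ("kTCCServiceCamera", "com.example.remotesupport", CLIENT_TYPE_BUNDLE, AUTH_ALLOWED, now - 90),
        ("kTCCServiceMicrophone", "com.example.remotesupport", CLIENT_TYPE_BUNDLE, AUTH_ALLOWED, now - 80),
        # Run-only applet posing as a PDF résumé, launched from Downloads (constructed).
        ("kTCCServiceAddressBook", "/Users/alice/Downloads/Resume.pdf.app", CLIENT_TYPE_PATH, AUTH_ALLOWED, now - 30),
        # A denied request is not a grant and must not be flagged.
        ("kTCCServiceCamera", "com.example.denied", CLIENT_TYPE_BUNDLE, 0, now - 10),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", rows)
    return conn


def audit_tcc_grants(conn, burst_window=timedelta(minutes=5), burst_min=3):
    """Return findings over the `access` table: grant bursts and suspicious path clients."""
    cur = conn.execute(
        "SELECT service, client, client_type, last_modified FROM access "
        "WHERE auth_value = ? ORDER BY client, last_modified",
        (AUTH_ALLOWED,),
    )
    grants = {}  # client -> [(service, client_type, timestamp), ...]
    for service, client, ctype, ts in cur:
        if service in SENSITIVE_SERVICES:
            grants.setdefault(client, []).append((service, ctype, ts))

    findings = []
    for client, entries in grants.items():
        entries.sort(key=lambda e: e[2])
        services = [SENSITIVE_SERVICES[s] for s, _, _ in entries]
        # Pattern 1: several sensitive services granted to one client inside burst_window.
        for i in range(len(entries)):
            j = i
            while j + 1 < len(entries) and entries[j + 1][2] - entries[i][2] <= burst_window.total_seconds():
                j += 1
            if j - i + 1 >= burst_min:
                findings.append({"client": client, "reason": "burst_grant", "services": services[i:j + 1]})
                break
        # Pattern 2: path-type client that looks like a document or lives in a user-writable folder.
        if entries[0][1] == CLIENT_TYPE_PATH:
            if DOC_MASQUERADE.search(client):
                findings.append({"client": client, "reason": "document_masquerade", "services": services})
            if USER_WRITABLE.match(client):
                findings.append({"client": client, "reason": "user_writable_path", "services": services})
    return findings


if __name__ == "__main__":
    for finding in audit_tcc_grants(build_sample_tcc_db()):
        print(f"{finding['reason']:20} {finding['client']}  services={finding['services']}")
```

On a real Mac the per-user TCC.db is protected by SIP, so a collector needs Full Disk Access to read it; pointing `sqlite3.connect` at the copied database instead of `build_sample_tcc_db()` is the only change the audit function needs. The burst threshold is deliberately a parameter: a freshly installed conferencing client can legitimately ask for camera and microphone back to back, so two grants are tolerated while five in forty seconds are not.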
Both variants are dangerous and appear to be part of a ramp-up in the targeting of systems outside the Windows family. This increase has been seen across the board and comes from nation-state and general cyber crime groups alike. Apple's macOS has never been malware resistant, just as Linux hasn't. These two operating systems have, for the most part, been spared heavy targeting by threat actors simply because the payoff was not as great as targeting Windows systems. All of that is changing now, and organizations with a macOS footprint should be aware of this and take the proper steps to ensure they can detect and prevent new efforts targeting this once ignored ecosystem.