CTI Roundup: Hackers target macOS systems with Cobalt Strike

This week we look at a Sentinel One report which reveals a recent uptick in the number of Geacon payloads being submitted to the VirusTotal malware scanning platform. Next up is an overview of a Proofpoint report on Microsoft’s decision last year to disable macros by default in documents originating from the internet, and its impact on the cyber threat landscape. Finally, CTI looks at a new report from Check Point about how cybercriminals are targeting the Microsoft VSCode Marketplace. Three malicious Visual Studio extensions have reportedly been uploaded to the Marketplace which, at time of publication, had been downloaded 46,600 times by Windows developers.

1. Hackers use Golang variant of Cobalt Strike to target macOS systems

SentinelOne has observed an increase in the number of Geacon payloads appearing on VirusTotal in recent months.

Organizations commonly use Geacon — a Golang implementation of Cobalt Strike — along with Cobalt Strike for red team engagements. As it turns out, threat actors are also using Geacon during attacks.

Here is some background information on Geacon:

• Geacon first appeared several years ago on GitHub as a Go variant of Cobalt Strike Beacon. Although it has been around for some time, SentinelOne had not observed it being deployed on macOS targets until recently.
• SentinelOne analyzed the Geacon payloads on VirusTotal and noticed what appears to be an upward shift in popularity of two Geacon forks developed by an anonymous Chinese developer.
• The developer behind Geacon uses the handle z3ratu1 and noted in late October 2022 that, “one day I just went shopping and saw this project geacon, so this toy project and its development guide appeared.” The first Geacon payload was submitted to VirusTotal shortly after the developer’s post.
• By April 2023, the public geacon_plus and the private (and potentially for sale?) geacon_pro projects (both developed by the same individual) had earned close to 1,000 stars. The projects were also added to the 404 Starlink project, which is a public repository of open-source red team and penetration testing tools. During this same time, two different Geacon payloads were submitted to VirusTotal that triggered SentinelOne’s investigation.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“While it’s likely that some of SentinelOne’s observations are part of legitimate red team/penetration testing use, it’s also just as likely that threat actors are also making use of this tool as part of malicious attacks.’

“We’ve seen just how popular Cobalt Strike is among cyber threat actors, and the observed uptick in Geacon samples being uploaded to VirusTotal certainly makes one wonder if Geacon will become the next tool of choice for threat actors.”

2. Cybercriminals adapt to Microsoft’s macro-blocking feature

Proofpoint reports that Microsoft’s February 2022 decision to disable macros by default in documents originating from the internet has forced cybercriminals to develop vastly different attack chains.

Microsoft announced it would begin blocking XL4 and VBA macros by default for Office users in October 2021 and February 2022 respectively. The changes began rolling out in 2022.

The introductory paragraph of Proofpoint’s report does a good job of explaining just how impactful Microsoft’s decision to block macros by default has been:

“The cybercriminal ecosystem has experienced a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers. Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques.”

The software giant’s move forced virtually every node of the cyber threat actor food chain — from small-crime commodity actors to the most experienced cybercriminals — to drastically change the way they conduct business.

Key findings from the report

Thanks to Proofpoint’s vantage point into its telemetry and its ability to analyze billions of messages daily, the vendor is uniquely positioned to extract some significant findings about the cyber threat landscape.

Among those findings:

• Major cybercrime actors now use increasingly diverse sets of tactics, techniques, and procedures.
• Initial access brokers and other threat actors often “follow the leader” in using various techniques.
• Defenders must rapidly respond to the ever-changing threat landscape in a way previously unobserved by researchers.
• Some major cybercriminal actors have the resources available to research and develop new, complicated attack chains.

The shift begins

Prior to 2022, macros were the weapon of choice for cybercriminals seeking to weaponize lure documents with malicious scripts designed to facilitate the download of initial-access malware payloads onto targeted systems during email phishing campaigns.

From Proofpoint:

VBA macros are used by threat actors to automatically run malicious content when a user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application but can also be weaponized by threat actors. Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.

In the time since Microsoft implemented the macros-blocking policy, Proofpoint’s reporting has continuously highlighted the various new ways in which threat actors had begun to shift away from the use of macros.

Such techniques included:

• The use of archive files, such as ISO attachments, to deliver malware. This technique was leveraged by cybercriminals seeking to bypass Microsoft’s check for files’ mark-of-the-web (MOTW) attributes, which the software giant used to block macros in documents downloaded from the internet.
• The use of shortcut or LNK files were also favored — at least initially — as a technique by a wide range of cybercriminals. This tactic was especially popular among various actors classified as IABs. From Proofpoint:

“Proofpoint observed LNK attachments used by at least eight large ecrime threat actors considered IABs, with their use peaking in June and September 2022 before the actors began pivoting to new TTPs.”

• XLL files — a type of dynamic link library (DLL) file for Excel designed to increase the application’s functionality — also began to see use among large ecrime actors. Eventually, Proofpoint “observed at least six large ecrime actors experiment with XLL files in malware delivery, and multiple unattributed threat clusters, but XLL files are used significantly less than other filetypes and have not experienced a notable uptick in use across the threat landscape.”
• HTML smuggling has also increased significantly among Proofpoint’s observed campaign data since 2022. Just as the name suggests, this strategy involves “smuggling” an encoded script within a seemingly harmless HTML attachment. When opened, the users’ web browser decodes the malicious script intended to assemble the malware payload on the victims’ computer.
• The use of PDF files by various threat actors has been a popular technique since Proofpoint first started tracking threat actors. After Microsoft’s implementation of the macros-blocking policy, Proofpoint’s researchers observed PDF attachments increasingly used by multiple tracked threat actors and known IABs.

Rise of the IABs

Perhaps one of the most significant changes to take place in recent years — and one certainly impacted by Microsoft’s policy — is the increased reliance upon initial access brokers (IABs) by major cybercriminals, ransomware gangs, and other malware operations.

It is common for threat actors to buy access from independent groups of cybercriminals who specialize in the infiltration of high-value targets and sell valuable access to ransomware or other extortionists for a profit.

From Proofpoint:

Typically, IABs are opportunistic threat actors supplying access to affiliates and other cybercrime threat actors after the fact, for example by advertising access for sale on forums. For the purposes of this report, Proofpoint considers IABs to be the groups who obtain initial access via first-stage malware payloads and may or may not work directly with ransomware threat actors. These criminal threat actors compromise victim organizations with first-stage malware like Qbot, IcedID, or Bumblebee, and then sell their access to ransomware operators to deploy data theft and encryption operations.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“As defenses continue to evolve and become more robust, CTI expects that threat actors will continue to experiment with new techniques and malware delivery methods.”

Proofpoint shares these sentiments:

The experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially IABs, is vastly different from attack chains observed prior to 2022 and heralds a new normal of threat activity. No longer are the most experienced cybercriminal actors relying on one or a few techniques, but rather are frequently developing and iterating new TTPs. The rapid rate of change for many threat actors suggests they have the time, capability, and understanding of the threat landscape to rapidly develop and execute new techniques.

“The ever-increasing pace of adoption of new techniques by today’s cybercriminals holds ramifications for the security professionals doing their best to defend against them. CTI will continue to do its best to stay abreast of the latest trends to emerge from the cyber threat landscape and disseminate them appropriately with our fellow stakeholders.”

3. Malicious VSCode Marketplace extensions steal passwords, open remote shells

A new report from analysts at Check Point reveals that cybercriminals have begun targeting the Microsoft VSCode Marketplace.

Three malicious Visual Studio extensions were reportedly uploaded to the Marketplace, which, at time of publication, had been downloaded 46,600 times by Windows developers.

About the Visual Studio Code Marketplace

Visual Studio Code is a popular, free source code editor offered by Microsoft to Windows developers seeking an efficient and customizable coding environment capable of supporting a significant variety of programming languages, frameworks, and tools.

Microsoft also offers the VSCode Extensions Marketplace, which Check Point describes as a “central hub where developers can discover and install new extensions to enhance their coding experience.” The Marketplace contains official Microsoft and third-party extensions developed by the community, with those extensions currently numbering around 50,000.

These VSCode extensions are add-ons designed to be installed by developers to upgrade the functionality of their editor. They can add new features, facilitate the support of new programming languages, and integrate with external tools and resources.

On the other hand, malicious extensions pose a significant security risk to users in various ways.

Malicious extensions

Malicious VSCode extensions can install malware, steal user data, and perform other harmful actions. According to Check Point, the malware contained in these Visual Studio extensions enabled attackers to steal users’ personally identifiable information (PII) records and install remote shells on victims’ devices.

The extensions were discovered and reported on May 4, 2023, and removed from the Marketplace on May 14. They included “Theme Dracula Dark,” “python-vscode,” and “prettiest java.”

While Check Point also reportedly discovered multiple suspicious extensions — those which could not be described as malicious with a high degree of certainty, but demonstrated unsafe behavior — Microsoft has done a commendable job of implementing several security measures for the VSCode Extensions Marketplace. This includes adding automatic extension scanning tools which detect and remove malicious extensions from the Marketplace and enabling user reviews and ratings to aid in the identification and reporting of malicious extensions.

Check Point asserts that prior to the discovery of the three malicious extensions, virtually no malicious extensions had been published to the Marketplace which were later detected as harmful. However, Check Point also makes a point of emphasizing that the malicious extensions its analysts discovered are not new. Most of them are more than one year old. So, regardless of what types of checks and verifications may be in place, there is always some degree of risk involved with the publication and use of open-source components.

Software repositories and the supply-chain risk

There is always a degree of risk involved with open-source components. The same is true with software repositories that allow user contributions. For example, repositories such as NPM and PyPI have repeatedly been proven to contain inherent risk as they have become increasingly attractive targets for cyber threat actors.

While the addition of the VSCode Marketplace to the list of repositories being targeted by cybercriminals may come as a surprise to some, BleepingComputer pointed out that “AquaSec demonstrated in January that it was fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases. However, they were not able to find any malware.”

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“With software supply-chain attacks becoming more frequent and more impactful, it is more important than ever to carefully vet every software component upon which developers rely to do their day-to-day jobs.”

“There is never any guarantee that open-source software packages are safe. The same is true for the repositories that house them.”

---

Do you have insight these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.