Geacon and Geacon_Pro: A Constant Menace to Linux and Windows Systems

Published on Jun 27, 2024

Introduction

The red-teaming tool Cobalt Strike has long been a staple for simulating attacks, predominantly targeting Windows platforms. However, its reach has expanded with Golang implementations known as Geacon and Geacon_Pro. Our research team identified several servers using the default certificate for the latter tool, which was removed from GitHub by the original author but only after being forked many times.

While some team servers may serve benign purposes, many exhibit malicious intent. In this post, we will explore the infrastructure linked to Geacon_Pro and provide insights from a few open directories, shedding light on their operations and the threat they pose to Linux and Windows users.

A Match Made in Go?

GitHub user darkr4y uploaded Geacon to the platform four years ago as a learning project. Since then, the repo has gained over 1k stars and more than 200 forks.

https://app.hunt.io/images/blogs/geacon/figure_1.webp
Figure 1: Screenshot of Geacon README

Geacon_Pro debuted on the code-sharing platform in 2022, uploaded by a user named H4de5-7. This tool version was described as a co-developed project with Z3ratu1, who is also credited with developing Geacon_Plus. According to the developers, Geacon_Pro was transitioned into a private project—potentially for commercial sale—due to concerns over its potential for misuse.

https://app.hunt.io/images/blogs/geacon/figure_2.webp
Figure 2: Geacon_Plus README

Figure 2 displays a screenshot of the Geacon_Plus GitHub page, while Figure 3 shows the default certificate used by Geacon_Pro, which we will use to track the team servers.

https://app.hunt.io/images/blogs/geacon/figure_3.webp
Figure 3: Screenshot of the default certificate of Geacon_Pro

Tracking Geacon_Pro’s Default Certificate

The default certificate for Geacon_Pro is straightforward, making identification relatively easy. The common name "foren.zik" is likely a play on the word forensics or a reference to the antagonist Frederick Gorgote from the show "Happy Appy."

The certificate fields are below:

Country: KZ
Common Name: foren.zik
Organization: NN Fern Sub
Organizational Unit: NN Fern
State: KZ
Validity: 365 days

Our scans across the internet identified a small number of servers using this certificate, which we’ll discuss next.

To illustrate our findings, we’ll use Hunt’s Advanced Search feature and a simple query to look for suspected Geacon_Pro infrastructure. By focusing on the certificate's common name and organization, Hunt finds 12 matching IPs.

The complete query is:

subject.common_name:"foren.zik" AND subject.organization:"NN Fern Sub"

https://app.hunt.io/images/blogs/geacon/figure_4.webp
Figure 4: Snippet of Hunt Advanced Search results for the Geacon_Pro certificate

While many threat actors and even red teamers may opt to use different certificates to evade detection, some still use the default fields to 'blend in.' Relying on default certificates alone is insufficient for attributing their use to Geacon_Pro or any other malware, as the certificate data is publicly available and could be used to host any malicious (or legitimate) software.

The following section will examine a few servers that caught our attention during our research. As you may have noticed, we here at Hunt have an eye for spotting and analyzing data left exposed in directories.

Notable Findings

The first IP we examined did not host the default Geacon_Pro certificate. However, it did host two standard Cobalt Strike team servers on ports 443 and 30011 and an open directory on port 444, as illustrated in Figure 5.

Don’t worry—once we examine the files contained in the directory, the rationale behind our decision will become clear.

https://app.hunt.io/images/blogs/geacon/figure_5.webp
Figure 5: Screenshot of the initial server in our research

Located in the US on the Host Papa ASN, IP address 172.245.53_132 contained an unusual folder named 'dkxtzLeppoUwg676m9Am5gJ'. This directory included a nohup output file and three ELF files: alis, aservice, and grpc, the latter likely intended to spoof Google's remote procedure call framework.

Additionally, files beginning with an 's' are bash scripts, which we will cover first. Figure 6 shows the entire contents of the directory.

https://app.hunt.io/images/blogs/geacon/figure_6.webp
Figure 6: Screenshot of files in the open directory at 172.245.53_132

Files s1 and s2 are identical to s11 and s12. The primary function of s1 is to download s2 from the likely actor-controlled domain 'down.chinaunion_info' within the previously mentioned oddly named folder.

This script proceeds to create a service that masquerades as the Zabbix Agent, a legitimate network monitoring tool. It then reloads the systemd manager configuration, starts the newly created service, and finally removes the script from the system.

https://app.hunt.io/images/blogs/geacon/figure_7.webp
Figure 7: Screenshot of s1 Script

s2 also contacts the same domain and downloads the alis file to the system. The Chinese language comment, '# 清理掉S1名字的服务痕迹,' translates to 'Clean up traces of the service named S1.' The script defines service name variables, saves the downloaded file to /tmp as 'zabbix_agent,' and makes it executable with chmod +x.

The service unit it writes specifies that the service should start after the network is available, run zabbix_agent, and always restart if it stops. The unit runs the file with root privileges and is enabled in the multi-user target so that it starts automatically at boot. Similar to s1, this script also cleans up any remnants created by the previous script.

s2’s contents can be seen below in Figure 8.

https://app.hunt.io/images/blogs/geacon/figure_8.webp
Figure 8: Contents of s2 Script
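The persistence pattern just described, a unit named after the Zabbix agent that executes a binary dropped in /tmp and restarts whenever it dies, can be checked for on a Linux host. The script below is an added example written for this post, not code from the post or from the scripts in the open directory; the unit text it runs against is a constructed sample modelled on the behaviour described for s2 (not the real file), and the legitimate Zabbix binary paths are assumed for common distributions.

```python
import re
import shlex

# Directories a packaged service should never execute from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Where the genuine Zabbix agent binary lives on common distributions (assumed).
LEGIT_ZABBIX_PATHS = ("/usr/sbin/zabbix_agentd", "/usr/sbin/zabbix_agent2")


def parse_unit(text):
    """Parse unit-file text into {section: [(key, value), ...]}.
    Keys may repeat (several ExecStartPre lines), so values stay in lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def exec_paths(sections):
    """Return the program path from every Exec* directive in [Service]."""
    paths = []
    for key, value in sections.get("Service", []):
        if key.startswith("Exec") and value:
            # Drop systemd's '-', '@', '+', '!' and ':' prefixes before the path.
            argv = shlex.split(value.lstrip("-@+!:"))
            if argv:
                paths.append(argv[0])
    return paths


def assess_unit(unit_name, text):
    """Return a list of findings for one unit; an empty list means clean."""
    sections = parse_unit(text)
    service = dict(sections.get("Service", []))
    findings = []
    for path in exec_paths(sections):
        if path.startswith(SUSPICIOUS_DIRS):
            findings.append(f"executes from a staging directory: {path}")
        if "zabbix" in unit_name.lower() and path not in LEGIT_ZABBIX_PATHS:
            findings.append(f"zabbix-named unit runs a non-package binary: {path}")
    # Restart=always only matters once something else looks wrong.
    if findings and service.get("Restart") == "always":
        findings.append("Restart=always keeps the binary running if it is killed")
    return findings


# Constructed sample modelled on the behaviour described for s2; it is not
# the actual unit written by the script.
SAMPLE_UNIT = """[Unit]
Description=Zabbix Agent
After=network.target

[Service]
User=root
ExecStart=/tmp/zabbix_agent
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for finding in assess_unit("zabbix_agent.service", SAMPLE_UNIT):
        print(finding)
```

Run assess_unit over each *.service file under /etc/systemd/system to apply the same checks to a real host.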

To recap, we've covered two bash scripts that download another script and an ELF file, the latter masquerading as a legitimate network monitoring tool. These files are retrieved from a suspicious domain, likely imitating China UnionPay, the country's largest card payment organization. Next, let's examine the alis file.

https://app.hunt.io/images/blogs/geacon/figure_9.webp
Figure 9: File metadata for alis (Source: VirusTotal)

Using VirusTotal for dynamic analysis, 14 out of 67 security vendors identified alis as an ELF Golang variant of Cobalt Strike. The 'Community' tab can provide valuable comments and insights for additional verification. The command-and-control (C2) server is a Cloudflare IP address linked to another suspicious domain, api.chinaunion_info.

Using the strings command, we can uncover multiple references to the geacon_pro project embedded in the binary.

https://app.hunt.io/images/blogs/geacon/figure_10.webp
Figure 10: Geacon_Pro references in the alis binary

Further analysis reveals that the grpc file is a renamed fast reverse proxy (frp) binary for Linux. The aservice file is a text file that contains the same service configuration found in s2.

With this analysis, we've wrapped up our examination of this IP address. Below is the metadata for the IP address, domains, and file hashes associated with the open directory.

| Field | Value |
| --- | --- |
| Open Directory IP | 172.245.53_132:444 |
| Domains | down.chinaunion_info → 172.67.140_188, 104.21.33_29 |
| | api.chinaunion_info → 172.67.140_188, 104.21.33_29 |
| | pay.chinaunion_info → 3.230.208_121, 52.1.43_64 |
| s1 SHA-1 | fa21b1c5063d296d3402ff94a34b6b3a9285e59b |
| s2 SHA-1 | d2746e2a30719760583c62b034312e16565e652e |
| alis SHA-1 | cab73e5f990143ed8311d760ceca7bb12e33c0d2 |
| grpc SHA-1 | 20ebea093d50351f686fa80e64f9171e80bf50e8 |

Our next IP, 120.55.74_104, is hosted in China on the Aliyun Computing network and also has an exposed directory on port 8000. This server serves as a prime example of why we cannot rely solely on certificates to draw conclusions about infrastructure. While this server previously hosted the Geacon_Pro certificate, we did not find any associated Geacon_Pro samples at the time of our investigation.

However, we did uncover Linux and Windows binaries with indicators similar to standard Geacon payloads, and some variants utilizing Go CLR, a package that allows .NET assemblies to be executed from Go.

https://app.hunt.io/images/blogs/geacon/figure_11.webp
Figure 11: Screenshot of the open directory at 120.55.74_104

To keep this post concise, we'll quickly highlight some of the more interesting files from the directory and share the analysis results from VirusTotal.

https://app.hunt.io/images/blogs/geacon/figure_12.webp

ha.exe, a 64-bit portable executable for Windows compiled in Golang, as shown in Figure 12, presents an intriguing case. It was flagged as malicious by only five security vendors on VirusTotal, with no clear classification into a specific malware family.

Interestingly, the 'Details' tab reveals another submission of the same file, uploaded under the name '2024-06-23_00a1bb75c98662f59f08b3023398d29b_poet-rat_snatch.' Without more context behind this filename, we won’t jump to conclusions and move on.

SHA-1: ffc4f2996cca934185bf36355fc4c09aef871435

https://app.hunt.io/images/blogs/geacon/figure_13.webp
Figure 13: Screenshot of analysis results for m_arm64

The file m_arm64 is a 64-bit ELF executable targeting the ARM architecture. Detection for this sample is more robust, with 20 security vendors identifying it as a variant of Cobalt Strike. The C2 IP address is the same server as above, communicating over port 10443. This file contains references to Go CLR, as mentioned earlier, and to "firstblood," a string seen in the original Geacon repository.

SHA-1: 7fbfb47aee77fd965a5b703c12f5da7505af6fc6

gslll.jsp employs a form of Unicode escape encoding, in which each character is written as '\u' followed by four hexadecimal digits. This technique is often used to obscure content: the file is no longer readable at a glance, but the JSP compiler still interprets the sequences as the characters they represent.

Figure 14 shows a snippet of the file and encoding.

https://app.hunt.io/images/blogs/geacon/figure_14.webp
Figure 14: Snippet of obfuscated .jsp file

Using a few lines of Python, we can reveal that the file is actually a webshell designed to be uploaded to remote servers. Once deployed, it gives the operator command execution and file upload on the host. The deobfuscated text is shown below in Figure 15, formatted for readability.

https://app.hunt.io/images/blogs/geacon/figure_15.webp
Figure 15: Deobfuscated file contents of gslll.jsp

Deobfuscating the text reveals an odd comment in the try block, '/*Z#¥hu@!h83K85eBpZ*/'. The purpose of this text is currently unclear. It could serve as a marker to help the author quickly locate specific sections of the shell, a tactic to bypass simple detection mechanisms, or a method to confuse and mislead defenders and researchers.

SHA-1: 0e6c770f37ce2aa7942dce5350ca1fe781e5f479
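The "few lines of Python" mentioned above are not reproduced in the post, so the following is an added example of the decoding step and of a first-pass triage a defender can run over uploaded .jsp files; it is not the post's own script. The review indicator list and the 0.5 escape-density threshold are assumptions, and the sample input is a constructed, escaped version of a short benign page, not the real gslll.jsp.

```python
import re

# Java/JSP Unicode escape: backslash, 'u', four hex digits (case-insensitive).
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# API names whose presence in decoded JSP warrants manual review. They are
# legitimate in real applications, so this is a triage signal, not a verdict.
REVIEW_INDICATORS = ("Runtime.getRuntime", "ProcessBuilder", "FileOutputStream",
                     "request.getParameter", "Class.forName", "defineClass")


def decode_unicode_escapes(text):
    """Replace every \\uXXXX sequence with the character it encodes.

    A plain substitution is used rather than codecs.decode(..., 'unicode_escape'),
    which also interprets \\n, \\t and \\x escapes and mangles non-ASCII input; the
    JSP file mixes escaped and literal text, so only \\u must be touched. Surrogate
    pairs (two escapes for one supplementary character) are merged afterwards."""
    decoded = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return decoded.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def escape_ratio(text):
    """Fraction of the raw file taken up by \\uXXXX escapes (0.0 to 1.0).
    Hand-written JSP escapes at most a few characters; a file that is mostly
    escapes deserves a look whatever it decodes to."""
    if not text:
        return 0.0
    escaped = sum(len(m.group(0)) for m in UNICODE_ESCAPE.finditer(text))
    return escaped / len(text)


def triage_jsp(text):
    """Decode a JSP file and summarise why (or whether) it needs analyst review."""
    decoded = decode_unicode_escapes(text)
    hits = [name for name in REVIEW_INDICATORS if name in decoded]
    ratio = escape_ratio(text)
    return {
        "escape_ratio": round(ratio, 3),
        "indicators": hits,
        "decoded": decoded,
        # Heavily escaped source or several sensitive APIs: escalate (assumed thresholds).
        "review": ratio > 0.5 or len(hits) >= 2,
    }


def to_unicode_escapes(text):
    """Encode text as \\uXXXX escapes (surrogate pairs above U+FFFF);
    used only to build the constructed sample."""
    units = text.encode("utf-16-be", "surrogatepass")
    return "".join(f"\\u{(units[i] << 8 | units[i + 1]):04x}" for i in range(0, len(units), 2))


# Constructed sample: the escaped form of a short page that imports a file-writing
# class and echoes a request parameter. It is not the real gslll.jsp.
SAMPLE_PLAIN = ('<%@ page import="java.io.FileOutputStream" %>\n'
                '<% String p = request.getParameter("f"); out.println(p); %>\n')
SAMPLE_ESCAPED = to_unicode_escapes(SAMPLE_PLAIN)

if __name__ == "__main__":
    result = triage_jsp(SAMPLE_ESCAPED)
    print(result["decoded"])
    print("escape ratio:", result["escape_ratio"], "indicators:", result["indicators"])
```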

Honorable Mention

During our research, we observed IP address 43.136.38_59 hosted in China and part of the Tencent Cloud Computing network. This server hosted a redirect on port 8443 to 360.net, the domain of a Chinese antivirus company (as shown below).

https://app.hunt.io/images/blogs/geacon/figure_16.webp
Figure 16: Redirect on port 8443 to 360.net

In April, we published a blog post on detecting the RedGuard C2 redirector, which is commonly used with Cobalt Strike to conceal malicious infrastructure. Noticing a familiar pattern in the HTTP response, we decided to examine the SSL history. RedGuard often uses a standard certificate that can be instrumental in hunting such threats.

https://app.hunt.io/images/blogs/geacon/figure_17.webp
Figure 17: SSL History showing RedGuard, Geacon_Pro, and various Cobalt Strike certificates

As seen above, this server's administrators frequently rotate Geacon_Pro certificates, with some lasting as little as a day and others around a week. On port 8443, we observed the default certificate for RedGuard and, just above it, certificate fields associated with the leaked Cobalt Strike 4.9 version.

Conclusion

While tools like Cobalt Strike can aid red and blue teams in assessing weak points within their networks, projects such as Geacon, Geacon_Plus, and Geacon_Pro are abused by threat actors to gain initial access. The examples discussed in this post highlight the need for security teams to pay attention not only to Windows systems but also to *nix servers and user workstations.

We hope this post has equipped readers with the knowledge to start tracking Geacon_Pro servers on their own and with us at Hunt.