New Variant of Chinese Gimmick Malware Targeting macOS Users

Gimmick Malware Targeting macOS Users News

Researchers revealed details about a new macOS version of malware that was developed by an actor in Chinese intelligence known for attacking organizations throughout Asia.

Attributing the attacks to a group tracked as Storm Cloud, cybersecurity firm Volexity characterized the new malware, dubbed Gimmick, a “feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels. “

The cybersecurity firm said it recovered the sample through memory analysis of a compromised MacBook Pro running macOS 11. 6 (Big Sur) as part of an intrusion campaign that took place in late 2021.

“Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets,” Volexity researchers Damien Cash, Steven Adair, and Thomas Lancaster said in a report.

” They use built-in tools and open-source software to accomplish their goals. Leveraging cloud platforms for C2, such as using Google Drive, increases the likelihood of operating undetected by network monitoring solutions. “

Unlike its Windows counterpart, which is coded in both .NET and Delphi, the macOS version is written in Objective C. The choice of the programming languages aside, the two versions of the malware are known to share the same C2 infrastructure and behavioral patterns.

Once installed, Gimmick can be launched as either a daemon (or in the form a custom application) that is designed to appear like a targeted program. The malware is configured to communicate with its Google Drive-based C2 server only on working days in order to further blend in with the network traffic in the target environment.

What’s more, the backdoor, besides retrieving arbitrary files and executing commands from the C2 server, comes with its own uninstall functionality that allows it to erase itself from the compromised machine.

To protect users against malware, Apple has issued new signatures to its built-in anti-malware protection suite known as XProtect as of March 17, 2022 to block and remove the infections via its Malware Removal Tool (MRT).

“The work involved in porting this malware and adapting its systems to a new operating system (macOS) is no light undertaking and suggests the threat actor behind it is well resourced, adept, and versatile,” the researchers said.

Rate author