Researchers have discovered a previously unknown macOS malware variant called GIMMICK, believed to be a custom tool of a Chinese espionage threat actor tracked as 'Storm Cloud'.
The malware was discovered by researchers at Volexity, who retrieved it from the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised in a late 2021 cyberespionage campaign.
GIMMICK is a multi-platform family that uses public cloud hosting services such as Google Drive for its command-and-control (C2) channel. The macOS variant is written primarily in Objective-C, while the Windows versions are written in .NET and Delphi. Despite the different languages, Volexity tracks all of them under the same name because they share the same C2 architecture, file paths, and behavioral patterns.
GIMMICK is launched either directly by the user or as a launchd daemon, and installs itself as a binary named 'PLIST', usually mimicking a heavily used application on the target machine. During initialization the malware performs several decoding steps and then establishes a session to Google Drive using hard-coded OAuth2 credentials. After initialization, GIMMICK loads three components, DriveManager, FileManager, and GCDTimerManager, which together handle the critical parts of the C2 protocol. DriveManager in particular is responsible for managing the Google Drive and proxy sessions, maintaining an in-memory map of the Google Drive directory hierarchy, managing the locks that synchronize tasks on the Google Drive session, and handling uploads to and downloads from that session.
Upon establishing a session to Google Drive, GIMMICK is capable of executing the following commands, which arrive on the system in AES-encrypted form:
- Transmit base system information
- Upload file to C2
- Download file to client
- Execute a shell command and write output to C2
- Set client Google Drive timer interval
- Set client timer interval for client info heartbeat message
- Overwrite client work period information
Mitigations recommended by Volexity:
- Regularly audit and monitor persistence locations, such as LaunchAgents and LaunchDaemons, on macOS endpoints. This can be done through an EDR solution and/or with free tools such as BlockBlock and KnockKnock.
- Monitor network traffic for anomalous proxy activity and internal scanning.
- Ensure that XProtect and MRT from Apple are enabled and running on macOS systems.
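The persistence audit above can be scripted without an EDR. The following is an added example written for this page, not Volexity's tooling and not code from the GIMMICK report: it parses the plist files launchd loads from the LaunchAgents and LaunchDaemons directories and flags items whose program lives outside a set of trusted, root-owned prefixes (the prefix list is an assumption to tune per fleet), items that launch an interpreter with a script argument, and any program named 'PLIST', the binary name the article attributes to GIMMICK. The sample plists are constructed inline so the script runs on any OS with Python 3; on a real Mac, call `audit_dirs(PERSISTENCE_DIRS)` instead of the demo.

```python
"""Audit macOS launchd persistence locations (LaunchAgents / LaunchDaemons).

Added example, not Volexity's tooling. Sample plists are constructed below.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Directories launchd scans for persistence items (real macOS paths).
PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Program locations that are normally root-owned and signed. This list is an
# assumption for the example; anything outside it deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

INTERPRETERS = ("sh", "bash", "zsh", "python3", "osascript")


def parse_launch_item(path):
    """Return the persistence-relevant fields of one launchd plist."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    args = list(data.get("ProgramArguments") or [])
    program = data.get("Program") or (args[0] if args else "")
    return {
        "file": str(path),
        "label": data.get("Label", ""),
        "program": program,
        "args": args,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def audit_item(item, trusted=TRUSTED_PREFIXES):
    """Return the reasons an item looks suspicious (empty list means clean)."""
    reasons = []
    prog = item["program"]
    if not prog:
        return ["no Program/ProgramArguments"]
    if not prog.startswith(trusted):
        reasons.append(f"program outside trusted prefixes: {prog}")
    if os.path.basename(prog) == "PLIST":
        reasons.append("binary named 'PLIST' (name reported for GIMMICK)")
    if os.path.basename(prog) in INTERPRETERS and len(item["args"]) > 1:
        reasons.append("interpreter with script argument: " + " ".join(item["args"]))
    # Auto-start plus auto-restart only matters if something else is off.
    if reasons and item["run_at_load"] and item["keep_alive"]:
        reasons.append("RunAtLoad+KeepAlive (starts at login/boot, restarts if killed)")
    return reasons


def audit_dirs(dirs):
    """Scan each directory's *.plist files; return [(label_or_path, reasons)]."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for p in sorted(Path(d).glob("*.plist")):
            try:
                item = parse_launch_item(p)
            except Exception as exc:  # malformed plist is itself worth a look
                findings.append((str(p), [f"unparseable plist: {exc}"]))
                continue
            reasons = audit_item(item)
            if reasons:
                findings.append((item["label"] or str(p), reasons))
    return findings


# Constructed sample plists (not real artifacts): one benign system item and
# one mimicking the GIMMICK pattern described in the article.
SAMPLE_ITEMS = {
    "com.apple.example.plist": {
        "Label": "com.apple.example",
        "ProgramArguments": ["/usr/libexec/example"],
        "RunAtLoad": True,
    },
    "com.example.sync.plist": {
        "Label": "com.example.sync",
        "ProgramArguments": ["/Users/victim/Library/Application Support/Example/PLIST"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def write_samples(dest):
    for name, body in SAMPLE_ITEMS.items():
        with open(Path(dest) / name, "wb") as fh:
            plistlib.dump(body, fh)
    return dest


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return audit_dirs([tmp])


if __name__ == "__main__":
    for label, reasons in demo():
        print(label)
        for r in reasons:
            print("  -", r)
```

The prefix allow-list is deliberately simple; in production you would also check the binary's code signature (`codesign -dv`) and the plist's ownership, since a legitimate label in a user-writable path is exactly the mimicry the article describes.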
YARA Rules published by Volexity: