Cybersecurity researchers at Volexity have discovered a new macOS version of the GIMMICK malware, which is allegedly used by the Chinese cybercrime group Storm Cloud.
Experts have identified malware in the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised during a cyber espionage campaign at the end of 2021.
GIMMICK is a multi-platform malware written in Objective-C (for macOS) or .NET and Delphi (for Windows). All variants of the malware share the same command-and-control server architecture, file paths, behavior patterns and Google Drive functionality, so they are tracked as a single tool despite the differences in their code.
GIMMICK is launched either directly by the user or as a daemon on the system, and is installed by way of a PLIST file, with the binary usually disguised as an application in active use on the target device.
The malware is then initialized by performing several data decoding steps, and eventually establishes a session with Google Drive using the built-in OAuth2 credentials.
After initialization, GIMMICK loads three malicious components: DriveManager, FileManager and GCDTimerManager. The first component is responsible for managing Google Drive sessions, keeping a local in-memory map of the Google Drive directory hierarchy, managing locks that synchronize tasks within a Google Drive session, and handling upload and download tasks for that session.
The hardware UUID of each infected system is used as the identifier of the corresponding Google Drive directory.
FileManager manages the local directory where the command server information and tasks are stored, and GCDTimerManager manages the various Grand Central Dispatch (GCD) objects.
“Due to the asynchronous nature of malware, executing commands requires a step-by-step approach. Although individual steps are performed asynchronously, all commands are executed the same way,” the experts noted.
Apple has also rolled out new protections for all supported versions of macOS, with new signatures for XProtect and MRT that block and remove the malware as of March 17, 2022.