Recently, the incident response and threat intelligence firm Volexity discovered a Chinese threat actor employing a macOS variant of the malware known as Gimmick. The Chinese APT known as Storm Cloud is notorious for conducting focused cyber espionage against Asian enterprises. The group uses built-in utilities, bespoke malware, and open-source tools in its attacks.
Gimmick is a multi-platform malware family that uses public cloud services for command and control (C&C) and gives attackers multiple options. The macOS version, discovered on a MacBook Pro running macOS 11.6 (Big Sur), is primarily written in Objective-C, whereas prior Windows versions were written in .NET and Delphi. The C&C architecture, behavior, and file paths are the same across all variants.
According to the researchers, Gimmick was configured to contact its Google Drive-based C&C server only during workdays, in order to blend in with the target organization’s network activity. Analysis shows that the malware’s operation is highly asynchronous, and the attackers keep a separate Google Drive directory for each compromised system.
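The workday-only schedule described above means timing alone cannot be used to dismiss Google Drive traffic as benign. The following added example (not Volexity's code or indicators) shows the defensive angle: it parses a constructed connection log, lists every process that talks to Google Drive endpoints, skips known Drive clients, and reports whether the remaining activity is confined to business hours on weekdays. The log, the process name `launchd-helper`, the host list and the allowlist are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real telemetry): "<ISO timestamp> <process name> <destination host>".
# 2022-03-14 is a Monday; 2022-03-19 is a Saturday. "launchd-helper" is a hypothetical process.
SAMPLE_LOG = """\
2022-03-14T09:12:03 Google Chrome www.googleapis.com
2022-03-14T10:05:44 launchd-helper www.googleapis.com
2022-03-15T11:30:10 launchd-helper www.googleapis.com
2022-03-16T14:02:55 launchd-helper www.googleapis.com
2022-03-17T16:45:21 launchd-helper www.googleapis.com
2022-03-19T13:20:00 Google Chrome drive.google.com
2022-03-18T09:00:07 launchd-helper www.googleapis.com
"""

# Assumed Google Drive endpoints and the processes expected to contact them.
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "oauth2.googleapis.com"}
KNOWN_DRIVE_CLIENTS = {"Google Chrome", "Safari", "Google Drive", "firefox"}


def parse_log(text):
    """Return (timestamp, process, host) tuples; process names may contain spaces."""
    records = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        proc, host = rest.rsplit(" ", 1)
        records.append((datetime.fromisoformat(ts), proc, host))
    return records


def is_workday_only(timestamps, start_hour=8, end_hour=18):
    """True when every connection falls Monday-Friday within the given hours."""
    return all(ts.weekday() < 5 and start_hour <= ts.hour < end_hour for ts in timestamps)


def suspicious_drive_clients(text):
    """Processes contacting Drive hosts that are not known Drive clients, with a schedule summary."""
    by_proc = defaultdict(list)
    for ts, proc, host in parse_log(text):
        if host in DRIVE_HOSTS and proc not in KNOWN_DRIVE_CLIENTS:
            by_proc[proc].append(ts)
    return [
        {
            "process": proc,
            "connections": len(stamps),
            "distinct_days": len({ts.date() for ts in stamps}),
            "workday_only": is_workday_only(stamps),  # matches the Gimmick blend-in pattern
        }
        for proc, stamps in sorted(by_proc.items())
    ]
```

A `workday_only` result of `True` for an unexpected process is a reason to look closer, not a reason to discount the finding.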
Although Volexity has identified storage locations for credentials, errors, proxy definitions, command files, and temporary files, it notes that not all Gimmick variants use all of them. The malware accepts C&C instructions to gather system information, upload or download files, run shell commands, and perform other tasks.
According to the researchers, Gimmick is a complex malware family, owing largely to its asynchronous design. Its port to macOS indicates that Storm Cloud, the sole threat actor seen deploying it, is a well-resourced and flexible adversary. Volexity said that Apple published updated signatures for XProtect and MRT last week to defend Macs against Gimmick.