An espionage threat actor from China known for attacking target organizations across Asia has been linked to a new malware implant for macOS devices.
Volexity detected the intrusion late in 2021 while its Network Security Monitoring service was monitoring an environment. The cybersecurity firm attributes the attacks to a group it tracks as Storm Cloud and calls the malware "GIMMICK."
The sample was recovered through memory analysis of a compromised MacBook Pro running macOS 11.6 (Big Sur). Volexity has since encountered several other instances of the malware family.
GIMMICK is multi-platform malware that uses Google Drive, a public cloud hosting service, for command and control (C2).
GIMMICK Malware (macOS Variant)
The Windows versions are written in .NET and Delphi, while the newly identified macOS variant of GIMMICK is written mostly in Objective-C.
Volexity tracks the malware under the same name regardless of the programming language used or the operating system targeted, because all variants share the following:-
- Shared C2 architecture.
- File paths.
- Behavioral patterns used by all variants.
Volexity researchers Damien Cash, Steven Adair, and Thomas Lancaster stated:-
“Storm Cloud is an advanced and versatile threat actor, adapting its toolset to match different operating systems used by its targets.”
To blend in with the target's network traffic, GIMMICK communicates with its Google Drive-powered C2 server only during working hours and days. As part of Volexity's work with Apple, all users now have protection against GIMMICK malware.
Startup & Initialization
Once deployed on an infected system, GIMMICK can run either as an 'application' or as a 'daemon', and it is designed to mimic the behavior of a program commonly used by the targeted user.
Volexity has observed that the Windows variant of GIMMICK has no concept of setting its own persistence.
To blend in with the network traffic of the target environment, GIMMICK only communicates with its Google Drive C2 server on working days. Its configuration is unpacked in several decoding loops: the first yields a JSON object containing OAuth2 credentials for accessing Google Drive.
The second loop decodes a 32-byte string, which then passes through a third conversion stage: two characters at a time are converted to their numeric value, and each resulting byte is written to a buffer.
After the final decoding stage, the configuration data is a 200-byte binary blob with only a few overlapping data boundaries.
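The multi-stage unpacking described above, walked through on a constructed sample as an added example (this is not Volexity's code or a real GIMMICK sample). The page does not state the outer encoding of either loop or the field names inside the credential object, so base64 for the outer layers and the OAuth2 keys `client_id`, `client_secret` and `refresh_token` are assumptions made here; the layout of the final 200-byte blob is also not on the page and is not modelled. The "two characters at a time" step is written out as the loop the text describes, which is hex decoding.

```python
import base64
import json

# Added example (not Volexity's code): walks the multi-stage configuration
# unpacking described in the write-up over a CONSTRUCTED sample. The real
# encodings are not given on the page; base64 for the outer layers and the
# OAuth2 field names are assumptions made here.

OAUTH2_FIELDS = ("client_id", "client_secret", "refresh_token")  # assumed keys


def decode_stage1(encoded: str) -> dict:
    """First decoding loop: the outer layer (assumed base64) yields a JSON
    object holding the OAuth2 credentials used to reach Google Drive."""
    creds = json.loads(base64.b64decode(encoded))
    missing = [k for k in OAUTH2_FIELDS if k not in creds]
    if missing:
        raise ValueError(f"credential object missing fields: {missing}")
    return creds


def pairs_to_bytes(text: str) -> bytes:
    """Third conversion stage as described: take two characters at a time,
    convert them to their numeric value, append the resulting byte.
    (This is hex decoding written out explicitly.)"""
    if len(text) % 2:
        raise ValueError("odd-length string cannot be split into byte pairs")
    buf = bytearray()
    for i in range(0, len(text), 2):
        buf.append(int(text[i:i + 2], 16))
    return bytes(buf)


def decode_stage2(encoded: str) -> bytes:
    """Second decoding loop: unwrap (assumed base64) a 32-character string,
    then run it through pairs_to_bytes; 32 characters become 16 bytes."""
    text = base64.b64decode(encoded).decode("ascii")
    if len(text) != 32:
        raise ValueError(f"expected a 32-byte string, got {len(text)}")
    return pairs_to_bytes(text)


def build_sample_config() -> dict:
    """Constructed sample input in the assumed layout so the decoder can be
    exercised offline. All values are placeholders, not real credentials."""
    creds = {"client_id": "constructed-client-id",
             "client_secret": "constructed-secret",
             "refresh_token": "constructed-refresh-token"}
    stage1 = base64.b64encode(json.dumps(creds).encode()).decode("ascii")
    raw16 = bytes(range(16))  # 16 placeholder bytes -> 32 hex characters
    stage2 = base64.b64encode(raw16.hex().encode("ascii")).decode("ascii")
    return {"stage1": stage1, "stage2": stage2}


def unpack_config(sample: dict) -> dict:
    """Run both loops and return what an analyst wants: the Drive credentials
    (secret values masked for reporting) and the 16 bytes from stage two."""
    creds = decode_stage1(sample["stage1"])
    masked = {k: (v if k == "client_id" else v[:4] + "...") for k, v in creds.items()}
    return {"oauth2": masked, "stage2_bytes": decode_stage2(sample["stage2"])}


if __name__ == "__main__":
    print(unpack_config(build_sample_config()))
```

On a real sample the value of this decoder is that `decode_stage1` fails loudly when the credential object does not carry the expected fields, and `decode_stage2` rejects anything that is not exactly 32 characters, so a wrong guess about the layout surfaces immediately instead of producing a silently misparsed blob.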
Besides retrieving arbitrary files and executing commands from the C2 server, the backdoor has its own uninstall feature that lets it remove itself from the compromised machine.
Custom Objective-C classes of GIMMICK
GIMMICK is built around three custom Objective-C classes, which are listed below:-
To prevent similar attacks, Volexity recommends the following mitigations:-
- Audit and monitor persistence locations.
- Monitor network traffic for anomalous proxy activity and internal scanning.
- On macOS systems, make sure Apple's XProtect and MRT are enabled.
- Use complex passwords.
- Enable multi-factor authentication.
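The first mitigation, auditing persistence locations, as an added example that is not part of the original article or Volexity's tooling. It walks the standard macOS launchd directories (well-known paths, not taken from the page) and summarizes each `.plist`; the triage heuristics in `flag_suspicious` are this example's own hints, not indicators from the report. A constructed plist is written to a temporary directory so the audit can be run on any system.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Added example (not Volexity's code): a small audit of launchd persistence
# locations on macOS, the kind of check the first mitigation calls for.
# The directory names are the standard launchd locations; the triage
# heuristics below are this example's own, not indicators from the page.
DEFAULT_LOCATIONS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "~/Library/LaunchAgents",
]

# Paths a normal user can write to; a launch item pointing here deserves a look.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")


def summarize_plist(path: Path) -> dict:
    """Extract the fields that matter for triage from one launchd plist."""
    with path.open("rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    return {
        "file": str(path),
        "label": data.get("Label"),
        "program": program,
        "args": list(args),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
        "executable_exists": bool(program) and os.path.exists(os.path.expanduser(program)),
    }


def audit_launch_items(locations=DEFAULT_LOCATIONS) -> list:
    """Walk each location and summarize every .plist found; unreadable files
    are reported rather than skipped so gaps in coverage stay visible."""
    findings = []
    for loc in locations:
        directory = Path(os.path.expanduser(loc))
        if not directory.is_dir():
            continue
        for plist_path in sorted(directory.glob("*.plist")):
            try:
                findings.append(summarize_plist(plist_path))
            except Exception as exc:  # malformed or non-plist content
                findings.append({"file": str(plist_path), "error": repr(exc)})
    return findings


def flag_suspicious(item: dict) -> list:
    """Heuristic triage hints for one finding (this example's own rules)."""
    reasons = []
    program = item.get("program") or ""
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("program lives under a user-writable or temporary path")
    if item.get("run_at_load") and item.get("keep_alive"):
        reasons.append("RunAtLoad and KeepAlive both set (starts at load, restarted if killed)")
    if program and not item.get("executable_exists"):
        reasons.append("target executable is missing (stale entry or deleted payload)")
    return reasons


def make_sample_location() -> str:
    """Create a temporary directory holding one CONSTRUCTED plist so the audit
    can be exercised on any system; nothing here is a real indicator."""
    directory = tempfile.mkdtemp(prefix="launch-audit-sample-")
    sample = {
        "Label": "com.example.constructed",
        "ProgramArguments": ["/tmp/constructed-missing-binary", "--daemon"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with open(os.path.join(directory, "com.example.constructed.plist"), "wb") as fh:
        plistlib.dump(sample, fh)
    return directory


if __name__ == "__main__":
    for item in audit_launch_items(DEFAULT_LOCATIONS + [make_sample_location()]):
        flags = [item["error"]] if "error" in item else flag_suspicious(item)
        print(item["file"], "->", "; ".join(flags) or "no flags")
```

The useful output for a defender is the baseline: run it once on a known-good machine, keep the list of labels and program paths, and diff later runs against it. The heuristic flags only prioritise what to read first; a legitimate agent can set both `RunAtLoad` and `KeepAlive`, so a flag is a prompt to inspect, not a verdict.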