GIMMICK Malware Goes After macOS Computers

macOS users need to worry about a new piece of malware called GIMMICK. The malware was discovered by researchers at Volexity, who retrieved it from the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised in a late 2021 cyberespionage campaign:

GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels. The newly identified macOS variant is written primarily in Objective C, with Windows versions written in both .NET and Delphi. Despite core differences in programming languages used and operating systems targeted, Volexity tracks the malware under the same name due to shared C2 architecture, file paths, and behavioral patterns used by all variants.

The post from Volexity goes into detail about how this malware works, but here’s the high-level explanation. After initializing, the malware loads additional components that can remotely manage a Google Drive session. By using Google Drive as its command-and-control platform, the malware’s traffic blends in with legitimate cloud traffic and can go undetected by network monitoring solutions. Once on a machine, attackers can carry out a variety of other tasks using the malware, including uploading files from the machine to the command-and-control infrastructure, downloading additional malicious files to the machine, and opening a shell that allows them to execute commands.

Here’s the good news. If you’re on macOS Monterey, you’re protected from this malware, so your best defence is to get macOS Monterey onto your computer. The usual advice of not opening attachments that you don’t recognize also applies, along with considering the use of a security product to protect yourself. Because, as this illustrates, Macs are not immune to malware.
