macOS users need to worry about a new piece of malware called GIMMICK. The malware was discovered by researchers at Volexity, who retrieved it from the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised in a late 2021 cyberespionage campaign:
GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels. The newly identified macOS variant is written primarily in Objective C, with Windows versions written in both .NET and Delphi. Despite core differences in programming languages used and operating systems targeted, Volexity tracks the malware under the same name due to shared C2 architecture, file paths, and behavioral patterns used by all variants.
The post from Volexity goes into detail about how this malware works. But here’s the high level explanation. After initializing the malware loads additional components that can remotely manage a Google Drive session. By using Google Drive as a command-and-control platform, the malware can go undetected by network monitoring solutions. Once on a machine, attackers can carry out a variety of other tasks using the malware, including uploading files from the machine to command-and-control infrastructure, downloading additional malicious files to the machine, and gaining a shell that allows it to execute commands.
Here’s the good news. If you’re on macOS Monterey, you’re protected from this malware. So your best defence is to get macOS Monterey onto your computer. Also, the usual advice of not clicking on attachments that you don’t recognize applies, along look considering the use a security product to protect yourself. Because as this illustrates, Macs are not immune to malware.
Like this:
Like Loading...
Related
This entry was posted on March 28, 2022 at 8:40 am and is filed under Commentary with tags Mac, Security. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
GIMMICK Malware Goes After macOS Computers
macOS users need to worry about a new piece of malware called GIMMICK. The malware was discovered by researchers at Volexity, who retrieved it from the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised in a late 2021 cyberespionage campaign:
GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels. The newly identified macOS variant is written primarily in Objective C, with Windows versions written in both .NET and Delphi. Despite core differences in programming languages used and operating systems targeted, Volexity tracks the malware under the same name due to shared C2 architecture, file paths, and behavioral patterns used by all variants.
The post from Volexity goes into detail about how this malware works. But here’s the high level explanation. After initializing the malware loads additional components that can remotely manage a Google Drive session. By using Google Drive as a command-and-control platform, the malware can go undetected by network monitoring solutions. Once on a machine, attackers can carry out a variety of other tasks using the malware, including uploading files from the machine to command-and-control infrastructure, downloading additional malicious files to the machine, and gaining a shell that allows it to execute commands.
Here’s the good news. If you’re on macOS Monterey, you’re protected from this malware. So your best defence is to get macOS Monterey onto your computer. Also, the usual advice of not clicking on attachments that you don’t recognize applies, along look considering the use a security product to protect yourself. Because as this illustrates, Macs are not immune to malware.
Share this:
Like this:
Related
This entry was posted on March 28, 2022 at 8:40 am and is filed under Commentary with tags Mac, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.