New variant of Chinese Gimmick Malware targeting macOS users

Researchers have now published the details of newly discovered macOS malware implants. According to a cybersecurity firm called Volexity, the malware was developed by a Chinese espionage threat actor dubbed Storm Cloud. Storm Cloud is mostly known for targeting organizations across the Asian continent.
The malware, called Gimmick, is a feature-rich malware family that uses “public cloud hosting services (like Google Drive) for command-and-control (C2) channels”. According to Volexity, it is multi-platform malware, a rarer kind of threat that can reach internet users across the world regardless of the operating system they run.

What makes this malware unique?

Volexity has said that the firm learned about the malware through a sample recovered from a compromised MacBook Pro running macOS 11.6, also known as Big Sur. The company ran a memory analysis on the MacBook Pro targeted by Storm Cloud at the end of 2021.

Although Mac users often believe that their devices are safe from all cyber threats, Gimmick is a clear example that should encourage all Apple users to be more cautious. Indeed, some malware won’t be able to penetrate macOS, but other malware will. The malware sent out by Storm Cloud is a prime example of that. It is more advanced than your average malware and seems to be much more versatile. The Chinese threat actor has done a great job adapting its toolset to infiltrate different operating systems and widen its reach.

According to the researchers at Volexity – Damien Cash, Thomas Lancaster, and Steven Adair – Gimmick uses built-in operating system utilities, open-source tools, and custom malware implants to infiltrate the system successfully. As we mentioned above, the malware uses public cloud platforms, including Google Drive. This makes it more likely that the malware will go undetected by network monitoring solutions, because its C2 traffic looks like ordinary traffic to a widely used service.

This malware differs from its Windows counterpart, which is coded in both .NET and Delphi, in that the macOS version is written in Objective-C, but the differences end there. The two variants share the same C2 infrastructure, and they also behave in the same way when interacting with the host.

What’s different about Gimmick?

Volexity researchers have published a report detailing the malware’s behavior. The report says that Gimmick is launched either as a daemon or disguised as an app – the malware is engineered to impersonate a program the user launches frequently, and it does so pretty much seamlessly.

What’s even scarier is that the malware only communicates with its Google Drive-based C2 server on working days – a clever trick added by its engineers to further blend the malware’s traffic into the heavy work-day network traffic of its target environment.

The malware can also uninstall itself from the device once it has achieved its objective – retrieving files and executing commands from the C2 server – which makes it harder for researchers to trace.
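The two behaviors described above – C2 over Google Drive and beaconing only on working days – give defenders something concrete to look for in egress logs. The script below is an added example written for this article, not code from Volexity, Apple, or the article’s author. It assumes a simplified comma-separated proxy log format (timestamp, host, process name, destination host), assumes the Google Drive API is reached via `www.googleapis.com` and `drive.google.com`, and uses a constructed list of processes that are expected to talk to Google Drive; the sample log lines and the process name `com.example.helper` are constructed for illustration.

```python
"""Flag Gimmick-style cloud C2 beaconing in proxy logs (added example, not
Volexity's or Apple's code).

Heuristics: (1) a process that is not a known Google Drive client talking to
Drive API hosts; (2) connections that occur only Monday-Friday over a window
that actually contains a weekend, matching the "working days only" pattern.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts used by the Google Drive API (assumption for this example).
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}

# Processes expected to use Google Drive on a managed Mac (constructed list).
KNOWN_DRIVE_CLIENTS = {"Google Drive", "Google Chrome", "Safari"}

# Constructed sample log: "<ISO timestamp>,<host>,<process>,<destination>".
# 2021-12-11 and 2021-12-12 are a Saturday and a Sunday.
SAMPLE_LOG = """\
2021-12-06T09:15:02,mbp-01,Google Drive,www.googleapis.com
2021-12-06T09:20:44,mbp-01,com.example.helper,www.googleapis.com
2021-12-07T10:01:13,mbp-01,com.example.helper,www.googleapis.com
2021-12-08T09:58:30,mbp-01,Google Drive,www.googleapis.com
2021-12-08T11:12:07,mbp-01,com.example.helper,drive.google.com
2021-12-09T09:47:51,mbp-01,com.example.helper,www.googleapis.com
2021-12-10T14:03:19,mbp-01,com.example.helper,www.googleapis.com
2021-12-11T16:22:40,mbp-01,Google Drive,www.googleapis.com
2021-12-13T09:05:55,mbp-01,com.example.helper,www.googleapis.com
2021-12-13T09:30:00,mbp-01,Google Drive,www.googleapis.com
2021-12-14T10:11:27,mbp-01,com.example.helper,www.googleapis.com
2021-12-06T12:40:09,mbp-02,Safari,drive.google.com
2021-12-08T12:41:10,mbp-02,curl,example.com
"""


def parse_log(text):
    """Parse log lines into (datetime, host, process, destination) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, proc, dest = line.split(",")
        records.append((datetime.fromisoformat(ts), host, proc, dest))
    return records


def beacon_profile(records):
    """Summarise Drive API connections per (host, process)."""
    groups = defaultdict(list)
    for ts, host, proc, dest in records:
        if dest in DRIVE_HOSTS:
            groups[(host, proc)].append(ts)

    profile = {}
    for key, times in groups.items():
        times.sort()
        # Weekday-only is only meaningful if the window spans a weekend.
        covers_weekend = False
        day = times[0].date()
        while day <= times[-1].date():
            if day.weekday() >= 5:
                covers_weekend = True
                break
            day += timedelta(days=1)
        profile[key] = {
            "count": len(times),
            "weekday_only": all(t.weekday() < 5 for t in times),
            "covers_weekend": covers_weekend,
            "known_client": key[1] in KNOWN_DRIVE_CLIENTS,
        }
    return profile


def suspicious_processes(text):
    """Return (host, process, reasons) for Drive traffic worth investigating."""
    findings = []
    for (host, proc), p in beacon_profile(parse_log(text)).items():
        reasons = []
        if not p["known_client"]:
            reasons.append("unexpected process using Drive API")
        if p["weekday_only"] and p["covers_weekend"]:
            reasons.append("beacons only on working days")
        if reasons:
            findings.append((host, proc, reasons))
    return findings


if __name__ == "__main__":
    for host, proc, reasons in suspicious_processes(SAMPLE_LOG):
        print(f"{host}: {proc} -> {'; '.join(reasons)}")
```

Only `com.example.helper` on `mbp-01` is reported: it is not a known Drive client and it beacons Monday to Friday across a window that includes a weekend, while the legitimate `Google Drive` process also connects on Saturday. The weekday check deliberately stays quiet when the observation window is too short to contain a weekend, which avoids flagging every short-lived process seen on a single Tuesday.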

Apple has released an official statement regarding the spread of the malware and issued new signatures for its built-in malware protection suite – XProtect. The updated protection suite removes the infection using the Malware Removal Tool.

The researchers have stressed that the malware is unlike the typical malware we’re seeing. They suggest that the threat actor behind it has access to considerable resources and can create versatile, complex malware.

How to protect your device from Gimmick

While Mac users can ride this one out using XProtect, the general trend is extremely alarming. Groups like Storm Cloud are becoming more common and are targeting Apple users more frequently and more easily. It is evidence that users need to step up their security and take their online safety into their own hands.

One way to avoid catching malware is by using a VPN to protect your internet connection from snoopers. A VPN disguises your real IP address, and whenever someone tries to see what you are doing online, they will only find the IP address of the server you are connected to, no personal details.

It is also good to practice general caution when interacting with suspicious links, people, or accounts online. To protect yourself from malware and viruses, stay away from unfamiliar websites, don’t click on any link that looks odd, and always make sure that you are not interacting with dubious individuals online. You never know what their seemingly harmless links could be hiding.