Chinese cyber spies seen using macOS variant of ‘Gimmick’ malware

In late 2021, incident response and threat intelligence firm Volexity observed a Chinese threat actor using a macOS variant of the malware known as Gimmick.

Tracked as Storm Cloud, the Chinese APT is known for its targeted cyber espionage activities against organizations in Asia. In its attacks, the group relies on built-in utilities, custom malware, and open-source tools.

Gimmick is a cross-platform malware family that relies on public cloud services for command and control (C&C) and offers attackers a wide range of functionality.

The macOS variant – identified on a MacBook Pro running macOS 11.6 (Big Sur) – is primarily written in Objective-C, while previously observed Windows versions were built in .NET and Delphi. However, all variants share the same C&C architecture, behavior and file paths.

According to the researchers, Gimmick was configured to communicate only with its Google Drive-based C&C server, and only during working days, to blend in with the target organization’s network traffic.


Analysis of the malware shows that its operation is highly asynchronous and that the attackers maintain a Google Drive directory for each of the infected hosts.

Volexity has identified the directories used to store credentials, errors, proxy definitions, batch files, and temporary files, among other things, but says that not all Gimmick variants use all of these directories.

The malware can receive C&C commands to collect system information, upload or download files, and execute shell commands, as well as perform additional C&C operations.
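A defender reading the two behaviours above (Google Drive as the only C&C channel, and check-ins confined to working days) would want a way to surface the pattern in their own telemetry. The following is an added example, not code from Volexity or from the article: a small Python script that reads constructed per-process network log lines, flags any process outside an assumed allowlist of legitimate Drive clients that contacts Google Drive hosts, and records whether that process's activity falls only on weekdays. The log format, the host and process names, the allowlist and the set of Drive hostnames are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of per-process network log lines, one event per line:
#   <ISO timestamp> <host> <process bundle id> <destination host>
# The format, host names and process names are placeholders invented for this
# example; "com.example.updater" stands in for an unexpected process.
SAMPLE_LOG = """\
2021-11-15T09:12:03 mbp-01 com.google.drivefs www.googleapis.com
2021-11-15T10:45:10 mbp-01 com.apple.Safari docs.google.com
2021-11-15T11:02:44 mbp-01 com.example.updater www.googleapis.com
2021-11-16T14:30:00 mbp-01 com.example.updater www.googleapis.com
2021-11-18T16:05:12 mbp-01 com.example.updater www.googleapis.com
2021-11-20T13:00:00 mbp-02 com.google.drivefs www.googleapis.com
2021-11-17T09:00:00 mbp-02 com.google.drivefs www.googleapis.com
2021-11-17T09:30:00 mbp-02 com.example.updater example.org
"""

# Destinations treated as Google Drive traffic (assumption for this example).
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}

# Processes the organisation expects to talk to Google Drive (assumed allowlist;
# a real deployment would baseline this from its own fleet).
EXPECTED_DRIVE_CLIENTS = {"com.google.drivefs", "com.apple.Safari", "com.google.Chrome"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, process, dest) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, dest))
    return events


def find_unexpected_drive_clients(events):
    """Group Drive-bound connections by (host, process) for processes that are
    not on the allowlist. For each group report how many connections were seen
    and whether every one of them fell on a weekday, which is the working-day
    pattern the article describes; that flag is context for an analyst, not a
    verdict on its own, since legitimate software also works Monday to Friday."""
    seen = defaultdict(list)
    for ts, host, proc, dest in events:
        if dest in DRIVE_HOSTS and proc not in EXPECTED_DRIVE_CLIENTS:
            seen[(host, proc)].append(ts)
    report = {}
    for key, stamps in seen.items():
        report[key] = {
            "count": len(stamps),
            "weekday_only": all(t.weekday() < 5 for t in stamps),
        }
    return report


if __name__ == "__main__":
    for (host, proc), info in find_unexpected_drive_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {proc} contacted Google Drive {info['count']} time(s); "
              f"weekday-only={info['weekday_only']}")
```

On the sample data the only hit is the placeholder process on mbp-01, which reached the Drive API three times, all on weekdays; the Drive client and Safari on both hosts are ignored, and the placeholder process on mbp-02 is ignored because it never touched a Drive host. The allowlist approach is the useful part: because the C&C channel is a service the organisation legitimately uses, filtering by destination alone yields nothing, so the question has to be which process is talking to it.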

Gimmick, the researchers note, is a complex malware family, primarily due to its asynchronous design, and its port to macOS suggests that Storm Cloud – which is the only threat actor observed using it – is a versatile and powerful adversary with sufficient resources.

Last week, Apple released new signatures for XProtect and MRT to protect Macs from Gimmick, Volexity said.


Ionut Arghire is an international correspondent for SecurityWeek.
