More new malware is making the rounds. A hacking group out of China known as Storm Cloud has released a new piece of malware known as GIMMICK. Security firm Volexity discovered the malware after retrieving it from the RAM of a MacBook Pro running macOS Big Sur 11.6. The device had been compromised in late 2021 during a cyber espionage campaign.
New Malware Detected
Volexity states that while it has found Windows builds of GIMMICK in the past, the macOS variant is something new. The company says Storm Cloud has recently been deploying this malware across Asia. While malware is nothing new, GIMMICK sets itself apart: it is heavy in features and has been adapted across several platforms. GIMMICK uses public cloud services, such as Google Drive, for its command and control (C2) channels. Volexity was able to identify the sample because it uses the same C2 channels across variants and shows similar file paths and behavioral patterns.
What makes GIMMICK so threatening is its adaptability. Further examination of the infected MacBook showed that the malware’s install path and file name were unique to that system. Once installed, GIMMICK blends in by running alongside other ordinary system processes. It also times its activity to the hours the computer is normally in use, so it blends in seamlessly with any other running program.
Protecting Yourself
Apple is aware of the situation, and has been working closely with Volexity in developing a solution. On March 17, Apple pushed new signatures to XProtect and MRT to combat GIMMICK.
These updates run automatically, but there are ways to verify that the defenses are active. If you are unsure, check your macOS settings: go to System Preferences > Software Update > Advanced and verify that “Install system data files and security updates” is enabled. More detailed instructions can be found here.
Complete details on how the malware functions can be found on Volexity’s blog. To protect yourself, beyond making sure your Mac is installing security updates, Volexity also suggests the following measures:
- Regularly monitor and audit persistence locations, such as LaunchDaemons and LaunchAgents, on macOS endpoints. Essentially, make sure you only run software you trust. Volexity recommends using either BlockBlock or KnockKnock.
- Monitor your network for anomalous proxy activity and internal scanning.
- Ensure your Mac is running Apple’s XProtect and MRT software and that it is up to date.
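An added example that puts the first recommendation into practice (it is not Volexity’s tooling and not code from the article): it parses the launchd property lists in the LaunchAgents and LaunchDaemons directories and reports every job whose program falls outside an assumed set of Apple-managed paths, so a reviewer can see what starts automatically. The directory list and the trusted prefixes are assumptions to adjust to your own baseline; a flagged entry means “review this”, not “this is malware”.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# launchd persistence locations the recommendation tells readers to audit;
# the ~ entry is expanded when the directory is read (assumed list).
DEFAULT_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "~/Library/LaunchAgents"]

# Assumed baseline: programs under these prefixes ship with macOS. Anything
# else is reported for a human to review, not declared malicious.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/Library/Apple/")


def program_of(item):
    """Executable a launchd job runs: ProgramArguments[0] wins over Program."""
    args = item.get("ProgramArguments")
    return args[0] if args else item.get("Program")


def audit_dir(directory):
    """Parse each .plist in directory and return one finding per job."""
    findings = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                item = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, OSError) as exc:
            # A file launchd cannot parse is itself worth a look.
            findings.append({"plist": str(path), "label": None, "program": None,
                             "reasons": [f"unparseable plist: {exc}"]})
            continue
        program = program_of(item)
        reasons = []
        if program is None:
            reasons.append("no Program or ProgramArguments")
        elif not program.startswith(TRUSTED_PREFIXES):
            reasons.append("program outside trusted prefixes")
        if not item.get("Label"):
            reasons.append("missing Label")
        findings.append({"plist": str(path), "label": item.get("Label"),
                         "program": program, "reasons": reasons})
    return findings


def audit(dirs=DEFAULT_DIRS):
    """Audit every listed directory that exists; returns merged findings."""
    results = []
    for d in dirs:
        if Path(d).expanduser().is_dir():
            results.extend(audit_dir(d))
    return results


if __name__ == "__main__":
    for f in audit():
        mark = "REVIEW" if f["reasons"] else "ok    "
        print(mark, f["plist"], f["label"], f["program"], "; ".join(f["reasons"]))
```

Run it periodically and diff the output against a known-good copy; a new entry, or an existing one whose program path changed, is the kind of persistence change the recommendation asks you to catch.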
Nice
Nick:
A very important and well-written PSA.
This is perhaps the most detailed article I’ve seen on this exploit, and better still, you’ve provided specific guidance on how Mac users specifically can protect themselves.
Great piece of work!
“GIMMICK uses public cloud services, such as Google Drive”
It doesn’t appear that the security researchers have nailed down exactly how it transmits itself. However, the most common ways for this type of threat to become real are through phishing emails, social media spam, open RDP ports, and drive-by downloads from compromised websites. Years ago, I remember Handbrake, a popular video transcoder, got compromised. Right on Handbrake’s own servers.