Experts discovered GIMMICK custom malware for macOS
Volexity researchers have discovered a previously undocumented macOS variant of the malware they call GIMMICK, which they attribute to Storm Cloud, a Chinese espionage threat actor.
The sample was recovered from the memory (RAM) of a MacBook Pro running macOS 11.6 (Big Sur) that was compromised during a cyber-espionage campaign in late 2021.
GIMMICK is a multi-platform malware family written in Objective-C (for macOS) or in .NET and Delphi (for Windows). All variants share the same C&C architecture, file paths, behaviours, and use of Google Drive as the command channel, so they are tracked as one tool despite the differences in code.
GIMMICK is run either directly by the user or as a launchd daemon on the system; in the daemon case persistence is established through a launchd property list (PLIST), and the binary is given the name of an application that is actively used on the target device so that it blends in.
The malware then initializes itself by decoding its embedded configuration data in several steps, and finally establishes a session with Google Drive using the OAuth2 credentials built into the binary.
Once initialized, GIMMICK instantiates three components: DriveManager, FileManager, and GCDTimerManager. DriveManager is responsible for managing Google Drive sessions: it keeps a local map of the Google Drive directory hierarchy in memory, manages locks for synchronizing tasks within a session, and handles the upload and download tasks carried out over that session.
The hardware UUID of each infected system is used as the identifier of its corresponding Google Drive directory.
FileManager manages the local directory that stores C&C information and tasks, while GCDTimerManager manages the various GCD (Grand Central Dispatch) timer objects that schedule the malware's periodic work.
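The description above gives a defender two concrete hunting leads: a launchd job whose program is named after an application the user actually runs but lives outside that app's bundle, and a per-host Google Drive directory named after the machine's hardware UUID. The script below is an added example written for this page; it is not GIMMICK's code nor Volexity's tooling. The two plist samples, the label `com.google.drivehelper`, the path under `.drive`, and the `KNOWN_APP_NAMES` list are all constructed for illustration and are not indicators of compromise.

```python
"""Hunt launchd persistence items of the kind described above (added example).

The checks encode the reported behaviour: a daemon/agent whose binary carries
the name of a commonly used application. Sample plists below are constructed.
"""
from __future__ import annotations

import plistlib
import re
import shutil
import subprocess
from pathlib import Path, PurePosixPath

# Locations from which a launchd job normally runs its program. Anything
# else (user-writable Application Support, Caches, hidden dirs, /tmp) is a
# hunting lead, not proof of compromise.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Constructed list: application names an attacker might borrow for a lookalike.
KNOWN_APP_NAMES = {"Google Drive", "Slack", "Zoom", "Safari", "Microsoft Teams"}

# Constructed samples: a legitimate updater and a lookalike persistence item.
SAMPLE_PLISTS = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/ExampleUpdater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.google.drivehelper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.drivehelper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.drive/Google Drive</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}


def program_path(job: dict) -> str | None:
    """Return the executable a launchd job runs (Program wins over ProgramArguments)."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def assess_job(job: dict) -> list[str]:
    """Return human-readable findings for one parsed launchd job (empty = nothing odd)."""
    path = program_path(job)
    if path is None:
        return ["no Program/ProgramArguments (malformed job)"]
    findings = []
    p = PurePosixPath(path)
    if not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted locations: {path}")
    if any(part.startswith(".") for part in p.parts):
        findings.append(f"program under a hidden directory: {path}")
    if p.name in KNOWN_APP_NAMES and ".app/Contents/" not in path:
        findings.append(f"binary named like an application but not inside an app bundle: {p.name}")
    if job.get("RunAtLoad") and bool(job.get("KeepAlive")):
        findings.append("starts at load and is restarted by launchd if killed (KeepAlive)")
    return findings


def hunt(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Assess a mapping of plist file name -> raw plist bytes (XML or binary)."""
    return {name: assess_job(plistlib.loads(raw)) for name, raw in plists.items()}


def hardware_uuid() -> str | None:
    """IOPlatformUUID on macOS, None elsewhere. The text above says the malware
    names the victim's Google Drive directory after this value, so it is the
    string to look for in Drive API or proxy logs when scoping an intrusion."""
    if shutil.which("ioreg") is None:
        return None
    out = subprocess.run(["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
                         capture_output=True, text=True, check=False).stdout
    m = re.search(r'"IOPlatformUUID" = "([0-9A-Fa-f-]+)"', out)
    return m.group(1) if m else None


def hunt_live_system() -> dict[str, list[str]]:
    """Scan the usual launchd directories on the host this runs on."""
    dirs = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"),
            Path("/Library/LaunchDaemons")]
    found: dict[str, bytes] = {}
    for d in dirs:
        for f in (d.glob("*.plist") if d.is_dir() else []):
            try:
                found[str(f)] = f.read_bytes()
            except OSError:
                pass
    return hunt(found)


if __name__ == "__main__":
    for name, findings in {**hunt(SAMPLE_PLISTS), **hunt_live_system()}.items():
        if findings:
            print(name, *findings, sep="\n  ")
    print("hardware UUID (Drive directory name to search for):", hardware_uuid())
```

Run it on a macOS host to list persistence items worth a closer look alongside the hardware UUID to pivot on; on other platforms it only evaluates the constructed samples. Flagged items still need triage (code signature, bundle location, network connections to Google Drive API hosts) before they are treated as malicious.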
Let me remind you that Chinese hackers cover their tracks and remove malware a few days before detection, and also that Cynos malware from AppGallery infiltrated at least 9.3 million Android devices.