کارشناسان بدافزار سفارشی GIMMICK را برای macOS کشف کردند

Volexity cybersecurity researchers have discovered a new variant of macOS malware called GIMMICK that is believed to be used by the Chinese cybercriminal group Storm Cloud.

Experts have identified malware in the RAM of a MacBook Pro running macOS 11.6 (Big Sur) that was compromised during a cyber-espionage campaign in late 2021.

GIMMICK is a multi-platform malware written in Objective C (for macOS) or .NET and Delphi (for Windows). All variants of the malware use the same C&C architecture, file paths, behaviours, و گوگل Drive features. از این رو, they are tracked as one tool, despite the differences in the code.

GIMMICK is run either directly by the user or as a daemon on the system, and is installed as a binary file called PLIST, usually simulating an actively used application on the target device.

The malware then initializes itself by taking several steps to decode the data and eventually establishes a session with Google Drive using the built-in OAuth2 credentials.

Once initialized, GIMMICK loads three malicious components: DriveManager, FileManager, و GCDTimerManager. The first component is responsible for managing Google Drive sessions, keeping the local map of the Google Drive directory hierarchy in memory, managing locks for synchronizing tasks in a Google Drive session, and handling uploading and downloading tasks into a Google Drive session.

The hardware UUID of each infected system is used as the identifier of its corresponding Google Drive directory.

The FileManager manages the local directory that stores C&C information and tasks, while the GCDTimerManager takes care of managing the various GCD objects.

Due to the asynchronous nature of malware, command execution requires a phased approach. Although individual steps are executed asynchronously, all commands are executed in the same way.کارشناسان خاطرنشان کردند.
Apple has also rolled out new protections for all supported versions of macOS with new signatures for XProtect and MRT, which should block and remove malware from March 17, 2022.

بگذارید این را به شما یادآوری کنم Chinese hackers cover their tracks and remove malware a few days before detection, and also that Cynos malware from AppGallery infiltrated at least 9.3 میلیون دستگاه اندروید.

هلگا اسمیت

من همیشه به علوم کامپیوتر علاقه داشتم, به خصوص امنیت داده ها و موضوع, که امروزه نامیده می شود "علم داده", از اوایل نوجوانی من. قبل از ورود به تیم حذف ویروس به عنوان سردبیر, من به عنوان کارشناس امنیت سایبری در چندین شرکت کار کردم, از جمله یکی از پیمانکاران آمازون. یک تجربه دیگر: من در دانشگاه های آردن و ریدینگ تدریس می کنم.

پاسخ دهید

این سایت از Akismet برای کاهش هرزنامه استفاده می کند. با نحوه پردازش داده های نظر خود آشنا شوید.

دکمه بازگشت به بالا