
GIMMICK Malware

A previously unknown malware targeting macOS devices has been uncovered by infosec researchers. Tracked as GIMMICK, the threat has been attributed to the malicious arsenal of a Chinese cyberespionage group known as Storm Cloud. Details about the threat were published in a report by researchers, who were able to extract the malware from the RAM of a MacBook Pro device. The device is believed to have been infected as part of an espionage campaign that took place in late 2021.

Technical Details

GIMMICK is a multi-platform threat. Its macOS variants are written in Objective-C, while the Windows-targeting ones are built with .NET and Delphi. Despite certain code differences, all variants exhibit the same behavioral patterns, Command-and-Control (C2, C&C) infrastructure and file paths. It should also be noted that the malware heavily abuses Google Drive services.

After being deployed on a targeted system, GIMMICK loads three separate malware components: DriveManager, FileManager and GCDTimerManager. The names of the components reflect their tasks. FileManager governs the local directory containing the C2 information and the data related to command tasks. GCDTimerManager oversees the management of the required Grand Central Dispatch (GCD) objects. DriveManager, on the other hand, is responsible for the various Google Drive-related actions. More specifically, it manages the Google Drive and proxy sessions, maintains a local map of the specific Google Drive directory's hierarchy, handles download and upload tasks via the Google Drive session, and more.
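Because the sample was recovered from memory, one practical triage step is to look for the three component class names in a memory image or dumped Mach-O. The script below is an added example written for this page, not code from the researchers' report or from the malware: the only page-derived facts are the three component names, and the whole-token matching, the co-location window and the constructed sample image are assumptions of the example. FileManager on its own is worthless as an indicator (NSFileManager is in practically every macOS binary), so a hit is only reported when all three names appear near each other.

```python
import re

# Component class names as given in the write-up; everything else in this
# example (token matching, window size, sample data) is an assumption.
COMPONENT_NAMES = (b"DriveManager", b"FileManager", b"GCDTimerManager")

# Match each name as a whole identifier so that "NSFileManager", which is in
# practically every macOS binary, does not count as a "FileManager" hit.
_PATTERNS = {
    name: re.compile(rb"(?<![A-Za-z0-9_])" + re.escape(name) + rb"(?![A-Za-z0-9_])")
    for name in COMPONENT_NAMES
}


def find_components(data: bytes) -> dict:
    """Return {name: [offsets]} for every whole-token occurrence of each name."""
    return {name: [m.start() for m in pat.finditer(data)]
            for name, pat in _PATTERNS.items()}


def component_cluster(data: bytes, window: int = 64 * 1024):
    """Return (start_offset, {name: offset}) for the first region in which all
    three component names occur within `window` bytes of each other, else
    None. Requiring co-location is what makes the hit meaningful: each name
    by itself is too generic to act on."""
    hits = find_components(data)
    if not all(hits[name] for name in COMPONENT_NAMES):
        return None
    for anchor in hits[COMPONENT_NAMES[0]]:
        cluster = {COMPONENT_NAMES[0]: anchor}
        for name in COMPONENT_NAMES[1:]:
            near = [off for off in hits[name] if abs(off - anchor) <= window]
            if not near:
                break
            cluster[name] = min(near, key=lambda off: abs(off - anchor))
        else:
            return min(cluster.values()), cluster
    return None


# Constructed sample image: a benign-looking region that only carries the
# generic NSFileManager class, then a region carrying all three names as
# NUL-terminated strings, the way __objc_classname stores them.
BENIGN = b"\x00NSFileManager\x00NSURLSession\x00AppDelegate\x00" * 4
SUSPECT = b"\x00DriveManager\x00FileManager\x00GCDTimerManager\x00"
SAMPLE_IMAGE = BENIGN + b"\x00" * 256 + SUSPECT

if __name__ == "__main__":
    result = component_cluster(SAMPLE_IMAGE)
    if result:
        start, names = result
        print(f"possible GIMMICK component set near offset {start:#x}: {names}")
    else:
        print("no co-located component names found")
```

On a real image, pass the raw bytes of the memory dump or binary to `component_cluster`; a reported cluster is a reason to pull the surrounding region into a disassembler, not a verdict on its own, since any binary that happens to reuse these class names would also match.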

Threatening Commands

According to the researchers, the asynchronous nature of the GIMMICK operation necessitates a staged approach to command execution. The commands, seven in total, are transmitted to the system in AES-encrypted form. The threat actor can instruct the malware to transmit basic system information about the breached device, upload files to the C2 servers or download chosen files to the infected system, execute shell commands, and more.
