A new macOS variant of a malware implant has been discovered. The so-called Gimmick malware is attributed to a threat group known as Storm Cloud. Gimmick has been described as feature-rich and multi-platform, using public cloud hosting services such as Google Drive for its command-and-control (C2) infrastructure.
Gimmick macOS Malware: What Is Known So Far
According to Volexity researchers, who detailed the malware, the Storm Cloud threat group has been observed targeting Tibetan organizations since at least 2018. The attacks were launched at a very limited subset of visitors to over two dozen different Tibetan websites that the hackers had managed to compromise, their report said. Kaspersky researchers also have observed similar targeted attacks that date back to the same period.
It is also noteworthy that, despite the lack of evidence of a relationship between Storm Cloud and OceanLotus, there are similarities in the way the attacks occur. Volexity’s analysis is based on a sample recovered through memory analysis taken from a compromised MacBook Pro running macOS 11.6 (Big Sur), which was part of a campaign in late 2021.
The next step of the attack is to get victims to install the payload themselves, by tricking them into accepting a fake Adobe Flash Player update. The researchers described how the update message is displayed to victims:
In the earliest versions, the attackers had a fairly basic way of displaying and showing the message. Over time, this code evolved to support multiple browsers, including mobile devices, with customized messages according to the browser used. Despite the support of mobile devices in the code, Volexity has only identified delivery of Windows payloads for this particular aspect of the campaign.
It is noteworthy that the Windows variant of Gimmick is coded in .NET and Delphi, whereas the macOS counterpart is written in Objective-C. Although the two variants are written in different languages, they share the same C2 infrastructure and behavioral patterns.
To summarize how Gimmick is deployed on a compromised system: it is launched either as a daemon or as a customized app made to look like a legitimate program. The malware then communicates with its C2 server, which is hosted on Google Drive. It does so only on working days, so that its traffic blends in with regular network activity and remains undetected.
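The working-days-only schedule described above is meant to hide C2 check-ins inside normal cloud-storage traffic, but it leaves a signature of its own: a client that talks to a storage API only on weekdays and at a fixed interval is behaving like a scheduler, not like a person syncing files. The following heuristic is an added example written for this article; it is not code from Volexity or from the Gimmick sample. It assumes simplified proxy log lines of the form "<ISO-8601 timestamp> <client> <destination host> <bytes>", and both the watched domain list and the sample traffic are constructed for illustration rather than taken from the report.

```python
"""Heuristic for spotting cloud-storage C2 check-ins confined to business days.

Added example for this article, not code from Volexity or from the Gimmick
sample. Log format, watched domains and sample traffic are all assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Cloud-storage API hosts to watch. Assumed for the example; the article does
# not publish the exact endpoints Gimmick talks to.
WATCHED_HOSTS = {"www.googleapis.com", "drive.google.com"}

GAP_BIN_SECONDS = 300  # inter-request gaps are binned to 5 minutes


def parse_line(line):
    """Split one log line into (timestamp, client, destination, bytes)."""
    ts, client, dest, size = line.split()
    return datetime.fromisoformat(ts), client, dest, int(size)


def profile(timestamps):
    """Describe one client's contact pattern with the watched hosts.

    weekday_fraction: share of requests made Monday to Friday.
    modal_gap_fraction: share of inter-request gaps that land in the single
    most common 5-minute bin. A fixed beacon interval pushes this up, while a
    person's file syncing spreads gaps across many bins.
    """
    ts = sorted(timestamps)
    weekday_fraction = sum(1 for t in ts if t.weekday() < 5) / len(ts)
    gaps = [round((b - a).total_seconds() / GAP_BIN_SECONDS)
            for a, b in zip(ts, ts[1:])]
    modal_gap_fraction = (Counter(gaps).most_common(1)[0][1] / len(gaps)
                          if gaps else 0.0)
    return {"events": len(ts), "weekday_fraction": weekday_fraction,
            "modal_gap_fraction": modal_gap_fraction}


def analyze(lines, min_events=10, weekday_min=0.95, modal_min=0.6):
    """Return per-client metrics; 'flagged' marks business-day-only beaconing."""
    by_client = defaultdict(list)
    for line in lines:
        t, client, dest, _ = parse_line(line)
        if dest in WATCHED_HOSTS:          # ignore traffic to other hosts
            by_client[client].append(t)
    results = {}
    for client, ts in by_client.items():
        p = profile(ts)
        p["flagged"] = (p["events"] >= min_events
                        and p["weekday_fraction"] >= weekday_min
                        and p["modal_gap_fraction"] >= modal_min)
        results[client] = p
    return results


def build_sample_log():
    """Construct synthetic proxy log lines (not real traffic) for three clients."""
    lines = []
    start = datetime(2021, 11, 1)  # a Monday
    for day in range(14):
        d = start + timedelta(days=day)
        # mac-01: hourly check-ins 09:00-16:00 on weekdays only, +/-1 min jitter
        if d.weekday() < 5:
            for hour in range(9, 17):
                jitter = (day * 8 + hour) % 3 - 1
                t = d.replace(hour=hour, minute=0) + timedelta(minutes=jitter)
                lines.append(f"{t.isoformat()} mac-01 www.googleapis.com 1432")
        # mac-02: a person syncing files at irregular times, weekends included
        for k, hour in enumerate((7, 12, 13, 20)):
            if (day + k) % 3 == 0:
                t = d.replace(hour=hour, minute=(day * 17 + k * 11) % 60)
                lines.append(f"{t.isoformat()} mac-02 drive.google.com {500 + day * 40}")
    # mac-03 never touches a watched host and should not appear in the output
    lines.append(f"{start.isoformat()} mac-03 www.apple.com 2048")
    return lines


if __name__ == "__main__":
    for client, p in sorted(analyze(build_sample_log()).items()):
        print(client, p)
```

Run as a script it prints one metrics line per client; mac-01 is flagged (all requests on weekdays, almost every gap in the same one-hour bin), while mac-02's weekend activity and scattered intervals keep it below both thresholds. The thresholds are starting points to tune against a site's own baseline, and the weekday test should be evaluated in the client's local time zone, since a UTC-only view would shift a 09:00-17:00 schedule across day boundaries for some offices.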
“The nature of this campaign may seem basic, but the resources to continuously update infrastructure, write new malware, and maintain these attacks across more than one platform should not be understated,” the researchers said in conclusion.
In January 2022, researchers detected a previously unknown macOS malware, codenamed DazzleSpy and MACMA. That attack relied on a WebKit exploit to compromise Mac users, and its payload appears to be a new malware family specifically targeting macOS.