Summary - Gimmick MacOS Malware
This report analyses the malware called Gimmick and its chances of further exploitation by cyber criminals. The malware was discovered by the security firm Volexity in the first week of May and has been actively targeting MacOS devices. Based on underground discussions, CloudSEK researchers expect this malicious software to ramp up infection attempts.
- A new malware dubbed Gimmick, discovered in May 2022, is actively targeting MacOS devices.
- The malware is intended to spread incessantly using file names that are unique to the target device.
- Gimmick gains persistence and communicates through the target system’s Google Drive C2 server.
- The file sample used by the malware is also capable of MacOS CodeSign bypass.
- Use Apple’s XProtect built-in anti-malware protection security feature for signature-based detection of malware.
- Audit and monitor malware persistence locations as well as network traffic to detect anomalous activities.
Analysis and Attribution
Information from OSINT
- Gimmick malware is being heavily attributed to a Chinese cyber espionage group named Storm Cloud that has a history of targeting Asian regions.
- Based on various resources, threat intelligence researchers discovered that Gimmick MacOS malware communicates only through its C2 server hosted on Google Drive. The first sample submission of this malware was reported to be around March.
- This malware is distributed as a CorelDraw file of 713.77 KB: ‘2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr’
- This CorelDraw file sample is a Mach-O type file. Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically-loaded code, and core dumps.
- Based on this observation, CloudSEK researchers identified various techniques used by threat actors to bypass the Mach-O restrictions.
- Threat actors can also amplify the spread of this malware using these techniques.
Cybercrime Forum Analysis
- CloudSEK threat intelligence researchers also discovered a threat actor selling a method that can execute a Mach-O file on any machine across all versions of MacOS, without needing to code-sign the binary.
- The actor claims that this method effectively removes the "com.apple.quarantine" attribute from the binary, enabling the execution of the code on any machine outside their own.
- The threat actor mentions that this method only applies to MacOS devices, and not iOS.
- The actor has also advertised their loader malware on the cybercrime forum and is actively searching for a partner to spread it.
Image: Threat actor’s post on the cybercrime forum
Indicators of Compromise (IOCs)
Based on VirusTotal and Triage scan results, given below is a list of IOCs for Gimmick MacOS malware:
Impact & Mitigation
- Gimmick MacOS malware gains persistence and communicates through the target system’s Google Drive C2 server.
- The file sample used by Gimmick is also capable of MacOS CodeSign bypass.
- The malware is capable of infecting other devices on the network in order to maintain persistence and steal credentials.
- If the attack exposes Personally Identifiable Information (PII), it could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft.
- Since password reuse is a common practice, actors could leverage exposed credentials to access other accounts of the user.
- Use Apple’s XProtect built-in anti-malware protection security feature for signature-based detection and removal of malware.
- Audit and monitor malware persistence locations as well as network traffic for anomalies that indicate a possible malware infection.
- Check for possible workarounds and patches while keeping the ports open.
- Use MFA (multi-factor authentication) across logins.
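The persistence audit recommended above, combined with the quarantine-attribute and code-signing checks that the forum method claims to defeat, can be scripted. The following is an added example written for this report (not CloudSEK's, Volexity's or Apple's code): it walks the launchd persistence directories, resolves each job's target binary, identifies Mach-O files by their header magic, and flags any that lack the com.apple.quarantine attribute or fail `codesign --verify`. The `xattr` and `codesign` calls only work on MacOS; on other hosts they report `None`, and `build_sample()` constructs a fixture so the plist and Mach-O logic can be exercised anywhere.

```python
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# launchd persistence locations that MacOS malware commonly abuses
PERSISTENCE_DIRS = [Path.home() / "Library/LaunchAgents",
                    Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

def is_macho(path):
    """True if the file begins with a Mach-O or fat-binary magic number."""
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS
def launchd_program(plist_path):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    with open(plist_path, "rb") as f:
        job = plistlib.load(f)
    return job.get("Program") or (job.get("ProgramArguments") or [None])[0]
def macos_check(cmd):
    """Run a MacOS-only tool; None if it is absent, else True when it exits 0."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, capture_output=True).returncode == 0
def audit(dirs=PERSISTENCE_DIRS):
    """List launchd jobs whose Mach-O target is unquarantined or fails codesign."""
    findings = []
    for d in dirs:
        for plist in sorted(Path(d).glob("*.plist")):
            prog = launchd_program(plist)
            if not prog or not Path(prog).is_file() or not is_macho(prog):
                continue  # missing targets and script/interpreter jobs are out of scope
            q = macos_check(["xattr", "-p", "com.apple.quarantine", prog])
            s = macos_check(["codesign", "--verify", prog])
            if q is not True or s is not True:
                findings.append({"plist": str(plist), "program": prog,
                                 "quarantined": q, "signed": s})
    return findings
def build_sample():
    """Constructed fixture: a LaunchAgent plist pointing at a fake 64-bit Mach-O."""
    root = Path(tempfile.mkdtemp())
    fake = root / "updater"
    fake.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # header magic only
    with open(root / "com.example.updater.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.updater", "ProgramArguments": [str(fake)]}, f)
    return root
```

Run `audit()` with no arguments on a MacOS host to review the real persistence directories; every entry returned deserves a closer look, and a `quarantined` value of `False` on a recently downloaded binary is exactly the condition the forum-advertised bypass produces.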