|Category: Malware Intelligence||Threat Type: Malware||Motivation: Financial||Region: Global||Source*: F6|
Summary - Gimmick macOS Malware
- Gimmick malware is widely attributed to a Chinese cyber espionage group named Storm Cloud, which has a history of targeting Asian regions.
- Based on various resources, threat intelligence researchers discovered that Gimmick macOS malware communicates only through its C2 server hosted on Google Drive. The first sample submission of this malware was reported to be around March.
- This malware is distributed as a CorelDraw file that weighs 713.77 KB: ‘2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr’
- Despite its CorelDraw extension, this sample is actually a Mach-O file. Mach-O, short for Mach object file format, is the file format for executables, object code, shared libraries, dynamically loaded code, and core dumps on macOS.
- Based on this observation, CloudSEK researchers identified various techniques used by threat actors to bypass the Mach-O restrictions.
- Threat actors can also use these techniques to amplify the spread of this malware.
- CloudSEK threat intelligence researchers also discovered a threat actor selling a method that can execute a Mach-O file on any machine across all versions of macOS, without the need to code-sign the binary.
- The actor claims that this method effectively removes the "com.apple.quarantine" attribute from the binary, enabling the code to execute on any machine other than their own.
- The threat actor mentions that this method only applies to macOS devices, not iOS.
- The actor has also advertised their loader malware on a cybercrime forum and is actively searching for a partner to spread it.
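The two defender-relevant points above, a Mach-O executable hiding behind a document extension and the presence or absence of the com.apple.quarantine attribute, can be checked from file headers rather than file names. The script below is an added example, not CloudSEK's or F6's tooling; the sample files it scans are constructed in a temporary directory, and the quarantine check shells out to the macOS xattr command (returning None on other platforms).

```python
import os
import struct
import subprocess
import sys
import tempfile

# Thin Mach-O magics in both byte orders (32-bit and 64-bit headers).
THIN_MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                     b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"
# Document-style extensions an executable has no business carrying (.cdr = CorelDraw).
DOCUMENT_EXTS = {".cdr", ".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}

def is_macho(path):
    """Classify a file by its header bytes rather than its extension."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head[:4] == FAT_MAGIC:
        # A fat/universal header puts nfat_arch (big-endian uint32) here; a Java
        # .class file shares this magic but carries a version word >= 45 instead.
        return len(head) == 8 and struct.unpack(">I", head[4:])[0] < 45
    return head[:4] in THIN_MACHO_MAGICS

def has_quarantine_xattr(path):
    """True/False on macOS depending on com.apple.quarantine; None elsewhere."""
    if sys.platform != "darwin":
        return None
    r = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                       capture_output=True)
    return r.returncode == 0

def find_disguised_macho(root):
    """Return [(path, quarantined)] for Mach-O files hiding behind document extensions."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in DOCUMENT_EXTS and is_macho(path):
                findings.append((path, has_quarantine_xattr(path)))
    return findings

def demo():
    """Constructed sample: a fake 64-bit Mach-O named like a CorelDraw file,
    a genuine text file with the same extension, and a Java-style class file."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"brochure.cdr": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
                   "notes.cdr": b"just a text file",
                   "Foo.txt": FAT_MAGIC + b"\x00\x00\x00\x34"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return [os.path.basename(p) for p, _ in find_disguised_macho(d)]

if __name__ == "__main__":
    print(demo())  # ['brochure.cdr']
```

A file flagged here that also lacks the quarantine attribute after being downloaded is exactly the condition the advertised method aims to produce, and is worth treating as a higher-severity finding.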