If you follow the global threat landscape closely, then you may already be aware of a notorious Chinese hacking collective known as “Storm Cloud.” What few people know is that this group seems to be the driving force behind a new variant of malware that researchers have recently spotted in the wild.
Dubbed “GIMMICK” by the researchers at Volexity who first discovered it, the malicious code seems to be a custom tool designed and built by Storm Cloud specifically to target Mac users.
Once GIMMICK has found its way onto a target system, it quietly installs a trio of malware components called DriveManager, FileManager, and GCDTimerManager.
The DriveManager component gives the malware the following capabilities:
- Manage the Google Drive and proxy sessions.
- Maintain a local map of the Google Drive directory hierarchy in memory.
- Manage locks for synchronizing tasks on the Google Drive session.
- Handle download and upload tasks to and from the Google Drive session.
FileManager as the name indicates, manages the local directory where particulars relating to the command-and-control server are stored, along with the command tasks necessary for file exfiltration.
Finally, the GCDTimerManager handles the management of the various GCD objects.
The researchers at Volexity had this to say about the malware in their recently published report:
“Due to the asynchronous nature of the malware operation, command execution requires a staged approach. Though the individual steps occur asynchronously, every command follows the same.”
The bottom line is that this is a complex, robust malware strain. The good news is that the fine folks at Apple have found ways to guard against this latest threat. The company has rolled out new protections to all supported macOS versions with new signatures for XProtect and MRT.
The new signatures that have been available since March 17, 2022 should protect users against GIMMICK. So if it’s been a while since you updated your OS, now is the time to do so. Kudos to Apple for their rapid response here and to the sharp-eyed researchers at Volexity for spotting the new threat.