
Security firm notes GIMMICK malware for macOS spreading across Asia, offers preventative countermeasures

A new strain of Mac malware has surfaced: a hacking group out of China that identifies itself as “Storm Cloud” has released new malware known as GIMMICK.

Security firm Volexity discovered the malware after retrieving it from the RAM of a MacBook Pro running macOS Big Sur 11.6. The device became compromised in late 2021 during a cyber espionage campaign.

The firm stated that it had located Windows builds of GIMMICK in the past, and that the macOS variant is something new. The software has reportedly been spreading across Asia, and includes a hefty set of features that adapt across multiple platforms. GIMMICK uses public cloud services, such as Google Drive, for its command and control (C2) channels. Volexity was able to tie the macOS sample to the GIMMICK family because it uses the same C2 channels as the other variants, along with similar file paths and behavioral patterns.

The malware also appears able to embed itself deeply within both the operating system and the macOS file structure, and can blend in by mimicking typical system processes. GIMMICK also runs whenever the computer is on, and uses this run time to blend in with routine functions.

Apple is aware of the situation, and has been working closely with Volexity in developing a solution. On March 17, Apple pushed new signatures to XProtect and MRT to combat GIMMICK.

If you’re wondering how to protect against GIMMICK, take the following steps:

Go to System Preferences > Software Update > Advanced, and verify that Install system data files and security updates is enabled.

Volexity has suggested taking the following additional steps:

– Ensure that you regularly monitor and audit persistence locations, such as LaunchDaemons and LaunchAgents, on endpoint macOS devices. Essentially, make sure you only run software you trust. Volexity recommends using either BlockBlock or KnockKnock.

– Monitor your network activity for anomalous proxy activity and internal scanning.

– Ensure your Mac is running Apple’s XProtect and MRT software, and that the software is up to date.
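Added example, not code from the article, Volexity, or Apple: a small Python audit script for the persistence locations named in the first recommendation. It inventories every plist in the standard LaunchAgents and LaunchDaemons directories using the standard library's plistlib, flags items whose program sits outside typical system and application paths, is missing on disk, or is configured to relaunch itself, and can diff the result against a saved JSON baseline so only new or changed items surface. The trusted-prefix list and the flag rules are assumptions for illustration, not Apple's or Volexity's criteria.

```python
# Hypothetical launchd persistence audit (not Volexity's or Apple's code):
# inventories LaunchAgents/LaunchDaemons plists and flags items worth a look.
import json, os, plistlib, sys
PERSISTENCE_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                    os.path.expanduser("~/Library/LaunchAgents")]
# Programs under these prefixes are expected; anything else is flagged for
# review (third-party tools may live elsewhere, so verify rather than assume).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

def program_of(plist):
    """Executable a launchd item runs: Program, else ProgramArguments[0]."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else None)

def audit(dirs=PERSISTENCE_DIRS):
    """Return {plist_path: {label, program, flags}} for every .plist found."""
    report = {}
    for d in dirs:
        for name in (sorted(os.listdir(d)) if os.path.isdir(d) else []):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    plist = plistlib.load(f)  # reads XML and binary plists
            except Exception:  # a plist launchd cannot parse is still suspicious
                report[path] = {"label": None, "program": None, "flags": ["unparseable"]}
                continue
            prog, flags = program_of(plist), []
            if prog is None:
                flags.append("no program")
            elif not prog.startswith(TRUSTED_PREFIXES):
                flags.append("program outside trusted prefixes")
            if prog and not os.path.exists(prog):
                flags.append("program missing on disk")
            if plist.get("RunAtLoad") and plist.get("KeepAlive"):
                flags.append("RunAtLoad+KeepAlive")  # relaunched if it exits
            report[path] = {"label": plist.get("Label"), "program": prog, "flags": flags}
    return report

def diff_baseline(baseline, current):
    """Items added since a saved baseline, or whose program changed."""
    return {p: v for p, v in current.items()
            if p not in baseline or baseline[p]["program"] != v["program"]}

if __name__ == "__main__":  # usage: audit.py [baseline.json]
    report = audit()
    if len(sys.argv) > 1:
        report = diff_baseline(json.load(open(sys.argv[1])), report)
    print(json.dumps(report, indent=2))
```

Run it once, save the output as a baseline, and schedule it to run again with that file as its argument; an empty result means nothing new has been planted in those directories.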

Stay tuned for additional details as they become available.

Via The Mac Observer and Volexity blog