GIMMICK is used in attacks by Storm Cloud, a threat actor of Chinese origin known to target organizations in Asia. GIMMICK is a multi-platform malware family with advanced features that uses cloud hosting services such as Google Drive to communicate with its command and control (C2) servers. The newly detected macOS variant is written in Objective-C, while other variants targeting Windows systems are known to be developed in .NET and Delphi. Despite the fundamental differences in programming language and targeted operating system, these variants are tracked under the same name because they share C2 architecture, file paths, and behavior patterns.
GIMMICK can be launched either as a daemon or directly by the user on macOS systems. When GIMMICK is run by a user, the malware first drops the PLIST file it carries into the /Users/<username>/Library/LaunchAgents directory, installing itself as a "Launch Agent" for that specific logged-in user. Consequently, GIMMICK is executed every time that user logs on to the vulnerable system. In addition, the technical analysis revealed that the malware was customized to imitate an application commonly launched by the targeted user.
The GIMMICK samples examined have a highly developed and complex structure, and it is expected that other operating systems will also be targeted through this malware family. To avoid becoming the target of similar attacks, macOS users are especially advised to regularly check persistence locations such as LaunchAgents and LaunchDaemons, or to use security solutions developed for this purpose, and to monitor network traffic and proxy activity. It is also important to enable Apple's XProtect and MRT services and to block the IoCs identified for this malware in the security solutions in use.
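As an added example that is not part of the original report, the following Python script performs the LaunchAgents/LaunchDaemons check recommended above against the persistence pattern described earlier: it parses each launchd plist, records whether the job runs at login, and flags jobs whose program lives outside a set of assumed trusted prefixes. The trusted-prefix list and the labels and paths in the constructed sample plists are assumptions for the demo, not indicators from the report.

```python
import os
import plistlib
import tempfile

# Where legitimate launchd programs normally live (assumption for this demo).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# The persistence locations the report recommends checking regularly.
PERSISTENCE_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
                    "/Library/LaunchAgents", "/Library/LaunchDaemons"]

def audit_plist(path):
    """Describe one launchd job and list reasons it deserves a closer look."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    # launchd runs Program if present, otherwise ProgramArguments[0].
    prog = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
    reasons = []
    if prog is None:
        reasons.append("no program specified")
    elif not prog.startswith(TRUSTED_PREFIXES):
        # A job started from a user-writable path is the pattern to investigate.
        reasons.append("program outside trusted paths: " + prog)
    return {"file": path, "label": plist.get("Label"), "program": prog,
            "runs_at_load": bool(plist.get("RunAtLoad") or plist.get("KeepAlive")),
            "suspicious": reasons}

def audit_dirs(dirs=PERSISTENCE_DIRS):
    """Audit every .plist in the given directories, skipping absent ones."""
    findings = []
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".plist"):
                    findings.append(audit_plist(os.path.join(d, name)))
    return findings

def demo():
    """Run the audit over two constructed plists (hypothetical, not real IoCs)."""
    tmp = tempfile.mkdtemp()
    samples = {
        "com.example.legit": {"Program": "/Applications/Example.app/Contents/MacOS/Example"},
        "com.example.lookalike": {"ProgramArguments": ["/Users/alice/Library/Caches/.h/helper"]},
    }
    for label, body in samples.items():
        with open(os.path.join(tmp, label + ".plist"), "wb") as fh:
            plistlib.dump(dict(body, Label=label, RunAtLoad=True), fh)
    return audit_dirs([tmp])
```

Calling audit_dirs() with no arguments audits the real persistence directories on a Mac; demo() runs the same logic over the constructed samples, where only the job launched from the hidden cache path is flagged.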