Detecting a dangerous macOS virus developed by a Chinese hacker group
Security researchers at Volexity discovered GIMMICK. They recovered it from the RAM of a MacBook Pro running macOS 11.6 that had been compromised during a cyber espionage campaign in late 2021.
Researchers rarely get the chance to examine a custom virus used by highly skilled hacker groups. The reason is that such groups work very carefully, leaving few traces and wiping their malicious code from compromised systems to keep their tools secret and evade IoC-based detection.
However, even the most notorious hackers sometimes make mistakes and leave the virus behind, giving researchers an opportunity to analyze it. Such is the case with GIMMICK.
Dissecting the GIMMICK virus
GIMMICK is a cross-platform virus written in Objective-C (macOS) or in .NET and Delphi (Windows).
All variants of GIMMICK use the same C2 architecture, file paths and behavior patterns, and all heavily abuse Google Drive services. Thus, despite the differences in code, all GIMMICK variants are tracked as a single virus.
On the system, GIMMICK is launched either directly by the user or as a daemon. It then installs itself as a binary file called "PLIST", often mimicking a heavily used application on the victim's machine.
When it runs, the virus performs several steps to decrypt its data and eventually establishes a session with Google Drive using hard-coded OAuth2 credentials.
After initialization, GIMMICK loads three malicious components named DriveManager, FileManager and GCDTimerManager. Of these, DriveManager performs the following tasks:
- Manages Google Drive sessions and proxies.
- Maintains a local, in-memory map of the Google Drive folder hierarchy.
- Manages the keys used to synchronize tasks across Google Drive sessions.
- Handles download and upload tasks to and from a Google Drive session.
Each infected computer's hardware UUID is used as the identifier of its corresponding Google Drive folder.
Meanwhile, FileManager manages the local directory where C2 information and command tasks are stored, and GCDTimerManager manages the various GCD (Grand Central Dispatch) objects.
The commands GIMMICK supports, which are sent to the client AES-encrypted, are listed below:
- Transmit basic system information.
- Upload a file to C2.
- Download a file to the client.
- Execute a shell command and write the output to C2.
- Set the Google Drive timer interval on the client.
- Override the uptime information on the client.
The asynchronous design makes GIMMICK powerful and complex. Porting this virus to macOS is also a feat that demonstrates the skills and resources of the Storm Cloud group.
Volexity does not rule out the possibility that Storm Cloud buys the malicious code from another developer and uses it exclusively.
To defend against GIMMICK, Apple recommends keeping macOS up to date, which brings the latest patches and the latest malware signatures. Also make sure that XProtect and the Malware Removal Tool (MRT) are enabled and working properly on the system.
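Alongside XProtect and MRT, the daemon-style persistence described earlier (a launch job whose binary mimics a popular application) can be audited by hand. The following Python script is an added example, not Volexity's tooling or anything from the GIMMICK report: it walks the standard launchd folders and flags jobs whose program lives outside trusted locations or whose label borrows a well-known vendor name. The trusted prefixes and vendor names are an assumed heuristic, and the sample plist is constructed for illustration.

```python
import plistlib
from pathlib import Path

# Standard folders launchd reads persistence jobs from on macOS.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", str(Path.home() / "Library/LaunchAgents")]
# Assumed heuristic: a legitimate job's binary normally lives under one of these prefixes.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")
# Assumed heuristic: vendor names a disguised job label might borrow to blend in.
MIMICKED_NAMES = ("apple", "google", "chrome", "microsoft", "zoom", "adobe")

# Constructed sample of a disguised launch agent (not a real GIMMICK artefact).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.google.chrome.update</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/ChromeUpdate</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

def program_path(job: dict) -> str:
    # Executable a launchd job runs: Program takes precedence over ProgramArguments[0].
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def assess_job(job: dict) -> list:
    """Return the reasons a launchd job looks suspicious; an empty list means none found."""
    reasons = []
    path = program_path(job)
    label = str(job.get("Label", "")).lower()
    if path and not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {path}")
        if any(name in label for name in MIMICKED_NAMES):
            reasons.append(f"label {label!r} borrows a well-known vendor name")
        if job.get("RunAtLoad") and job.get("KeepAlive"):
            reasons.append("RunAtLoad + KeepAlive: daemon-style persistence")
    return reasons

def scan_plist_bytes(data: bytes) -> list:
    # Assess one plist supplied as bytes (used for the constructed sample).
    return assess_job(plistlib.loads(data))

def scan_dirs(dirs=LAUNCH_DIRS) -> dict:
    """Map each suspicious plist path under the given folders to its list of reasons."""
    findings = {}
    for d in dirs:
        for f in Path(d).glob("*.plist"):  # yields nothing if the folder does not exist
            try:
                reasons = assess_job(plistlib.loads(f.read_bytes()))
            except Exception as exc:  # malformed files are worth a look too
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings[str(f)] = reasons
    return findings
```

Run `scan_dirs()` on a Mac to list flagged jobs; any hit still needs manual review, since third-party software legitimately installs agents from non-standard paths.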