Detect dangerous macOS virus developed by Chinese hacker group

Researchers have discovered a previously unknown macOS virus. It is named GIMMICK and is the product of the Storm Cloud cyber-espionage hacker group from China.

Security researchers at Volexity discovered GIMMICK. They recovered it from the RAM of a MacBook Pro running macOS 11.6 that had been compromised during a cyber-espionage campaign in late 2021.

Getting hold of a custom virus used by highly skilled hacker groups is rare. Such groups work very carefully, leaving few traces and wiping their malicious code to keep their tools secret and avoid IoC-based detection.

However, sometimes even the most notorious hackers make mistakes and leave the virus behind, giving researchers an opportunity to analyze it. Such is the case with GIMMICK.

Dissecting the GIMMICK virus

GIMMICK is a cross-platform virus written in Objective-C (macOS) or in .NET and Delphi (Windows).

All variants of GIMMICK share the same C2 architecture, file paths and behavioral patterns, and all abuse Google Drive services. Thus, despite the differences in code, all GIMMICK variants are tracked as a single virus.


On the system, GIMMICK is launched directly by the user or as a daemon. It then installs itself as a binary and a "PLIST" file, often named to mimic a heavily used application on the victim's machine.
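One way a defender can triage launch agent and daemon plists for the masquerading pattern described above (a persistence entry named after a heavily used application whose executable lives outside that app's bundle). This is an added example, not code from the article or from Volexity; the installed-app inventory and the two plists are constructed, and the heuristic is an assumption, not a GIMMICK indicator.

```python
"""Flag launchd plists that borrow an installed app's name while pointing
at a binary outside that app's bundle. Sample data is constructed."""
import plistlib
from pathlib import PurePosixPath
from typing import Optional

# Constructed inventory of heavily used apps on the host (name -> bundle).
INSTALLED_APPS = {
    "Google Chrome": "/Applications/Google Chrome.app",
    "Slack": "/Applications/Slack.app",
}

# Constructed plists: one legitimate, one masquerading as Chrome.
SAMPLE_PLISTS = {
    "/Library/LaunchAgents/com.google.keystone.agent.plist": plistlib.dumps({
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"],
        "RunAtLoad": True,
    }),
    "/Library/LaunchDaemons/com.google.chrome.update.plist": plistlib.dumps({
        "Label": "com.google.chrome.update",
        "ProgramArguments": ["/Users/Shared/.update/Google Chrome", "-d"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}

def program_path(plist: dict) -> Optional[str]:
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def find_masquerading(plists: dict, apps: dict) -> list:
    """Return (plist_path, impersonated_app, program) for suspicious entries."""
    hits = []
    for path, raw in plists.items():
        plist = plistlib.loads(raw)
        prog = program_path(plist)
        if not prog:
            continue
        # Compare app names against the label and the executable's file name.
        haystack = f"{plist.get('Label', '')} {PurePosixPath(prog).name}".lower()
        haystack = haystack.replace(".", " ")
        for app, bundle in apps.items():
            if app.lower() in haystack and not PurePosixPath(prog).is_relative_to(bundle):
                hits.append((path, app, prog))
    return hits
```

On a live host the same function can be fed the contents of /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents, with the app inventory built from /Applications.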

Next, the virus runs through several decryption steps and eventually establishes a session with Google Drive using hard-coded OAuth2 credentials.

After initialization, GIMMICK loads three malicious components named DriveManager, FileManager and GCDTimerManager. Of these, DriveManager performs the following tasks:

  1. Manages Google Drive sessions and proxies.
  2. Maintains a local in-memory map of the Google Drive folder hierarchy.
  3. Manages the keys used to synchronize tasks across Google Drive sessions.
  4. Handles download and upload tasks to and from a Google Drive session.

Each infected computer's hardware UUID will be used as an identifier for its corresponding Google Drive folder.

Meanwhile, FileManager manages the local directory where C2 information and command tasks are stored, and GCDTimerManager manages the various GCD (Grand Central Dispatch) objects.

The commands supported by GIMMICK, delivered to the infected system AES-encrypted, are listed below:

  1. Transmit basic system information.
  2. Upload files to the C2.
  3. Download a file to the client.
  4. Execute a shell command and write the output to the C2.
  5. Set the Google Drive timer interval on the client.
  6. Override the uptime information on the client.

The asynchronous design makes GIMMICK powerful and complex. Porting this virus to macOS is also a feat that demonstrates the depth of Storm Cloud's skills and resources.

Volexity does not rule out the possibility that Storm Cloud buys malicious code from another developer and uses it exclusively.

To combat GIMMICK, Apple recommends that users update macOS regularly. Doing so provides the latest patches and the latest digital signatures. Furthermore, make sure that XProtect and MRT are enabled and working properly on the system.
