Originally published at: Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass

Category: Malware Intelligence	Threat Type: Malware	Motivation: Financial	Region: Global	Source*: F6

Summary – Gimmick MacOS Malware

THREAT	IMPACT	MITIGATION
A new malware dubbed Gimmick, discovered in May 2022, is actively targeting MacOS devices. The malware is intended to spread incessantly using file names that are unique to the target device.	Gimmick gains persistence and communicates through the target system’s Google Drive C2 server. The file sample used by the malware is also capable of MacOS CodeSign bypass.	Use Apple’s XProtect built-in anti-malware protection security feature for signature based detection of malware. Audit and monitor malware persistence locations as well as network traffic to detect anomalous activities.

CloudSEK’s contextual AI digital risk platform XVigil identified a malware called Gimmick and its chances of further exploitation by cyber criminals. The malware was discovered in the first week of May and it has been actively targeting MacOS devices. Based on underground discussions, CloudSEK researchers expect this malicious software to ramp up infection attempts.

Analysis and Attribution

Information from OSINT

• Gimmick malware is being heavily attributed to a Chinese cyber espionage group named Storm Cloud that has a history of targeting Asian regions.
• Based on various resources, CloudSEK researchers discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The first sample submission of this malware was reported to be around March.
• This malware is distributed as a CorelDraw file that weighs 713.77 KB: ‘2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f.mlwr’
• This CorelDraw file sample is a Mach-O type file. Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically-loaded code, and core dumps.
• Based on this observation, CloudSEK researchers identified various techniques used by threat actors to bypass the Mach-O restrictions.
• Threat actors can also amplify the spread of this malware using these techniques.

Cybercrime Forum Analysis

• Along with the Gimmick MacOS malware, CloudSEK threat intelligence researchers also discovered a threat actor selling a method that can execute a Mach-O file on any machine across all versions of MacOS, without the need of CodeSigning the binary.
• The actor claims that this method effectively removes the “com.apple.quarantine” attribute from the binary, enabling the execution of the code on any machine outside their own.
• The threat actor mentions that this method only applies to MacOS devices, and not IOS.
• The actor has also advertised their loader malware on the cybercrime forum and is actively searching for a partner to spread it.

Threat actor’s post on the cybercrime forum

 

Indicators of Compromise (IOCs)

Based on VirusTotal and Triage scan results, given below is a list of IOCs for Gimmick MacOS malware:

MD5
23699799f496b8e872d05f19d2b397f8
SHA-1
fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA-256
2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f

Impact & Mitigation

Impact

Mitigation

Gimmick MacOS malware gains persistence and communicates through the target system’s Google Drive C2 server. The file sample used by Gimmickis also capable of MacOS CodeSign bypass. Malicious software is capable of infecting other devices present in the network, to maintain persistence and steal credentials. If the attack exposes Personally Identifiable Information (PII), it could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft. Since password reuse is a common practice, actors could leverage exposed credentials to access other accounts of the user.

Use Apple’s XProtect built-in anti-malware protection security feature for signature-based detection and removal of malware. Audit and monitor anomalies in malware persistence locations as well as system networks that are indicators of possible malware infection. Check for possible workarounds and patches while keeping the ports open. Use MFA (multi-factor authentication) across logins.

References

• *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
• ^#https://en.wikipedia.org/wiki/Traffic_Light_Protocol