A new custom macOS malware has been discovered by researchers. The malware, which has been dubbed “Gimmick,” is believed to have been created by a Chinese espionage group to carry out attacks in Asia.
The macOS malware variant was discovered by incident responders at security firm Volexity in the memory of a MacBook Pro running a version of macOS Big Sur 11.6. The machine had been compromised in a 2021 cyber-espionage attack.
Gimmick is said to be a multi-platform malware family; the macOS variant is written in Objective-C and heavily abuses Google Drive services. The malware installs itself as a binary whose name mimics a heavily used app on the Mac.
The malware then loads additional components that can remotely manage a Google Drive session. Since the malware uses Google Drive as a command-and-control platform, it can go undetected by network monitoring solutions.
Attackers can carry out a variety of nefarious tasks via the malware, such as uploading files from the Mac to command-and-control infrastructure, downloading additional malicious files to the machine, and gaining a shell on the machine through which they can execute commands.
Volexity worked closely with Apple to add protections against the Gimmick malware across Apple's user base. On March 17, 2022, Apple pushed new signatures to XProtect and MRT to block and remove Gimmick.
These protections are on by default; users can confirm they are receiving them automatically by verifying that the “Install system data files and security updates” box is checked in their Settings.