This new custom macOS malware seizes control of your Google Drive account
GIMMICK malware is a rare find, experts say
Cybersecurity researchers from Volexity have discovered a previously unknown, custom malware designed for macOS that they say is capable of taking control of the target’s Google Drive account.
The malware is most likely developed by Storm Cloud, a Chinese cyber-espionage threat actor that, judging by its complexity, has formidable skills and resources.
After retrieving it from a compromised MacBook Pro running macOS 11.6 (Big Sur), the researchers named the malware GIMMICK. It’s described as a multi-platform malware, written in Objective C, or .NET and Delphi, depending on the operating system it targets.
Apple’s fix
Once GIMMICK infects an endpoint, it establishes a session to the Google Drive cloud storage, using hard-coded OAuth2 credentials. Then, it loads three separate malware elements - DriveManager, FileManager, and GCDTimerManager.
These give the attackers the ability to manage Google Drive and proxy sessions, maintain a local map of the Google Drive directory hierarchy in memory, manage locks for syncing tasks on the Drive session, and manage upload and download tasks.
The commands GIMMICK supports, the publication further details, include transmitting basic system information, uploading files to the command and control server (C2), downloading files to the client endpoint, executing a shell command, writing output to the C2, and overwriting client work period information.
“Due to the asynchronous nature of the malware operation, command execution requires a staged approach. Though the individual steps occur asynchronously, every command follows the same,” Volexity explained.
To tackle the malware, Apple pushed out new protections to all supported macOS versions, in the form of new signatures for the XProtect and MRT antivirus solutions. All users are advised to head over to Apple’s support page and follow the instructions found there.
The malware is quite the find, the publication claims. In cyber-espionage campaigns such as this one, threat actors usually make sure to leave no traces of their presence and delete any code they used.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.