
The incident response and threat intelligence firm Volexity discovered a Chinese threat actor employing a macOS variant of the malware known as Gimmick. The Chinese APT known as Storm Cloud is notorious for conducting focused cyber espionage targeting Asian enterprises. The gang uses built-in utilities, bespoke malware, and open-source tools in its attacks.
The Gimmick is a multi-platform malware family that uses public cloud services for C&C infrastructure and gives attackers multiple options. The macOS version, discovered on a MacBook Pro running macOS 11.6 (Big Sur), is primarily written in Objective C, whereas prior Windows versions were written in .NET and Delphi. The C&C architecture, behavior, and file paths are the same across all variants.
Gimmick was set up to only connect with its Google Drive-based C&C server during workdays to blend in with the target organization’s network activity. Analysis shows that the malware’s functioning is highly asynchronous, and the attackers keep a Google Drive directory for each compromised system.

Although Volexity has identified locations for storing credentials, errors, proxy definitions, command files, and temporary files, it claims that not all Gimmick variations use all of them. The malware may accept C&C instructions to gather system information, upload or download files, run shell commands, and do other C&C activities.
Gimmick is a complicated malware family, owing to its asynchronous nature. Its conversion to macOS indicates that Storm Cloud – the sole threat actor seen deploying it – is a well-resourced and flexible opponent. Volexity said that Apple published updated signatures for XProtect and MRT last week to defend Macs against Gimmick.
Indicators of Compromise
- fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8,23699799f496b8e872d05f19d2b397f8
- 038e6c73d7235d9942ba9f4cc48cf2626c940dc7,66c52c5bc096e15d984ae12fa0589b2f
Yara Rule
rule apt_macOS_gimmick : StormCloud
{
meta:
author = “threatintel@volexity.com”
description = “Detects the macOS port of the GIMMICK malware.”
date = “2021-10-18”
hash1 = “2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f”
license = “See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt”
memory_suitable = 1
strings:
// Also seen in DAZZLESPY
$s1 = "http://cgi1.apnic.net/cgi-bin/my-ip.php --connect-timeout 10 -m 20" wide ascii
$json1 = "base_json" ascii wide
$json2 = "down_json" ascii wide
$json3 = "upload_json" ascii wide
$json4 = "termin_json" ascii wide
$json5 = "request_json" ascii wide
$json6 = "online_json" ascii wide
$json7 = "work_json" ascii wide
$msg1 = "bash_pid: %d, FDS_CHILD: %d, FDS_PARENT: %d" ascii wide
$msg2 = "pid %d is dead" ascii wide
$msg3 = "exit with code %d" ascii wide
$msg4 = "recv signal %d" ascii wide
$cmd1 = "ReadCmdQueue" ascii wide
$cmd2 = "read_cmd_server_timer" ascii wide
$cmd3 = "enableProxys" ascii wide
$cmd4 = "result_block" ascii wide
$cmd5 = "createDirLock" ascii wide
$cmd6 = "proxyLock" ascii wide
$cmd7 = "createDirTmpItem" ascii wide
$cmd8 = "dowfileLock" ascii wide
$cmd9 = "downFileTmpItem" ascii wide
$cmd10 = "filePathTmpItem" ascii wide
$cmd11 = "uploadItems" ascii wide
$cmd12 = "downItems" ascii wide
$cmd13 = "failUploadItems" ascii wide
$cmd14 = "failDownItems" ascii wide
$cmd15 = "downloadCmds" ascii wide
$cmd16 = "uploadFiles" ascii wide
condition:
$s1 or
5 of ($json*) or
3 of ($msg*) or
9 of ($cmd*)
}
rule apt_win_gimmick_dotnet_base : StormCloud
{
meta:
author = “threatintel@volexity.com”
description = “Detects the base version of GIMMICK in .NET.”
date = “2020-03-16”
hash1 = “b554bfe4c2da7d0ac42d1b4f28f4aae854331fd6d2b3af22af961f6919740234”
license = “See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt”
memory_suitable = 1
strings:
$other1 = "srcStr is null" wide
$other2 = "srcBs is null " wide
$other3 = "Key cannot be null" wide
$other4 = "Faild to get target constructor, targetType=" wide
$other5 = "hexMoudule(public key) cannot be null or empty." wide
$other6 = "https://oauth2.googleapis.com/token" wide
$magic1 = "TWljcm9zb2Z0IUAjJCVeJiooKQ==" ascii wide
$magic2 = "DAE47700E8CF3DAB0@" ascii wide
condition:
5 of ($other*) or
any of ($magic*)