GIMMICK Implant Used by StormCloud APT Targeting Users in Asia

FortiGuard Labs is aware of a new variant of the GIMMICK malware that is targeting Asian users. Discovered by researchers at Volexity, the GIMMICK implant has been attributed to the StormCloud APT group. According to the report, GIMMICK variants for macOS and Windows environments were seen. It also has been observed to be using File based command and control, specifically Google Cloud. GIMMICK has been attributed to nation state actors operating out of China. What is GIMMICK?GIMMICK is an implant that is similar to a remote access trojan (RAT) that allows the attacker to perform various instructions on the victim machine to further lateral movement. What makes this different from a RAT is that it is asynchronous in nature, moves in predefined pattern and does not really rely on an attacker to control. Once the implant is run, it follows a set of steps to further lateral movement and stores all information in a set of directories. Once these steps are completed, the exfiltrated data will be automatically uploaded to a predefined C2 server hosted on Google Drive. This allows for the implant to go undetected as traffic to Google Drive would be considered clean and not malicious traffic. What Operating Systems are Affected?MacOS and Windows platforms. Is GIMMICK Attributed to any other Groups?No. GIMMICK appears to be attributed to StormCloud only. What is the Status of Coverage?FortiGuard Labs has AV coverage in place as:Customers running the latest definitions are protected by the following (AV) signature:OSX/Gimmick.A!tr

Original Article

Leave a Reply

Your email address will not be published. Required fields are marked *