Jamf protects against Gimmick malware from pulling the strings on macOS

Volexity researchers recently documented a new piece of malware, by a threat actor named Storm Cloud, that threatens to not only spy on Mac but use command & control (C2) protocols to manipulate your endpoints while operating from commercial, cloud-based services.

March 25 2022 by

Jamf Threat Labs


Affects: A new macOS malware variant was recently discovered by Volexity researchers, dubbed GIMMICK. The attack has been attributed to a Chinese espionage threat actor known as Storm Cloud, which targets organizations in Asia. Windows variants of this malware also exist and it appears the threat actors have been able to port their toolsets to be compatible with different operating systems.

Detected by: Jamf Protect analytics generate an alert for XProtect, blocking the execution of this malware, as of 3/17/2022 (see additional details below).

Prevented by: Jamf Protect threat prevention blocks the execution of this malware as of 3/22/2022. Apple’s XProtect has recently Apple’s XProtect has recently added a new rule to version 2158 titled MACOS.efb903b. This new rule prevents variants of the GIMMICK malware.

Malicious URLs:

Leverages cloud hosting platforms such as Google Drive for command-and-control.

IOCs (as published by Volexity)

There are no strings on me - and there shouldn't be any on your Mac either!

Trust Jamf Protect to keep your Mac fleet and sensitive data secured against existing and emerging threats.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.