Roughly two years after it began circulating, security researchers have discovered infections of a piece of macOS malware named “Calisto”. The malware was seemingly developed in 2016 and may have been a precursor to the “Proton” macOS trojan that started to circulate in 2017.
Calisto functions as a trojan that takes the form of an unsigned DMG posing as Intego’s Mac Internet Security X9, an antivirus and security suite. Kaspersky’s Secure List notes that it closely resembles the official release, so it is likely meant to fool users who want to install the software but obtain it from somewhere other than Intego itself.
After asking users to accept an agreement, Calisto asks for the user’s login and password via a convincing authentication box. After the credentials are entered, the software shows an installation error message advising to redownload the official software. By doing this, the malware acquires the user’s login details, which it can then use to perform other actions.
Calisto then creates a hidden directory, from which it can access the Keychain and harvest passwords, tokens, history data, bookmarks, and cookie data from Google Chrome, as well as collect information about connected networks. It can also launch at startup, enable remote access to the Mac, and forward harvested data to a remote server, among other capabilities.
Security analysts stated that the code reveals other functions that were under development but never completed. These included the ability to load and unload kernel extensions for handling USB devices, acquiring data from user directories, and self-destruction, taking the operating system with it.
The good news is that many of Calisto’s features won’t work on more modern versions of macOS because of System Integrity Protection (SIP), which Apple introduced in 2015 with Mac OS X 10.11 El Capitan to protect critical system files from modification. The researchers believe that Calisto’s developers produced the malware in 2016 without taking SIP’s restrictions into account, neutering most of its functionality. To do the most damage, it has to be installed on a Mac with SIP disabled, which is relatively rare.
Still, some MacBook Pro users could unwittingly be in danger due to SIP being disabled. In November 2016, it was noted some Touch Bar models of the MacBook Pro were shipping with SIP disabled, a problem Apple later fixed with a software update.
Calisto was first submitted for review in 2016, but antivirus providers only began detecting it after it surfaced on protected systems in May 2018. So much time has passed that attempts to contact the server intended to receive the collected user data have failed, at least for the time being.
Kaspersky notes there are many elements that make Calisto quite similar to Proton, a form of Mac malware that surfaced in 2017. Aside from the potential to acquire large swathes of personal data, the Keychain access, and a similar distribution method, code in Calisto also seemingly refers to Proton by name.
It’s thought that the creators of Calisto could have also authored Proton, which uses a similar architecture.
To help protect against similar attacks, Kaspersky recommends keeping macOS up to date, never disabling SIP, using antivirus software, and only running software downloaded from trusted sources, such as the Mac App Store.
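Two of those recommendations, never disabling SIP and only running software from trusted sources, can be checked on a machine in a few lines. The script below is an added example written for this article; it is not code from Kaspersky, Intego or the Calisto analysis. It assumes the standard `csrutil status` output line (“System Integrity Protection status: enabled.”) and that `codesign --verify` exits non-zero for an unsigned or tampered disk image, which is the property a Calisto-style unsigned DMG would trip. The parsing is kept separate from the command execution so the logic can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example (not from the article or Kaspersky): defender-side checks for
# the two conditions Calisto depends on, SIP being off and an unsigned installer.

# Classify `csrutil status` text. Returns 0 = enabled, 1 = disabled, 2 = unrecognised.
# Assumption: Apple's wording "System Integrity Protection status: <state>."
sip_state_from_text() {
  case "$1" in
    *"System Integrity Protection status: enabled"*)  return 0 ;;
    *"System Integrity Protection status: disabled"*) return 1 ;;
    *)                                                return 2 ;;
  esac
}

# Run csrutil when present (macOS only) and report the result in words.
check_sip() {
  if ! command -v csrutil >/dev/null 2>&1; then
    echo "csrutil not found; not macOS or not on PATH"
    return 2
  fi
  out=$(csrutil status 2>&1)
  sip_state_from_text "$out" && rc=0 || rc=$?
  case $rc in
    0) echo "SIP enabled: Calisto-era persistence and Keychain tricks are blocked" ;;
    1) echo "SIP DISABLED: this Mac is exposed to the full feature set of such malware" ;;
    *) echo "could not interpret csrutil output: $out" ;;
  esac
  return $rc
}

# Verify a downloaded disk image or installer before opening it.
# Returns 0 when the signature verifies, 1 when it is unsigned/invalid,
# 2 when codesign is unavailable. Assumption: codesign's non-zero exit on failure.
check_installer_signature() {
  path="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not found; cannot assess $path"
    return 2
  fi
  if codesign --verify --verbose=2 "$path" 2>/dev/null; then
    echo "$path: signature verifies"
    return 0
  fi
  echo "$path: UNSIGNED or invalid signature; do not open (Calisto shipped this way)"
  return 1
}

# Constructed sample output, so the classifier can be demonstrated offline.
SAMPLE_ENABLED="System Integrity Protection status: enabled."
SAMPLE_DISABLED="System Integrity Protection status: disabled."

demo() {
  sip_state_from_text "$SAMPLE_ENABLED"  && echo "sample 1 -> enabled"  || echo "sample 1 -> code $?"
  sip_state_from_text "$SAMPLE_DISABLED" && echo "sample 2 -> enabled"  || echo "sample 2 -> code $?"
  check_sip || true
  [ -n "$1" ] && { check_installer_signature "$1" || true; }
  return 0
}

demo "$1"
```

Run it with no arguments to report SIP status, or pass the path of a downloaded DMG to have its signature assessed as well. A return of 1 from either check is the condition worth alerting on: SIP off, or an installer that claims to be a security product but carries no valid signature.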
Stay tuned for additional details as they become available.
Via AppleInsider and Kaspersky Labs