Calisto: Experts discovered the predecessor of Proton macOS malware

by Lucia Danes - - 2018-07-27

Security researchers discovered the precursor of infamous Proton macOS malware, called Calisto

Calisto MacOS malware image Calisto is the precursor of Proton MacOS malware. It was developed in 2016 or earlier. So, users with SIP enabled cannot get infected.

Recently, malware researchers at Kaspersky Lab have discovered a backdoor malware which is believed to be the predecessor of Proton macOS malware. The first sample of this malicious program was uploaded to VirusTotal in 2016^[1]. Although, the infection managed to remain undetectable until May 2018.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

During the analysis of Calisto, IT experts have introspected malware features. It is evident that this cyber threat was still under development as Proton macOS malware was more advanced. Users should be aware that Calisto backdoor malware appears as an unsigned DMG image pretending to come from Intego’s security solution for Mac^[2].

Calisto allows criminals to monitor the infected device remotely

Both malicious programs, Proton macOS malware, and Calisto are categorized as Remote Access Trojans (RATs) which give the full control of the affected computers to the cybercriminals. According to the analysis, the precursor enabled screen sharing, and remote login features as well as allowed to create a new admin account with a unique password.

Although, there were some features of Calisto RAT which were still-in-development^[3]:

Un/loading kext to obtain USB devices;
Accessing sensitive data from user directories;
Destruction of OS together with malware itself.

Nevertheless, the precursor of Proton malware was capable of storing keychain, user login/password, Google chrome data in a hidden .calisto directory^[4].

Mac computers with SIP cannot be affected by Calisto

Researchers point out that this MacOS malware was developed before Apple released System Integrity Protection (SIP) feature. Thus, Calisto cannot bypass this mechanism. In particular, the operational logic of the Trojan is disrupted once it tries to modify system files and causes it to stop^[5].

Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions.

Additionally, cybersecurity experts say that the following precautionary measures can help users avoid Calisto or Proton Trojans in the future:

Never disable SIP;
Keep Mac OS updated;
Install only signed software from trustworthy developers;
Use security applications.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions

References

^ Bradley Barth. Researchers find previously unknown, early version of 'Proton' Mac malware. SC Magazine. Breaking news on cybersecurity.
^ Malcolm Owen. Infections of macOS trojan 'Calisto' discovered two years after initial release. AppleInsider. Apple news and rumors since 1997.
^ Pierluigi Paganini. Experts discovered Calisto macOS Trojan, the first member of Proton RAT family. Security Affairs. Read, think, share.
^ Zainab Imran. MacOS Proton RAT’s Predecessor Calisto Discovered on VirusTotal. Appuals. Latest IT News.
^ Mikhail Kuzin, Sergey Zelensky. Calisto Trojan for macOS. Securelist. Kaspersky Lab's cyberthreat research and reports.