Calisto: Experts discovered the predecessor of Proton macOS malware

Security researchers discovered the precursor of infamous Proton macOS malware, called Calisto

Recently, malware researchers at Kaspersky Lab have discovered a backdoor malware which is believed to be the predecessor of Proton macOS malware. The first sample of this malicious program was uploaded to VirusTotal in 2016^[1]. Although, the infection managed to remain undetectable until May 2018. 

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

During the analysis of Calisto, IT experts have introspected malware features. It is evident that this cyber threat was still under development as Proton macOS malware was more advanced. Users should be aware that Calisto backdoor malware appears as an unsigned DMG image pretending to come from Intego’s security solution for Mac^[2]. 

Calisto allows criminals to monitor the infected device remotely

Both malicious programs, Proton macOS malware, and Calisto are categorized as Remote Access Trojans (RATs) which give the full control of the affected computers to the cybercriminals. According to the analysis, the precursor enabled screen sharing, and remote login features as well as allowed to create a new admin account with a unique password. 

Although, there were some features of Calisto RAT which were still-in-development^[3]:

• Un/loading kext to obtain USB devices;
• Accessing sensitive data from user directories;
• Destruction of OS together with malware itself.

Nevertheless, the precursor of Proton malware was capable of storing keychain, user login/password, Google chrome data in a hidden .calisto directory^[4]. 

Mac computers with SIP cannot be affected by Calisto

Researchers point out that this MacOS malware was developed before Apple released System Integrity Protection (SIP) feature. Thus, Calisto cannot bypass this mechanism. In particular, the operational logic of the Trojan is disrupted once it tries to modify system files and causes it to stop^[5]. 

Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions.

Additionally, cybersecurity experts say that the following precautionary measures can help users avoid Calisto or Proton Trojans in the future:

• Never disable SIP;
• Keep Mac OS updated;
• Install only signed software from trustworthy developers;
• Use security applications.