Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Infections of macOS trojan 'Calisto' discovered two years after initial release

Security researchers have recently discovered infections of macOS malware named "Calisto," one that was seemingly developed in 2016 and may have been a precursor to the "Proton" macOS trojan that started to circulate in 2017.

Calisto is a trojan that takes the form of an unsigned DMG for Intego's Mac Internet Security X9, an antivirus and security suite. Kaspersky's Secure List notes it is similar to the official release, so it is likely meant to try and fool users wanting to install the software and acquiring it by other means than directly from Intego itself.

After asking users to accept an agreement, the malware then requests the user's credentials in a convincing authentication box, then after the details are entered, it shows an installation error message advising to redownload the official software. By doing this, the malware acquires the user's login details, which it can then use to perform other actions.

Creating a hidden directory, the malware has the ability to access the Keychain and acquire passwords and tokens stored by the user, as well as history, bookmark, and cookie data from Google Chrome, and to collect information about connected networks. It also has the ability to boot on startup, enable remote access to the Mac, and to forward harvested data to a remote server, among other items.

Analysis of the code also reveals functions that were under development, but ultimately unfinished. This included the ability to load and unload kernel extensions for handling USB devices, acquiring data from user directories, and the self-destruction of itself and the operating system.

Many of the active features will not work on many modern systems due to System Integrity Protection (SIP), which Apple introduced in 2015 with O SX El Capitan to protect critical system files from being modified. The researchers believe that Calisto's developers produced the malware in 2016 without taking into account SIP's restrictions, neutering most of its functionality. In order for it to be most damaging, it has to be installed on a Mac with SIP disabled, though this is relatively rare.

While many Mac users will be safe, some MacBook Pro users could unwittingly be in danger due to SIP being disabled. In November 2016, it was noted some Touch Bar models of the MacBook Pro were shipping with SIP disabled, a problem Apple later fixed with a software update.

It is noted that the malware was first submitted for review in 2016, but was largely off the radar for antivirus providers until it started to be detected on protected systems in May 2018, roughly two years later. So much time has passed that attempts to contact the server that would be the intended destination for collected user data failed — at least for now.

Kaspersky notes there are many elements that make Calisto quite similar to Proton, a form of Mac malware that surfaced in 2017. Aside from the potential to acquire large swathes of personal data, the Keychain access, and a similar distribution method, code in Calisto also seemingly refers to Proton by name.

It is suggested that Calisto could have been made by the same authors as Proton, and could potentially have been the first version or a prototype of Backdoor.OSX.Proton infections.

To help protect against similar attacks, Kaspersky recommends keeping macOS up to date, to never disable SIP, to use antivirus software, and to only run software downloaded from trusted sources, such as the Mac App Store.



5 Comments

gatorguy 13 Years · 24627 comments

"Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari." 

But the most important note is this:
"Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so."

So it's extremely unlikely that very many real-world users need be concerned with it IMHO.


Soli 9 Years · 9981 comments

gatorguy said:
"Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari." 

But the most important note is this:
"Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so."

So it's extremely unlikely that very many real-world users need be concerned with it IMHO.

You can check to see if SIP is en/disabled by using this Terminal command:

csrutil status

Alex1N 8 Years · 153 comments

Soli said:
gatorguy said:
"Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari." 

But the most important note is this:
"Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so."

So it's extremely unlikely that very many real-world users need be concerned with it IMHO.
You can check to see if SIP is en/disabled by using this Terminal command:

csrutil status

Thanks Soli, Very helpful :). Cheers, Alex

JamesBrickley 8 Years · 104 comments

Don't be stupid.  Don't pirate software.  Block advertisements.  Don't use junk like coupon software and don't fill out surveys for that $1000 Amazon Gift card or free iPad, etc. Stay away from shady websites.  Don't be Jen. https://youtu.be/XczIlID_GPM

gatorguy 13 Years · 24627 comments

...abdJamesBrickley said:

Don't be stupid.  Don't pirate software.  Block advertisements.  Don't use junk like coupon software and don't fill out surveys for that $1000 Amazon Gift card or free iPad, etc. Stay away from shady websites.  Don't be Jen. https://youtu.be/XczIlID_GPM

..and even with all those very good cautionary moves your very personal and private family, financial and otherwise unique personal information was almost certainly out there available for anyone who knew where to look if you live in the US. Yes YOU, YOUR data.  

Last month the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data, potentially impacting virtually every US consumer. Multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family members names and ages. 400 different profile fields from "whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel". The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. 

What, you didn't know about it? All these articles about privacy and "protecting our data!", yet so little real meat in them. We're all being pointed to look in the in the wrong direction because much of it has more to do with a competitive marketing advantage rather than actually doing something about protecting us from the real sources of danger. That's my .02 cents anyway. 

https://www.wired.com/story/exactis-database-leak-340-million-records/