Infections of macOS trojan 'Calisto' discovered two years after initial release

By Malcolm Owen

Security researchers have recently discovered infections of macOS malware named "Calisto," one that was seemingly developed in 2016 and may have been a precursor to the "Proton" macOS trojan that started to circulate in 2017.

Calisto is a trojan that takes the form of an unsigned DMG for Intego's Mac Internet Security X9, an antivirus and security suite. Kaspersky's Secure List notes it is similar to the official release, so it is likely meant to try and fool users wanting to install the software and acquiring it by other means than directly from Intego itself.

After asking users to accept an agreement, the malware then requests the user's credentials in a convincing authentication box, then after the details are entered, it shows an installation error message advising to redownload the official software. By doing this, the malware acquires the user's login details, which it can then use to perform other actions.

Creating a hidden directory, the malware has the ability to access the Keychain and acquire passwords and tokens stored by the user, as well as history, bookmark, and cookie data from Google Chrome, and to collect information about connected networks. It also has the ability to boot on startup, enable remote access to the Mac, and to forward harvested data to a remote server, among other items.

Analysis of the code also reveals functions that were under development, but ultimately unfinished. This included the ability to load and unload kernel extensions for handling USB devices, acquiring data from user directories, and the self-destruction of itself and the operating system.

Many of the active features will not work on many modern systems due to System Integrity Protection (SIP), which Apple introduced in 2015 with O SX El Capitan to protect critical system files from being modified. The researchers believe that Calisto's developers produced the malware in 2016 without taking into account SIP's restrictions, neutering most of its functionality. In order for it to be most damaging, it has to be installed on a Mac with SIP disabled, though this is relatively rare.

While many Mac users will be safe, some MacBook Pro users could unwittingly be in danger due to SIP being disabled. In November 2016, it was noted some Touch Bar models of the MacBook Pro were shipping with SIP disabled, a problem Apple later fixed with a software update.

It is noted that the malware was first submitted for review in 2016, but was largely off the radar for antivirus providers until it started to be detected on protected systems in May 2018, roughly two years later. So much time has passed that attempts to contact the server that would be the intended destination for collected user data failed -- at least for now.

Kaspersky notes there are many elements that make Calisto quite similar to Proton, a form of Mac malware that surfaced in 2017. Aside from the potential to acquire large swathes of personal data, the Keychain access, and a similar distribution method, code in Calisto also seemingly refers to Proton by name.

It is suggested that Calisto could have been made by the same authors as Proton, and could potentially have been the first version or a prototype of Backdoor.OSX.Proton infections.

To help protect against similar attacks, Kaspersky recommends keeping macOS up to date, to never disable SIP, to use antivirus software, and to only run software downloaded from trusted sources, such as the Mac App Store.