Kaspersky Researchers have discovered a new backdoor malware dubbed Calisto which is believed to be the predecessor of Proton malware which targets macOS users
Kaspersky researchers have discovered a new backdoor malware dubbed Calisto, which is believed to be the predecessor of the Proton malware that targets macOS users. The malware was created in 2016 and remained undetected for almost two years, until May 2018. According to the researchers, the Calisto installation file is an unsigned DMG image disguised as Intego's security product for Mac.
[Image: the genuine Intego application is signed; the Calisto DMG is unsigned]
After opening the file, the application presents a fake license agreement. Clicking the Agree button prompts the user for their macOS login name and password, ostensibly so that the installer can make changes to the system.
After the user enters the credentials, the program hangs for a few seconds and then shows an error report asking the user to download a new installation file from the official Intego website.
The user will then be able to install the genuine application without problems, so the error goes unnoticed. Meanwhile, Calisto has already infected the system and is running quietly in the background.

If System Integrity Protection (SIP) is enabled, Calisto's activity is limited. It can only copy Keychain storage data, capture the credentials typed into the fake login/password window, collect information about the network connection, and take Google Chrome history, bookmarks and cookies. Apple introduced SIP in 2015 (OS X El Capitan); it is designed to prevent critical system files and settings from being modified, even by root.

If the system is not protected by SIP, the malware can additionally enable remote access to the system, harvest and forward data to the C&C server, add itself to the Accessibility database, and so on. To give the attacker remote control of the infected Mac, Calisto:
- Enables remote login
- Enables screen sharing
- Configures remote login permissions for the user
- Allows remote login to all
- Enables a hidden “root” account in macOS and sets the password specified in the Trojan code
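The two practical checks a defender would want from this story are (1) refusing to open an installer DMG that Gatekeeper cannot tie to a valid signature, since the Calisto image is unsigned while Intego's own software is signed, and (2) a quick post-infection triage of the settings listed above: SIP status, Remote Login, the Screen Sharing daemon and a root account with a password set. The script below is an added example, not code from Kaspersky, Intego or the Calisto sample. It parses the output of the stock macOS tools `spctl`, `csrutil`, `systemsetup`, `launchctl` and `dscl`; the sample outputs embedded in it are constructed so the logic can be exercised offline, and on a real Mac `collect_live()` runs the tools themselves (run it as root so `systemsetup` and `dscl` succeed). One assumption is flagged in `root_account_enabled`: that a disabled root account carries no `AuthenticationAuthority` attribute.

```python
"""Triage helpers for the Calisto indicators described above (added example)."""
import platform
import re
import subprocess


def run(cmd):
    """Run a command and return stdout+stderr; empty string if the tool is missing."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError:
        return ""
    return p.stdout + p.stderr


def dmg_signature_verdict(spctl_out):
    """Parse `spctl -a -t open --context context:primary-signature -v X.dmg`.
    Gatekeeper prints 'X.dmg: accepted' for a valid Developer ID signature and
    'X.dmg: rejected' plus 'source=no usable signature' for an unsigned image
    like Calisto's. Returns 'accepted', 'rejected' or None."""
    m = re.search(r":\s*(accepted|rejected)\b", spctl_out)
    return m.group(1) if m else None


def sip_enabled(csrutil_out):
    """`csrutil status` -> 'System Integrity Protection status: enabled.' / 'disabled.'"""
    m = re.search(r"status:\s*(enabled|disabled)", csrutil_out)
    return m.group(1) == "enabled" if m else None


def remote_login_on(systemsetup_out):
    """`systemsetup -getremotelogin` -> 'Remote Login: On' / 'Remote Login: Off'."""
    m = re.search(r"Remote Login:\s*(On|Off)", systemsetup_out)
    return m.group(1) == "On" if m else None


def screen_sharing_loaded(launchctl_out):
    """`launchctl list` prints one loaded job per line (PID, status, label);
    the com.apple.screensharing daemon is only loaded while Screen Sharing is on."""
    return any(line.split()[-1] == "com.apple.screensharing"
               for line in launchctl_out.splitlines() if line.strip())


def root_account_enabled(dscl_out):
    """`dscl . -read /Users/root AuthenticationAuthority`. Assumption used here:
    a disabled root account has no such attribute ('No such key'), while an
    enabled one carries a ';ShadowHash;' entry for the password that was set."""
    if "No such key" in dscl_out:
        return False
    return ";ShadowHash;" in dscl_out


def assess(csrutil_out, systemsetup_out, launchctl_out, dscl_out):
    """Return the list of Calisto-style post-infection findings present."""
    findings = []
    if sip_enabled(csrutil_out) is False:
        findings.append("SIP disabled: remote-access and root-account changes are possible")
    if remote_login_on(systemsetup_out):
        findings.append("Remote Login (SSH) is on")
    if screen_sharing_loaded(launchctl_out):
        findings.append("Screen Sharing daemon is loaded")
    if root_account_enabled(dscl_out):
        findings.append("root account is enabled with a password")
    return findings


def collect_live():
    """Run the real tools on this Mac (as root) and assess their output."""
    return assess(run(["csrutil", "status"]),
                  run(["systemsetup", "-getremotelogin"]),
                  run(["launchctl", "list"]),
                  run(["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"]))


# Constructed sample outputs (not captured from a real infection).
CLEAN = ("System Integrity Protection status: enabled.\n",
         "Remote Login: Off\n",
         "PID\tStatus\tLabel\n312\t0\tcom.apple.syslogd\n",
         "No such key: AuthenticationAuthority\n")
INFECTED = ("System Integrity Protection status: disabled.\n",
            "Remote Login: On\n",
            "PID\tStatus\tLabel\n312\t0\tcom.apple.syslogd\n-\t0\tcom.apple.screensharing\n",
            "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n")
UNSIGNED_DMG = "Intego.dmg: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    findings = collect_live() if platform.system() == "Darwin" else assess(*INFECTED)
    print("DMG verdict:", dmg_signature_verdict(UNSIGNED_DMG))
    for f in findings:
        print("FINDING:", f)
```

Run it before mounting any "security product" DMG by feeding `spctl`'s output to `dmg_signature_verdict`, and after a suspected infection with `sudo python3`; a SIP-enabled Mac with all four findings absent still needs the Keychain, Chrome and captured-password exposure treated as real, since those do not depend on SIP.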