Calisto Malware: A Mac OSX Proton Backdoor Prototype?

Although originally created back in 2016, Calisto, a malware that steals system log-in details, keychain storage info and more, managed to stay “under the radar” until it was discovered in early 2018.

The malware is essentially a Mac backdoor with numerous data-stealing capabilities, and it can operate silently on an infected machine without alerting the victim to its malicious activity.

The creators of the malware disguised Calisto as the ninth version of Intego’s security software for Mac. Calisto convincingly imitates the Intego icon and also presents a phony “license agreement.” Once downloaded, the malware asks for the user’s log-in credentials, a request that is very common among applications before they begin installation on Mac systems.

But once the unsuspecting victim provides their log-in credentials, the disguised malware displays an error message advising the user to download the program directly from the official Intego website.

Kaspersky security researchers, who unearthed the malware’s activity on Mac computing systems, had this to say about Calisto on their blog:

“The technique is simple but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.”

Calisto Malware Capabilities

According to the Kaspersky researchers, Calisto’s activity on Macs with System Integrity Protection (SIP) enabled was actually rather limited, indicating that the malware was not built with the ability to bypass SIP.

Along with login details and keychain storage data, Calisto can also steal network data, bookmarks, browser history, and even cookies. It can also copy itself to the system, launch automatically at startup, enable remote system access, and send all of the collected data directly to the C2 server. Enabling remote access also lets the attacker log in and use screen sharing remotely.

Similarities to OSX Proton

Kaspersky researchers discovered that Calisto has many similarities with OSX Proton. Both are Mac backdoors with comparable data-stealing abilities. Both strains also use similar distribution methods and can steal large amounts of personal data.

The researchers believe that the similarities could be an indicator that Calisto may just have been a previous version of OSX Proton.

Comments anyone? Feel free to leave them below.
