Calisto macOS Backdoor Remained Undetected for Two Years
23.7.2018 securityweek Apple

A recently discovered backdoor targeting macOS systems remained undetected for at least two years, according to security firm Kaspersky Lab.

Dubbed Calisto, the malware was first uploaded to VirusTotal in 2016, likely the same year it was created, but it remained undetected by anti-virus solutions until May 2018, Kaspersky's security researchers say.

The backdoor is being distributed as an unsigned DMG image that masquerades as Intego’s Internet Security X9 for Apple's macOS. A comparison with the legitimate application shows that the threat looks fairly convincing, being likely to trick users, especially those who haven’t encountered the application before.

When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.

Next, Calisto asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.

On machines with SIP (System Integrity Protection) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified, and it appears that the malware developers didn’t take that into account.

The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).

If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.

The Trojan also includes some unfinished and unused functionality, such as the loading/unloading of kernel extensions for handling USB devices, data theft from user directories, and self-destruction (together with the OS).

Some of Calisto characteristics, Kaspersky says, would bring the malware close to the Backdoor.OSX.Proton family. The threat poses as a well-known antivirus (Proton was disguising as a Symantec product), its code contains the line “com.proton.calisto.plist,” and can steal a lot of personal data from the system, including the contents of Keychain.

The Proton remote access Trojan was discovered in 2017. It was being advertised as “a professional FUD surveillance and control solution” that could provide complete remote control of infected machines and could steal anything from credit card information to keystrokes and screenshots.

“The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton,” Kaspersky concludes.