Calisto malware likely prototype of the Mac OSX Proton backdoor

• Malware was created in 2016 but remained under the radar till 2018.
• Calisto steals keychain storage data, system login credentials and more.

The Calisto malware is a Mac backdoor that was created in 2016, but managed to remain under the radar until earlier this year when Calisto was finally spotted. The malware comes packed with several data-stealing capabilities and is also able to function silently in an infected device, without alerting the victim about its malicious activities.

The malware authors who created Calisto disguised the malware as the ninth version of the Intego’s security for Mac. The malware convincingly mimics Intego’s icon and also displays a sham license agreement. Once downloaded, Calisto requests the user to provide system login credentials which is a common request for applications attempting to install and run on Mac systems.

However, after receiving the victim’s credentials, the malware masquerading as the antivirus programs hangs slightly and reports an error, advising the victim to download the program from Intego’s official website.

“The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission,” Kaspersky security researchers, who delved into Calisto’s infrastructure and activities, said in a blog.

Calisto’s capabilities

Kaspersky researchers uncovered that Calisto activity on Mac systems enabled with System Integrity Protection (SIP), was fairly limited. This likely indicates that Calisto, which was created at a time when SIP was still considered new technology, has not been designed to defend against and bypass SIP.

Calisto comes packed with data-stealing abilities. The malware can steal system login credentials, keychain storage data, network data, as well as Chrome history, cookies and bookmarks.

In systems with SIP disabled, Calisto can copy itself to the system, launch automatically on startup, enable remote access to the system and send all harvested information to the C2 server. Enabling remote access allows the malware to enable remote login and screen sharing as well.

Similarities to OSX Proton

According to Kaspersky researchers, Calisto shares several similarities with OSX Proton. Apart from the fact that both malware strains are Mac backdoors, Calisto also contains similar data-stealing features. Both malware strains have similar distribution methods and are capable of stealing a large amount of personal information, including Keychain contents.

Researchers suspect that the similarities between the two malware variants could indicate that Calisto may have been an earlier version of OSX Proton.

“All known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016,” Kaspersky researchers said. “Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype.”