A recently discovered backdoor targeting macOS systems remained undetected for at least two years, according to security firm Kaspersky Lab.
Dubbed Calisto, the malware was first uploaded to VirusTotal in 2016, likely the same year it was created, but it remained undetected by anti-virus solutions until May 2018, Kaspersky’s security researchers say.
The backdoor is being distributed as an unsigned DMG image that masquerades as Intego’s Internet Security X9 for Apple’s macOS. A comparison with the legitimate application shows that the threat looks fairly convincing, being likely to trick users, especially those who haven’t encountered the application before.
When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.
Next, Calisto asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.
On machines with SIP (System Integrity Protection) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified, and it appears that the malware developers didn’t take that into account.
The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).
If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.
The Trojan also includes some unfinished and unused functionality, such as the loading/unloading of kernel extensions for handling USB devices, data theft from user directories, and self-destruction (together with the OS).
Some of Calisto characteristics, Kaspersky says, would bring the malware close to the Backdoor.OSX.Proton family. The threat poses as a well-known antivirus (Proton was disguising as a Symantec product), its code contains the line “com.proton.calisto.plist,” and can steal a lot of personal data from the system, including the contents of Keychain.
The Proton remote access Trojan was discovered in 2017. It was being advertised as “a professional FUD surveillance and control solution” that could provide complete remote control of infected machines and could steal anything from credit card information to keystrokes and screenshots.
“The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton,” Kaspersky concludes.

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
