Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Calisto macOS Backdoor Remained Undetected for Two Years

A recently discovered backdoor targeting macOS systems remained undetected for at least two years, according to security firm Kaspersky Lab.

A recently discovered backdoor targeting macOS systems remained undetected for at least two years, according to security firm Kaspersky Lab.

Dubbed Calisto, the malware was first uploaded to VirusTotal in 2016, likely the same year it was created, but it remained undetected by anti-virus solutions until May 2018, Kaspersky’s security researchers say.

The backdoor is being distributed as an unsigned DMG image that masquerades as Intego’s Internet Security X9 for Apple’s macOS. A comparison with the legitimate application shows that the threat looks fairly convincing, being likely to trick users, especially those who haven’t encountered the application before.

When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.

Next, Calisto asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.

On machines with SIP (System Integrity Protection) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified, and it appears that the malware developers didn’t take that into account.

The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).

If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.

The Trojan also includes some unfinished and unused functionality, such as the loading/unloading of kernel extensions for handling USB devices, data theft from user directories, and self-destruction (together with the OS).

Some of Calisto characteristics, Kaspersky says, would bring the malware close to the Backdoor.OSX.Proton family. The threat poses as a well-known antivirus (Proton was disguising as a Symantec product), its code contains the line “com.proton.calisto.plist,” and can steal a lot of personal data from the system, including the contents of Keychain.

The Proton remote access Trojan was discovered in 2017. It was being advertised as “a professional FUD surveillance and control solution” that could provide complete remote control of infected machines and could steal anything from credit card information to keystrokes and screenshots.

“The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton,” Kaspersky concludes.

Related: Supply Chain Attack Spreads macOS RAT

Related: New macOS Malware Targets Crypto-Currency Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.