Calisto Malware
News | 07/23/2018

Calisto Malware, a Precursor to the Dangerous Proton Mac OS Malware, Discovered by Researchers!

Calisto malware, a precursor to the nasty Proton Mac OS malware, was detected by researchers in May 2018. The sample, believed to be a precursor, had been uploaded to VirusTotal back in 2016 and remained undetected for nearly two years before being found.

Calisto appears to have been a raw, early version of the Proton Remote Access Trojan that infected systems in 2017. The researchers concluded that many of Calisto's features were still under development and resembled those of the Proton RAT.

The Proton RAT had features that were absent from Calisto and were probably developed and added later. The Calisto malware file is an unsigned DMG image disguised as a Mac OS security product from Intego.

Mac OS Proton RAT malware

The Proton Remote Access Trojan was offered for sale by cyber miscreants on an underground hacking forum at prices ranging from $1,200 up to $820,000 for the whole software project.

The Proton RAT's first victim was the website of the HandBrake app: the threat actors infected the official application with the Proton malware. Later, in October 2017, other legitimate applications such as Elmedia Player and its download manager Folx were infected with this Mac OS malware.

Being Remote Access Trojans, both Calisto and Proton give the threat actors full access to the user's system. With Calisto, the cyber miscreants gain control over the following:

  • Remote login is enabled on the system
  • Screen sharing is enabled
  • Remote login permissions are configured for the user
  • A hidden 'root' account is enabled in Mac OS, with its password set to the one specified in the Trojan code
  • Remote login is allowed for all users
  • Files are collected and sent to the cyber miscreants' remote C&C servers
  • Data is collected that includes username/password information, network connection information, Chrome history, bookmarks and cookies, etc.

Some features were found to be unfinished or still under development:

  • Data theft from the user's directories
  • Loading/unloading of kernel extensions to handle USB devices
  • Self-destruction together with the OS

It should be noted that Calisto was developed before Apple rolled out the System Integrity Protection (SIP) security mechanism for Mac OS. Because it predates SIP, Calisto was unable to bypass many of the protections Apple introduced: the threat actors did not account for the new security technology and built in no capability to bypass it and infect critical system files. Apple announced SIP in 2015 with OS X El Capitan.

Users are advised to keep SIP enabled to protect their system from malware threats such as Calisto and Proton. Some precautions a user needs to implement on their system are:

  • Keep the OS updated to the latest version.
  • Don't disable the SIP security mechanism.
  • Only run software downloaded from trusted sources, preferably the official App Store.
  • Keep anti-virus software enabled on the system at all times.
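As an added defensive example, not code from the article or from any vendor named in it, the following Python script checks a Mac for the settings Calisto is described as toggling (SIP state, remote login, an enabled root account, hidden accounts) by parsing the output of the macOS built-ins csrutil, systemsetup and dscl; the parsing rules and the root-account heuristic are my assumptions.

```python
"""Added example, not from the article: audit the macOS settings a Calisto-style RAT
flips, using the built-ins csrutil, systemsetup and dscl (parsing is an assumption)."""
import platform
import subprocess
CHECKS = {  # systemsetup needs root to answer
    "sip": ["csrutil", "status"],
    "remote_login": ["systemsetup", "-getremotelogin"],
    "root_auth": ["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"],
    "hidden_users": ["dscl", ".", "-list", "/Users", "IsHidden"],
}

def sip_enabled(out):
    """csrutil prints 'System Integrity Protection status: enabled.' or 'disabled.'"""
    return "status: enabled" in out.lower()

def remote_login_on(out):
    """systemsetup prints 'Remote Login: On' or 'Remote Login: Off'."""
    return out.strip().lower().endswith(": on")

def root_account_enabled(out):
    """Assumption: disabled root has no ;ShadowHash; entry; enabling it adds one."""
    text = out.lower()
    return ";shadowhash;" in text and ";disableduser;" not in text

def hidden_users(out):
    """dscl -list prints '<name> <IsHidden>' for each account carrying the attribute."""
    rows = (line.split() for line in out.splitlines())
    return [r[0] for r in rows if len(r) == 2 and r[1] == "1"]

def assess(outputs):
    """Turn raw command outputs into a list of Calisto-style findings."""
    findings = ["hidden account: " + n for n in hidden_users(outputs["hidden_users"])]
    if not sip_enabled(outputs["sip"]):
        findings.append("SIP disabled")
    if remote_login_on(outputs["remote_login"]):
        findings.append("remote login enabled")
    if root_account_enabled(outputs["root_auth"]):
        findings.append("root account enabled")
    return findings

def collect_live():
    """Run the real commands on a Mac; refuse to run anywhere else."""
    if platform.system() != "Darwin":
        raise RuntimeError("macOS only")
    return {k: subprocess.run(c, capture_output=True, text=True).stdout for k, c in CHECKS.items()}

# Constructed sample: what a machine configured by a Calisto-like RAT could show.
SAMPLE_INFECTED = {"sip": "System Integrity Protection status: disabled.\n",
                   "remote_login": "Remote Login: On\n",
                   "root_auth": "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n",
                   "hidden_users": "hiddenadmin 1\n"}
```

On a Mac, run `assess(collect_live())` as root; a hidden account or an enabled root is not proof of infection by itself, so compare each finding against the machine's intended configuration.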

The developers of Calisto seem to have abandoned it in favour of the Proton Remote Access Trojan. With no activity for almost two years after Calisto was uploaded to VirusTotal, and given its inability to breach SIP, this malware poses a lesser risk than the Proton RAT.
