MacOS Backdoor Found after 2 Years

Monday, July 23, 2018 @ 05:07 PM gHale

A backdoor on macOS systems remained undetected for at least two years, researchers said.

Calisto is the malware that remained undetected by anti-virus solutions until May 2018, said researchers at Kaspersky Lab.


They found it was first uploaded to VirusTotal in 2016, which they think could be the year it was created.

The backdoor is distributed as an unsigned DMG image purporting to be Intego’s Internet Security X9 for Apple’s macOS.

A comparison with the legitimate application shows the threat is very convincing, said Kaspersky researchers Mikhail Kuzin and Sergey Zelensky in a post.

When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.

The fake agreement looks convincing, especially if the user has not used the app before.

Calisto then asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.

On machines with System Integrity Protection (SIP) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified.

The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).

If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.

Researchers said the Calisto backdoor resembles the Backdoor.OSX.Proton family:
• The distribution method is similar: It masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
• The Trojan sample contains the line “com.proton.calisto.plist”
• Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain
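The two host artifacts named above, the hidden .calisto directory and a property list carrying the com.proton.calisto label, are enough for a simple triage check. The script below is an added example, not code from the Kaspersky report; it assumes only that the artifacts keep those names and takes the directory to scan (a home directory, a mounted image, or / on a live Mac) as its argument.

```sh
#!/bin/sh
# Added triage helper (not from Kaspersky's report). It looks for the two
# artifacts the article names: a hidden ".calisto" staging directory and
# any .plist whose contents reference "com.proton.calisto" (persistence).
# Usage: scan_for_calisto ROOT   -> prints findings, returns their count
# (0 = nothing found). Scanning "/" on a live Mac can take a while.

scan_for_calisto() {
    root="$1"
    hits=0

    # 1. Hidden directory used to stage stolen keychain/browser data.
    dirs=$(find "$root" -type d -name '.calisto' 2>/dev/null)
    if [ -n "$dirs" ]; then
        printf '%s\n' "$dirs" | sed 's/^/hidden staging dir: /'
        hits=$((hits + $(printf '%s\n' "$dirs" | wc -l)))
    fi

    # 2. Property lists referencing the Proton-family label.
    plists=$(find "$root" -type f -name '*.plist' \
             -exec grep -l 'com.proton.calisto' {} + 2>/dev/null)
    if [ -n "$plists" ]; then
        printf '%s\n' "$plists" | sed 's/^/suspicious plist: /'
        hits=$((hits + $(printf '%s\n' "$plists" | wc -l)))
    fi

    return "$hits"
}

# SIP state matters because the article says the full install path only
# runs with SIP disabled. csrutil exists only on macOS, so it is guarded.
sip_status() {
    if command -v csrutil >/dev/null 2>&1; then
        csrutil status
    else
        echo "csrutil not available (not macOS?)"
    fi
}
```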

“Recall that all known members of the Proton malware family were distributed and discovered in 2017,” the researchers said. “The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.”

To protect against Calisto and Proton, users should:
• Always update to the current version of the OS
• Never disable SIP
• Run only signed software downloaded from trusted sources, such as the App Store
• Use antivirus software
