contador web Saltar al contenido

How a macOS Trojan worked for 2 years under the antivirus radar

When we think of cyber attacks, like the famous viruses or malware, our minds soon decide how best to prevent this form of hacking that can affect millions of personal and corporate computers around the world. With the development of operating systems and their security methods, attacks (on PCs, at least) were expected to improve as well; in part this already happens, however the introduction of programming languages, such as Swift, has already proved that the design of the parasitic software interface can even be simple, but efficient.

At the same time, the macOS community had a hard time with a new type of Trojan, called ?Proton?. The malware that could collect data, run software and control the infected Mac remotely quickly spread; but what few know that another backdoor, called "Callisto", may have been the precursor to these attacks, which went on for several months of 2017.

Probably created in 2016, Calisto stayed for almost two years under the radar of the antiviruses, which were unable to find a solution to the problem. As macOS malware is not that common and Calisto definitely had some similarities to Proton, the site Securelist, from the company that produces internet security software Kaspersky Lab, decided to examine Callisto and understand how it worked and why its development was (apparently) interrupted.


It is still unclear how Calisto was distributed, however, to install the Trojan on macOS, a .dmg image of the Mac Internet Security X9 antivirus installation software from Intego was used, which also made a post on the subject.

Callisto installation window

As you can see, for the lay user who has never installed the original Intego software, the Calisto .dmg file looks quite convincing. Personally, I never stopped to analyze the installation file and verify its origin; right after downloading it, the installer was already running.


After executing the .dmg file, a fake license agreement is displayed which, unlike before, seems unconvincing at first glance. Notice, at the top, the name of the ?installation guide? used by Calisto. In addition, signed software has a small guide on the left side of the window that indicates the installation steps, which does not happen here.

License agreement used by Calisto

The text used a little differently from the one displayed by the original Intego X9 software installer probably the criminals took it from an earlier version of the security product. However, when proceeding with the installation, the software prompts the user for login and password, a common procedure when installing a program capable of making changes to macOS.

If so far there was nothing very surprising or something that would alert something wrong, from now on it starts to change. After entering the password for the administrator user, the Trojan displays a warning that the installation has failed and that the user must access the Intego website to download the antivirus software "again" this time, yes, the correct / official product.

Trojan Calisto installation failed


Because it is probably a Trojan testing, even after the complete installation of Callisto on the computer, it was still possible to limit its performance. Its activity depended on a macOS feature called System Integrity Protection (SIP, ie Proteo Integridade do Sistema), announced by Apple in 2015 with OS X El Capitan. As Apple itself explains, SIP restricts the administrator's account from making changes to protected areas of the operating system, even with the password.

Briefly, these protected areas of the system are:

  • /System;
  • / usr;
  • / bin;
  • / sbin;
  • Apps pre-installed on OS X.

Calisto worked exactly in the area / usr of the system and, even though it was ?launched? in 2016 (a year after the implementation of the SIP), its creator apparently did not take into account this new layer of security or maybe it has, since there are many users why they still leave SIP disabled.

Like most malware, the Trojan it used a directory in the system to store its information, called .calisto (the name appears). In macOS, Calisto stored the user's access keys, data extracted from the user / login window, information about the internet network and data from browsers such as history, bookmarks and Cookies.

As mentioned above, the Trojan it recorded the user's access keys, so the hacker could very well remotely access passwords for various sites saved on Safari, since the only authentication required to access this data on macOS is the administrator password.

The jump of the cat that, if SIP is activated in macOS, Calisto is unable to finish its activity when trying to modify system files. This violates the operational logic of the Trojan, making it stop.

Stolen information

With SIP deactivated, Calisto can access and modify the system files, including:

  • Copy your own files to the / System / Library directory;
  • It is configured to start automatically at login;
  • Unmount and uninstall the .dmg file;
  • Added to Security and Privacy items in Accessibility;
  • Allows remote access to the system;
  • Forwards the collected data to a remote server.

As you can see, the last step in the Trojan was to send the user's personal information to the cybercriminal's server. However, at the time the survey was carried out, the servers appeared to be disabled, giving the impression that the project was interrupted.

With respect to Proton, Calisto shared the same distribution method (through a well-known antivirus) and, like him, was able to steal a large amount of personal data from the user's system, including the access keys. Among the differences, this Trojan it was much more advanced than Callisto, and was able to access sensitive information even with SIP enabled.

· ? ·

We know that the world of cybercrime will not cease anytime soon, especially with the exponential number of sensitive data and information that can be accessed through Trojans and other malware such as Callisto. Therefore, it remains for us to go back to the first idea of ??this article and look at how best to prevent us from being the next victims of these attacks.

In the Mac world, especially, if you are ever careful to download software from its official websites (or even better, from the Mac App Store), you will hardly have to worry about anything.

via AppleInsider