Researchers at SecureList have been studying a macOS Trojan they have dubbed Calisto. Calisto attempts to pass itself off as Intego’s security solution for Mac, although it lacks Intego’s code signature, which a legitimately distributed DMG image would carry. During installation the user is presented with a very convincing license agreement that differs only slightly from the real one.

If the user clicks “Agree” on the licensing prompt, they are then asked for their macOS credentials. For macOS applications that need to make system modifications this is a normal step, so the request is unlikely to raise suspicion. After a brief pause, the user is shown an error message stating that the software could not be installed because it is invalid, and that the application should be retrieved from Intego’s official site instead. If the user does so, the genuine anti-virus product is installed and the user is likely to write off the initial error as a fluke and forget about it.

Meanwhile, since the error message was fake, the Trojan continues its installation and works to secure a foothold on the victim’s system. One system hurdle that Calisto cannot overcome is SIP (System Integrity Protection). Introduced by Apple in 2015 with OS X El Capitan, SIP protects key system files and directories and prevents their modification, even by the all-powerful root account.

Unfortunately, some users disable SIP, and on such systems Calisto can carry out its full attack. As well as entrenching itself, Calisto gathers information about the system and attempts to deliver it to its command and control (C2) server. It also enables remote access to the system and screen sharing. Although Calisto attempts to send information back to its C2, SecureList researchers found that the server was no longer operational at the time of analysis.

Indicators of Compromise

  • d7ac1b8113c94567be4a26d214964119 (MD5)
  • 2f38b201f6b368d587323a1bec516e5d (MD5)

Recommendations

  • Keep applications and operating systems running at the current released patch level
  • Ensure anti-virus software and associated signature files are up to date
  • Do not disable SIP
  • Only download and install signed copies of software from trusted sources, such as the App Store or the vendor’s official site
  • Search for existing signs of the indicated IoCs in your environment
  • Block any URL- and IP-based IoCs published for this threat at the firewall, IDS, web gateways, routers or other perimeter-based devices
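As an added example, not part of the SecureList write-up and not Intego’s or Apple’s code, the following POSIX shell script turns three of the points above into host checks a Mac admin can run: it confirms SIP is still enabled, asks Gatekeeper (spctl) whether a downloaded DMG carries an acceptable signature, and hunts a directory tree for the two MD5 hashes listed above. The script name calisto_triage.sh and the default target directory ~/Downloads are assumptions. The hash hunt is plain sh and runs on any Unix; the SIP and signature checks only mean something on macOS and are skipped where csrutil and spctl are absent.

```shell
#!/bin/sh
# calisto_triage.sh (hypothetical name) - added example, not Securelist's or
# Intego's code. Three host checks that follow from the Calisto write-up:
#   1. sip_enabled   - is System Integrity Protection still on?
#   2. signature_ok  - does a DMG/app pass Gatekeeper's signature assessment?
#   3. hunt_hashes   - does any file under a directory match the published MD5s?

# MD5 hashes from the write-up's IoC list.
CALISTO_MD5S="d7ac1b8113c94567be4a26d214964119
2f38b201f6b368d587323a1bec516e5d"

# Portable MD5 of one file: md5sum (coreutils), md5 (macOS) or openssl as fallback.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# sip_enabled: 0 if csrutil reports SIP enabled, 1 if disabled, 2 if csrutil
# is not present (not macOS). Disabled SIP is the condition Calisto needs.
sip_enabled() {
    command -v csrutil >/dev/null 2>&1 || return 2
    csrutil status 2>/dev/null | grep -q 'status: enabled'
}

# signature_ok PATH: 0 if Gatekeeper accepts PATH's signature, 1 if it is
# rejected (unsigned, ad-hoc or revoked), 2 if spctl is not present.
# A DMG lacking the vendor's Developer ID signature, as the fake Intego image
# does, fails the primary-signature assessment.
signature_ok() {
    command -v spctl >/dev/null 2>&1 || return 2
    case "$1" in
        *.dmg) spctl --assess --type open --context context:primary-signature "$1" >/dev/null 2>&1 ;;
        *)     spctl --assess --type execute "$1" >/dev/null 2>&1 ;;
    esac
}

# hunt_hashes DIR [HASHES]: hash every regular file under DIR and print
# "md5  path" for each one found in HASHES (newline-separated, defaults to
# CALISTO_MD5S). Returns 1 if anything matched, 0 if the tree is clean.
hunt_hashes() {
    dir="$1"
    hashes="${2:-$CALISTO_MD5S}"
    # The while loop runs in a subshell, so collect its output rather than a counter.
    matches=$(find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        h=$(file_md5 "$f")
        [ -n "$h" ] || continue
        if printf '%s\n' "$hashes" | grep -qix "$h"; then
            printf '%s  %s\n' "$h" "$f"
        fi
    done)
    [ -z "$matches" ] && return 0
    printf '%s\n' "$matches"
    return 1
}

main() {
    target="${1:-$HOME/Downloads}"   # assumed default: where the fake DMG would land
    if sip_enabled; then
        echo "[ok] SIP enabled"
    else
        case $? in
            1) echo "[!!] SIP disabled: Calisto can modify protected system paths" ;;
            *) echo "[--] csrutil not found, SIP check skipped" ;;
        esac
    fi
    for img in "$target"/*.dmg; do
        [ -e "$img" ] || continue
        if signature_ok "$img"; then
            echo "[ok] signature accepted: $img"
        else
            echo "[!!] signature rejected or spctl missing: $img"
        fi
    done
    if hunt_hashes "$target"; then
        echo "[ok] no Calisto hashes under $target"
    else
        echo "[!!] Calisto hash matches listed above, isolate the host"
    fi
}

# Run the checks only when invoked directly as the script, not when sourced.
case "${0##*/}" in calisto_triage.sh) main "$@" ;; esac
```

Run it as `sh calisto_triage.sh ~/Downloads`. A match from hunt_hashes is only as good as the hash list: MD5 is fine for matching a known sample but trivially changed by a recompile, so treat a clean result as "these two samples are absent", not as "the host is clean".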