History of Calisto
Kaspersky Lab recently discovered a macOS backdoor, dubbed Calisto, that remained undetected for almost two years. The malware was first uploaded to VirusTotal in 2016.
How does the malware spread?
Calisto is delivered to victims as an unsigned DMG disk image.
The DMG image impersonates Intego's Internet Security X9 for Apple's macOS, so victims believe they are installing the legitimate application image. The trick works best on users who have never encountered the real application before and therefore have nothing to compare it against.
The malware uses a hidden directory named .calisto to store the keychain storage data it harvests. The data it extracts includes user details such as the user login and password, network connection information, and Google Chrome cookies.
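As an added defensive check, not code from the page or from Kaspersky, the following Python script walks a filesystem root looking for the hidden .calisto staging directory described above and inventories what it holds; the sample home-directory tree it builds is constructed for the demonstration, and the file names inside it are placeholders.

```python
import os
import tempfile
from typing import Dict, List

# Hidden staging directory the page says Calisto uses for harvested keychain data.
CALISTO_DIR = ".calisto"


def find_calisto_dirs(root: str) -> List[str]:
    """Walk root and return the absolute path of every directory named .calisto."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if name == CALISTO_DIR:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def inventory(staging_dir: str) -> Dict[str, int]:
    """Map each file under a hit (path relative to it, '/'-separated) to its size."""
    result = {}
    for dirpath, _dirs, files in os.walk(staging_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, staging_dir).replace(os.sep, "/")
            result[rel] = os.path.getsize(full)
    return result


def scan(root: str) -> Dict[str, Dict[str, int]]:
    """Return {staging dir path: inventory} for every .calisto directory under root."""
    return {hit: inventory(hit) for hit in find_calisto_dirs(root)}


def build_sample_tree() -> str:
    """Constructed sample (not real data): two home dirs, one holding a staging dir."""
    root = tempfile.mkdtemp(prefix="calisto-demo-")
    os.makedirs(os.path.join(root, "alice", "Documents"))
    staging = os.path.join(root, "bob", CALISTO_DIR)
    os.makedirs(os.path.join(staging, "chrome"))
    # Placeholder files standing in for the keychain and Chrome data the page lists.
    with open(os.path.join(staging, "keychain.dat"), "wb") as fh:
        fh.write(b"\x00" * 64)
    with open(os.path.join(staging, "chrome", "cookies.db"), "wb") as fh:
        fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for hit, files in scan(build_sample_tree()).items():
        print(f"[!] {hit}")
        for rel, size in sorted(files.items()):
            print(f"    {rel} ({size} bytes)")
```

Run it against /Users on a real Mac (as a user who can read the home directories) instead of the sample tree to turn it into an actual check.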
How does Calisto work?
Many people are curious about how this malware actually affects a victim.
Normally, a user runs the installer and is shown the application's legitimate license agreement.
Calisto instead shows a fake license agreement that looks almost identical to Intego's real one.
Once the user accepts it, Calisto asks for the user's login and password to capture their credentials, much like a phishing attack.
Based on several of its characteristics, the trojan shares traits with Backdoor.OSX.Proton.
Kaspersky concluded that:
“The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.”