Calisto trojan for macOS spreading via Mac Internet Security X9

Cybercriminals are spreading a backdoor trojan horse disguised as a popular antivirus software. Here’s how you can keep your system safe from Calisto if you own a MacBook or iMac.

What is Calisto?

Calisto is a powerful backdoor trojan that steals sensitive user data. Security researchers Mikhail Kuzin and Sergey Zelensky were the first to discover this trojan.

Surprisingly, this malware was uploaded to VirusTotal back in 2016. However, major antivirus tools only started detecting it recently.

Cybercriminals are spreading this malware disguised as Intego_v9.0.3_websetup, the ninth version of Intego’s antivirus installer.

The bogus installer looks exactly like the authentic one – except for a few options that can easily fly under the radar of the average user.

How it infects macOS

  • The user launches the installer and inputs the username and password.

  • Once the installer receives the credentials, it throws the “installation failed” error. The message advises the user to download a new package from the official website of Intego.

  • With the backdoor in place, the unsuspecting user downloads and installs a genuine copy of the program and forgets about the error.

Calisto steals and transmits sensitive user data

Though Calisto is a very powerful trojan, the SIP (System Integrity Protection) feature of macOS significantly reduces its efficacy. Nevertheless, it’s still able to get its hands on some juicy user data.

Once it bypasses all the defenses (except SIP), it steals keychain storage data, user credentials, network data, Chrome browsing history, bookmarks, and cookies. It stores all that information in a hidden directory called “.calisto”.

If SIP is disabled, the trojan becomes even more potent – it harvests more information about the system, enables remote access, and forwards data to a command-and-control server.
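As an added defender's triage check (not from the original article or from Securelist), the script below looks for the hidden “.calisto” directory the article names and reports SIP status, since the article ties the trojan's reach to whether SIP is enabled. It assumes the directory is created under a user's home directory (the article does not say where) and that the standard macOS home root is /Users.

```shell
#!/bin/sh
# Added example, not code from the article. Assumption: the ".calisto"
# directory sits directly under a user's home directory; the article does
# not state where it is created, so adjust the scan root if needed.

# Print every ".calisto" directory found directly under a child of the given
# root(s), e.g. /Users/alice/.calisto. Return 0 if at least one was found,
# 1 otherwise. -maxdepth is a BSD/GNU find extension (present on macOS).
find_calisto_dirs() {
    hits=$(find "$@" -maxdepth 2 -type d -name .calisto 2>/dev/null) || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# Report System Integrity Protection status as "enabled", "disabled", or
# "unknown" when csrutil is unavailable (e.g. when run on a non-macOS host).
sip_status() {
    command -v csrutil >/dev/null 2>&1 || { echo unknown; return 0; }
    case "$(csrutil status 2>/dev/null)" in
        *enabled*)  echo enabled ;;
        *disabled*) echo disabled ;;
        *)          echo unknown ;;
    esac
}

# Stand-alone run: scan the standard macOS home-directory root.
echo "SIP: $(sip_status)"
if find_calisto_dirs /Users; then
    echo "Calisto indicator present: review the affected accounts"
else
    echo "No .calisto directory found under /Users"
fi
```

Run it as an administrator so that every home directory is readable; a hit on a machine with SIP disabled matches the article's worst case and warrants a full investigation rather than just deleting the directory.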

Interestingly, the server the data gets forwarded to is ostensibly disabled and doesn’t answer any requests.

This suggests that the cybercriminals behind Calisto may not be actively using the malware to steal data.

Wrapping up

If you are using an unauthorized copy of Intego’s Mac Internet Security X9, you should contact the developers as soon as possible.

The number of viruses developed for macOS may be nowhere near the number written for Windows, but it is certainly increasing.

To keep your computer safe from threats, only use authorized software and tools and stick to official sources whenever possible.

(Source – Securelist)
