Windows 10 News and info | Forum
July 23, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Researchers Discover Calisto, a Precursor to Dangerous Proton macOS Malware  (Read 283 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 30251

I Do Windows

WWW Email
« on: July 21, 2018, 06:05:22 PM »

Security researchers have discovered a precursor of the notorious Proton macOS malware. This supposed precursor appears to have been developed back in 2016, a year before Proton and uploaded on VirusTotal, where it remained undetected for nearly two years until May 2018, when Kaspersky researchers stumbled upon it.

Researchers who analyzed the malware used the term "raw" to describe its code and capabilities.

It was clear in their analysis that the malware was still under development and did not have the same capabilities as the Proton remote access trojan.

Proton malware used in high profile hacks

Proton became a household name in the infosec community in March 2017 when threat intelligence analysts from Sixgill found it being sold on an underground hacking forum for steep prices ranging from $1,200 to $820,000.

Two months later, Proton was seen in the wild for the first time when someone hacked the website of the HandBrake app and poisoned the official app with the malware.

Proton was used again in October 2017 when hackers breached the website of the Eltima Player and injected the malware in that app as well.

Proton precursor is named Calisto

At the technical level, Proton is considered a remote access trojan (RAT) that can grant attackers full access over a computer. Such features were also found in this precursor malware, which Kaspersky nicknamed Calisto.

According to researchers, Calisto, too, can enable remote logins into infected Macs, enable screen sharing, gain persistence, add a secret root account to a victim's workstation, and collect files and send them to a remote C&C server.

The data that Calisto likes to hoard and then steal includes stuff like keychain content, details extracted from the user login/password window, network connection info, and Chrome history, bookmarks, and cookies.

SIP can stop Calisto

But despite the presence of some pretty intrusive features, Calisto was not as polished as Proton, researchers said.

The most glaring issue was that its creators appear to have developed Calisto before Apple rolled out its SIP (System Integrity Protection) security feature that prevents users/malware from tampering with critical files, even if they have an admin password.

"Calisto was developed in 2016 or earlier, and it seems that its creators simply didnít take into account the then-new technology," researchers said.

Because of this, SIP can easily stop Calisto dead in its tracks when the malware runs on modern macOS versions.

Most Mac users, unless they turn off SIP, should be safe from this threat. Furthermore, Calisto also appears to have been abandoned by its creators and hence poses a lesser risk than its more dangerous offspring, the Proton RAT.

« Last Edit: July 22, 2018, 01:22:04 AM by javajolt » Logged

Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page June 03, 2019, 01:07:29 PM