
EVERYTHING YOU NEED TO KNOW ABOUT CALISTO TROJAN IN MACOS

By ADMIN| August 13, 2018


Remember that once malware is on your computer it can wreak havoc: taking control of your system, monitoring your actions and sending all sorts of confidential data from your computer or network back to the attacker, right under your nose and without your knowledge. Cybercrime and malware have become commonplace, and attackers keep finding new ways to steal confidential information from users for financial gain. One piece of malware that has spread recently and drawn attention for its new entrenchment techniques is the Calisto Trojan, a macOS backdoor.

How Does It Spread?

The installation file of Calisto is an unsigned DMG image disguised as Intego's security tool for Mac. It is offered on a site that looks like the Intego Mac Security tool website and appears entirely normal, but it fools users because the difference between the real site and the fake one is so minor that they cannot be told apart.

How Does the Installation Take Place?

After downloading and launching the app, you see an agreement text in the Intego wizard. The font of that text differs from the real one, but the difference is not easy to notice. On the next page, users are asked to enter their macOS credentials. Once the credentials are entered, the program hangs and shows an error prompting the user to download a fresh installation file from the official antivirus website. Most people ignore the error, download and install the file again and get the genuine security tool, while the malicious Calisto software is already at work in the background.

How To Investigate the Trojan?

There are two scenarios:
  • SIP enabled
  • SIP disabled
Let's look at both.

SIP enabled:

SIP (System Integrity Protection) protects important system files from being changed, even by a user with root permissions. Developers did not study the technology, which was new at that time, and did not really care about it; most users disable SIP. To inspect Calisto's activity, you can use the child process log and the decompiled code.

[Screenshot: log of commands performed by the Trojan while it is active]

[Screenshot: commands hardcoded inside Calisto]

On inspection, you can see that the Trojan uses a hidden directory named .calisto to gather:

Data the attackers accumulate from the credentials box:

  • Storage data
  • Details of the network connection
  • History, cookies and bookmarks from Google Chrome

Once the attackers have the login credentials, they can access all other passwords and sensitive information on your Mac. With SIP enabled, however, the Trojan hits an error when it tries to modify Mac system files, which stops the whole process.

SIP disabled:

When SIP is disabled, inspecting Calisto is more difficult. Once installed, Calisto begins operating and, with SIP not active, nothing interrupts the malware. It copies itself to a System -> Library folder and then:
  • Launches Calisto
  • Unmounts and deletes the DMG image
  • Attaches itself to Accessibility
  • Activates remote access to your system
  • Sends the collected data to the C&C server

Malware implementation operation

After installation on the Mac, Calisto starts automatically: it creates a .plist file in a Library -> LaunchAgents folder that links to the malware.

[Screenshot: the LaunchAgents .plist created by Calisto]

The Calisto DMG image is unmounted and deleted with the following command:

[Screenshot: command used to unmount and delete the DMG image]

Calisto also attaches itself to Accessibility by modifying the TCC.db file. Taking remote access of the user's system is one of Calisto's most significant features. To do that, it enables the following:
  • Remote login
  • Screen sharing
  • Remote login for everyone
  • Remote login permissions
  • A private root account in macOS, with the password specified in the Trojan's code
The commands used are shown below:

[Screenshot: commands used to enable remote access]

How to prevent Calisto from infecting your Mac?

To keep Calisto off your computer, always remember these points:
  • Keep your OS updated to the latest version.
  • Keep SIP enabled.
  • Only install software from the App Store and trusted websites.
  • Install antivirus software.
In this way, you can identify and detect Calisto.
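As an added example (not code from the original post), here is a small defender-side script that looks for the artifacts described above: the hidden .calisto directory, a LaunchAgents plist that points at the malware and, on a live Mac, the SIP state, the Remote Login setting and any extra UID-0 account. The directory layout it scans and the sample plist it builds for its offline demo are assumptions.

```shell
# Added defender check, not code from the original post. Scans a filesystem root for the
# Calisto artifacts described above; host_checks queries SIP, Remote Login and UID-0 accounts.

calisto_indicator_scan() {
  root="${1:-}"
  # Hidden staging directory used to collect harvested data (user homes and root's home)
  for d in "$root"/Users/*/.calisto "$root"/var/root/.calisto "$root"/.calisto; do
    if [ -d "$d" ]; then echo "FOUND hidden staging directory: $d"; fi
  done
  # Persistence: any LaunchAgents plist whose contents mention calisto
  for p in "$root"/Library/LaunchAgents/*.plist "$root"/Users/*/Library/LaunchAgents/*.plist; do
    if [ -f "$p" ] && grep -qi 'calisto' "$p"; then echo "FOUND persistence plist: $p"; fi
  done
  return 0
}

# Number of FOUND lines as a plain integer (0 means no indicators)
calisto_indicator_count() {
  calisto_indicator_scan "$1" | grep -c '^FOUND' || true
}

host_checks() {
  # macOS-only tools, each probed before use so the script is harmless on other systems
  command -v csrutil >/dev/null 2>&1 && csrutil status                  # want "enabled"
  command -v systemsetup >/dev/null 2>&1 && \
    { systemsetup -getremotelogin 2>/dev/null || echo "run as root to query Remote Login"; }
  # Calisto adds its own root-level account: flag any UID-0 user other than root
  command -v dscl >/dev/null 2>&1 && \
    dscl . -list /Users UniqueID | awk '$2 == 0 && $1 != "root" { print "FOUND extra UID-0 account: " $1 }'
  return 0
}

# Constructed scratch tree carrying both file-system indicators, for an offline dry run
demo_constructed_tree() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/Users/alice/.calisto" "$tmp/Users/alice/Library/LaunchAgents"
  printf '<plist><dict><key>Program</key><string>/tmp/.calisto/Calisto</string></dict></plist>\n' \
    > "$tmp/Users/alice/Library/LaunchAgents/com.example.agent.plist"
  calisto_indicator_scan "$tmp"
  echo "findings: $(calisto_indicator_count "$tmp")"   # findings: 2
  rm -rf "$tmp"
}

case "${1:-}" in
  --demo) demo_constructed_tree ;;
  "") ;;                                      # no argument: only define the functions
  *) calisto_indicator_scan "$1"; host_checks ;;
esac
```

Run it with `/` as the argument on the Mac being examined, or with `--demo` to see the scan fire on the constructed tree.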
