Security researchers have discovered a precursor of the notorious Proton macOS malware dubbed as Calisto, remained undetected from the radar of antivirus solutions for years.
This supposed precursor appears to have been developed back in 2016, a year before Proton and uploaded on VirusTotal. It remained undetected for nearly two years until May 2018, when Kaspersky researchers stumbled upon it.
Researchers who analyzed the malware used the term “raw” to describe its code and capabilities.
It was clear in their analysis that the malware was still under development and did not have the same capabilities as the Proton remote access trojan.
READ ALSO: Website of Popular MacOS Software Hacked to Spread RAT.
Proton malware used in high profile hacks
Proton became a household name in the infosec community in March 2017 when threat intelligence analysts from Sixgill found it being sold on an underground hacking forum for steep prices ranging from $1,200 to $820,000.
Two months later, Proton was seen in the wild for the first time when someone hacked the website of the HandBrake app and poisoned the official app with the malware.
Proton was used again in October 2017 when hackers breached the website of the Eltima Player and injected the malware in that app as well.
At the technical level, Proton is considered a remote access trojan (RAT). It grants attackers to have full access over a computer. Such features were also found in this precursor malware, which Kaspersky nicknamed Callisto.
According to researchers, Callisto can also enable remote logins into infected Macs. It can enable screen sharing, gain persistence, add a secret root account to a victim’s workstation, and collect files and send them to a remote C&C server.
Not only Chrome history, bookmarks, and cookies but stuff like keychain content, details extracted from the user login/password window and network connection info can also be done by Callisto.
SIP can stop Callisto
But despite the presence of some pretty intrusive features, Callisto was not as polished as Proton, researchers said.
Callisto was developed before Apple rolled out its SIP (System Integrity Protection) security feature. It prevents users/malware from tampering with critical files, even if they have an admin password.
“Callisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology,” researchers said.
Because of this, SIP can easily stop Callisto dead in its tracks when the malware runs on modern macOS versions.
Most Mac users, unless they turn off SIP, should be safe from this threat. Furthermore, Callisto also appears to have been abandoned by its creators. Hence poses a lesser risk than its more dangerous offspring, the Proton RAT.