Cyber security solutions vendor Stealthcare has warned Mac users that the Calisto Trojan is back. Calisto was originally seen in 2016 but quickly disappeared to be replaced with newer versions of the Mac malware Proton. The malware has the ability to access the Keychain app on MacOS. This allows it to steal user credentials, including passwords, for any site the user accesses.
In its latest weekly Stealthcare Alert, the company warns clients: “The operator’s motives are unclear as this backdoor provides total access to the infected machine, offering myriad possible courses of action. Calisto also contains several unfinished functionalities suggesting it is still in active development.
“Calisto’s functions include loading and unloading the kernel extensions for handling USB drives, data theft from user directories, and self-destruction together with the destruction of the Operating System.”
How much of a threat does Calisto pose?
It’s an interesting question. System Integrity Protection (SIP), introduced by Apple in 2015, blocks many of the features of Calisto. Several security researchers have suggested that this is one of the reasons that the malware never really took off. It might also explain why the authors left chunks of functionality unfinished as they were not sure how to overcome SIP.
Apple has since issued several updates to MacOS that should prevent Calisto from working. It has also issued patches for any MacBook that may have SIP disabled. Additionally, the infrastructure Calisto was coded to use, such as its C&C servers, is no longer live.
But does this mean that Calisto is not a threat? The answer is no. Just because SIP is enabled does not mean that Calisto cannot grab data from the computer. All it means is that it has nowhere, at present, to send it. An update with a new C&C component and the completion of the unfinished functionality could quickly address this issue.
What does this mean?
The security industry knows that old vulnerabilities and old malware never completely go away. They sit dormant until people have forgotten about them and then return. They also take advantage of lazy patching, or of users disabling security features, in order to attack them.
The latter is more common on mobile devices, where it is known as jailbreaking. It allows users to install apps from sources other than official app stores. Users take the risk of lowering the security on their device and being more easily infected with malware.
SIP on MacOS has had a chequered past. When it first appeared it interfered with the way some apps worked. Apple said this was down to poor coding practices and that any app which was properly code-signed would run. That has not prevented some users from disabling SIP. Looking around the Internet there are dozens of articles on how to disable SIP. Doing so would make it far easier for Calisto and other MacOS malware to work.
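A fleet-side check a defender might run to catch Macs where SIP has been switched off, added here as an example rather than anything from the article or from Stealthcare. The sample `csrutil status` lines are constructed, and treating a "Custom Configuration" result as non-compliant is an assumption about how partially disabled SIP reports itself.

```shell
#!/bin/sh
# Classify the text printed by `csrutil status` (macOS) so a compliance job can
# flag machines where System Integrity Protection is not fully enabled.
# Sample status strings used in comments below are constructed for illustration.

sip_state() {
    # $1: full output of `csrutil status`
    # A partially disabled SIP reports "Custom Configuration", so test for that
    # before the plain enabled/disabled cases (assumption about the wording).
    case "$1" in
        *"Custom Configuration"*) printf 'custom\n' ;;
        *"status: enabled"*)      printf 'enabled\n' ;;
        *"status: disabled"*)     printf 'disabled\n' ;;
        *)                        printf 'unknown\n' ;;
    esac
}

sip_verdict() {
    # Emit one log line per host; only a fully enabled SIP passes.
    state=$(sip_state "$1")
    if [ "$state" = "enabled" ]; then
        printf 'OK sip=%s\n' "$state"
    else
        printf 'ALERT sip=%s action=investigate-why-SIP-was-changed\n' "$state"
    fi
}

sip_check_host() {
    # Live check when csrutil exists (macOS); elsewhere report it as unavailable
    # so a scheduler can tell "not a Mac" from "SIP disabled".
    if command -v csrutil >/dev/null 2>&1; then
        sip_verdict "$(csrutil status 2>/dev/null)"
    else
        printf 'SKIP sip=unavailable\n'
    fi
}

# Run against the local machine when executed directly.
[ "${SIP_CHECK_LIB:-0}" = "1" ] || sip_check_host
```

Set `SIP_CHECK_LIB=1` to source the functions into another script without running the host check.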
As Calisto comes from a family of known malware, Mac users running up-to-date endpoint protection should be safe from this Trojan.