Calisto, a version of the Mac malware called Proton, was discovered only recently but has been around for two years. Security experts say it is already dead at this point but they are not disregarding that there may still be a danger of data theft.
In a report by Security Online, security firm Kaspersky said that the virus was uploaded to VirusTotal in August 2016. However, it was then deployed “in the form of a fake Intego Mac Internet Security X9 installer” in June 2016 and for two years had totally blindsided anti-virus software.
Security experts assure that the malware is already dead at this point but it does not necessarily mean it couldn’t wreak havoc.
Malwarebytes explains how malware leaves behind “crumbs” for potential attackers in the future, after the discovery of OSX.Dummy. Proton and Calisto share the same behavior. Proton is said to leave behind a file, which has the user’s password “in clear text,” which the attackers will easily recognize. Imagine the magnitude of damage it could do when cybercriminals get hold of usernames and passwords.
Sentinel One further explains how Calisto can “enable Remote Login” on the computer by using the “systemsetup” command. The malware, in effect, is paving the way for future attackers by placing malicious code.
It was also explained that System Integrity Protection or SIP has been added to MacOS X’s El Capitan (version 10.11) on Sept. 20, 2015, which many suspect posed problems for the Calisto malware because Calisto was dependent on making changes on SIP-protected locations. Later software upgrades on Mac may have contributed to the malware’s demise.
Still, experts won’t let up and discovered that the malware will write and load a LaunchAgent onto the computer’s folder bearing the same name. However, even if it manages to get into its intended location, which is the CoreServices, the SIP would be able to block it. “While not common and certainly not recommended, users wishing to run certain software that requires installation in a SIP-protected folder are known to disable SIP for this and other reasons,” Sentinel One noted.
Users know that it is dangerous to keep password files in any device. Malwarebytes suggests “to check for them in the Terminal with commands like this (changing it for each path): ls -al ~/.calisto/cred.dat.”
If the prompt is “no such file or directory” appears, the device is clean but if not, the file has to be removed manually.