Posted: July 24, 2018 by

A new variant of the Mac malware Proton, which was rampant on macOS last year, has been found dating back to at least two years ago. Learn how this could still affect your Mac today.

Last week, Kaspersky reported on a new variant of the Mac malware Proton, which they have dubbed Calisto, that has been around for at least two years. Calisto is thoroughly dead at this point, but there are still potential security implications involved with these older infections.

Proton was first revealed to the world back in February 2017 via an Apple security update. It was later seen in the wild when the popular DVD ripping tool Handbrake was hacked to distribute Proton in May. It was seen again in October following a hack of the Eltima Software website that resulted in Elmedia Player and Folx being modified to drop Proton. Yet another incident was recorded when Proton was installed by a fake Symantec app, distributed from a fake Symantec blog promoted by search engine optimization tricks.

Proton has been perhaps one of the most high-profile pieces of malware in recent Mac history. But it appears the story began much earlier than previously believed. Kaspersky’s discovery of Calisto, which turns out to be an earlier variant of Proton, provides that evidence.

Calisto’s behavior

Calisto, which was distributed in the form of a fake Intego Mac Internet Security X9 installer, was first submitted to the malware-tracking site VirusTotal on August 2, 2016. As Intego’s X9 software was first released on June 20, 2016, that places a distinct time range on the first appearance of this malware. However, there are signs that there might have been even earlier variants of this malware.

Fortunately, this malware is truly and effectively dead at this point, as the server it attempts to call home to no longer exists.

The addition of System Integrity Protection (SIP) to Mac OS X 10.11 (El Capitan) on September 30, 2015, caused problems for this malware. Calisto relies on being able to make changes to several SIP-protected locations, so some of its functionality fails on El Capitan or later systems. This fact is interesting, as it implies that the malware may have been created prior to that release.

Despite the fact that the malware is unable to perform some of its duties on a modern system, it will still gather password-related files, just like later variants of Proton, intended for exfiltration to a malicious server (which is no longer responding). It’s these files that provide the most reason for interest in this malware, and in other variants of Proton, today.

Password leaks

Earlier this month, with the discovery of OSX.Dummy, we discussed the issue of malware leaving behind sensitive data for other future attackers to find. Proton does the same thing, and the Calisto variant is no different.

Proton, just like Dummy, leaves behind a file containing the user’s password in clear text. In the case of the different variants of Proton, these files are located at the following locations:

~/.calisto/cred.dat
~/Library/VideoFrameworks/.crd
/Library/.cachedir/.crd

It’s important to ensure that these files do not exist on your system—or any systems that you control.

Why? Well, suppose that you’re a bad guy, and you’ve got access to a system that you want to attack, either through malware or direct access. But, you don’t know the user’s password. If you knew it, you could significantly escalate your attack. One way to get that would be to ask the user, but that might raise suspicions.

What if you could find the password right there, and just pick it up and start using it? On systems that have previously been infected by something like Proton or Dummy, that’s exactly what you could do. A hacker simply has to look for these files, and they’ll find the username and password all wrapped up with a nice bow on it, ready to use.

Remediation

It’s important to make sure these password files don’t exist on your Mac. You can check for them in the Terminal with commands like this (substituting each of the paths above in turn):

ls -al ~/.calisto/cred.dat

If the command complains that there is “no such file or directory,” you’re clean. If not, you’re going to need to remove that file. This gets a little tricky, since the files are all either invisible or in invisible folders. So seek help from an expert if you don’t know how to do this.
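As an added example (not from the post or from Malwarebytes), the checks above consolidated into one POSIX shell script. It goes a little beyond the per-user `~` paths: it walks every home directory under /Users as well as the system-wide /Library path, so a file left behind in another account’s home is not missed. The two directory arguments are an assumption so the same check can be pointed at a mounted volume or a test tree.

```shell
#!/bin/sh
# Added example: look for leftover Proton/Calisto credential files in every
# user home plus the system-wide location. Exit 0 when clean, 1 when any found.

# Per-user paths, relative to each home directory (the ~ paths in the post).
PROTON_HOME_PATHS=".calisto/cred.dat Library/VideoFrameworks/.crd"
# System-wide path, relative to the volume root (the /Library path in the post).
PROTON_ROOT_PATHS="Library/.cachedir/.crd"

# report_if_present FILE: print the path and its size if FILE exists.
# Returns 0 when the file exists, 1 otherwise.
report_if_present() {
    if [ -e "$1" ]; then
        echo "FOUND: $1 ($(wc -c < "$1" | tr -d ' ') bytes)"
        return 0
    fi
    return 1
}

# check_proton_artifacts USERS_DIR ROOT_DIR
# USERS_DIR holds the home directories (/Users on a live Mac); ROOT_DIR is the
# volume root (/ on the live system, or a mount point for another disk).
# Assumed argument layout; not an interface from the post.
check_proton_artifacts() {
    users_dir=$1
    root_dir=$2
    found=0
    for home in "$users_dir"/*/; do
        [ -d "$home" ] || continue
        for rel in $PROTON_HOME_PATHS; do
            report_if_present "${home%/}/$rel" && found=1
        done
    done
    for rel in $PROTON_ROOT_PATHS; do
        report_if_present "$root_dir/$rel" && found=1
    done
    return $found
}

# Live run against the local Mac; use sudo to read other users' home directories.
check_proton_artifacts /Users / && echo "No Proton/Calisto credential files found."
```

The script only reports; removing a hit still needs the steps the post describes (or help from an expert), since the files and folders are hidden.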

As an alternate solution, Malwarebytes for Mac will remove all of these items for you.