macOS system security can be easily bypassed

Careless Internet users: even Apple's operating system, theoretically the safest one (right after Linux), will not guarantee a sufficiently high level of security if, for their own convenience, users disable the features that protect against malware. macOS security can be broken just as easily as Windows, and by attacks that are not sophisticated at all. All it takes is a well-prepared social engineering attack against an imprudent Internet user.

Researchers from Kaspersky Lab have detected a Trojan (called Calisto) that infects macOS. The Trojan impersonated Intego's Mac Internet Security X9 antivirus and, once installed on the system, gave attackers remote backdoor access to the file system.

Researchers from Kaspersky Lab describe the Trojan's entire history: it began with the development of its malicious functions. The first prototype of the pest had limited functionality and may not even have occurred in the wild. The first samples associated with the backdoor were uploaded to VirusTotal in 2016, but detections of the final version of the Calisto Trojan have appeared only recently.

Experts are not sure how the malware was distributed. Usually in such cases it is a scam or a well-prepared website that pretends to belong to an antivirus vendor and contains a download link; the infection process started with launching an unsigned DMG file disguised as the Mac Internet Security X9 antivirus solution for macOS. For comparison, would you recognize a real installer?

[Image: Mac Internet Security X9 installer]

During installation, the user receives a very convincing license agreement, which differs only slightly from the actual one.

[Image: the antivirus license agreement]

After accepting the terms, the fake anti-virus asks you to enter your username and password. This is quite normal behavior when installing programs that make changes to the system.

[Image: macOS prompt for user name and password]

Once the credentials have been entered, the program hangs and suggests downloading the installer again. This time the real one, from the manufacturer's site.

[Image: macOS error]

In the meantime, the user either ignores the installer and goes about their own business or continues with the installation of the real security program. But the milk has already been spilled, because in the background the Trojan is making harmful changes. At this stage, the only protection against further consequences is System Integrity Protection (SIP), which was introduced with the release of OS X El Capitan. It monitors key system files and directories and prevents them from being modified by processes that do not carry an Apple digital signature. Unfortunately, some users disable SIP because it stops them from freely modifying certain system settings, even with root privileges. With SIP disabled, Calisto continues its installation.

In the final phase, the Trojan becomes a backdoor: it gathers information about the system and forwards it to a server controlled by the criminals. It also allows remote access to the system, either through its own backdoor or by using tools built into the system. Since the Trojan works with administrator privileges, it can bury itself deep in the system and conceal its activity.

To control and collect information from infected machines, a server with the IP address 40.87.56.192 was used; it has since stopped working. Details are on VirusTotal.

Additional IoC:

  • d7ac1b8113c94567be4a26d214964119
  • 2f38b201f6b368d587323a1bec516e5d
  • 40.87.56.192

To secure macOS against similar pests, it is recommended to install updates, install an antivirus program, install software only from trusted sources and, above all, not to disable SIP. More advanced users can search their systems for indicators of compromise (IoC). You can use these security tools for this purpose.
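As an added example (not code from the AVLab article or from Kaspersky's analysis), here is a small POSIX shell triage script covering the two checks above: whether SIP is still enabled, and whether either of the listed Calisto file hashes is present under a directory. It assumes that `csrutil status` on macOS prints "System Integrity Protection status: enabled." or "... disabled.", and that `md5 -q` (macOS) or `md5sum` (other systems) is available.

```shell
#!/bin/sh
# Added example, not code from the AVLab article or from Kaspersky's analysis.
# Defender's triage for the two recommendations in the article:
# is SIP still enabled, and are the listed IoC hashes present on disk?
# Assumption: `csrutil status` prints "System Integrity Protection status: enabled."
# or "... disabled." (macOS). The MD5s below are the two file hashes listed above.

CALISTO_MD5="d7ac1b8113c94567be4a26d214964119
2f38b201f6b368d587323a1bec516e5d"

# Classify csrutil's output as enabled / disabled / unknown.
sip_state() {
    case "$1" in
        *"Protection status: enabled"*)  echo enabled ;;
        *"Protection status: disabled"*) echo disabled ;;
        *)                               echo unknown ;;
    esac
}

# MD5 of one file: `md5 -q` on macOS, `md5sum` elsewhere.
md5_of() {
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else md5sum "$1" | cut -d' ' -f1; fi
}

# Hash every regular file under $1 and print "<md5>  <path>" for each hash
# found in the IoC list ($2, defaulting to the Calisto hashes).
# Returns 0 if at least one file matched, 1 otherwise.
scan_for_iocs() {
    iocs=${2:-$CALISTO_MD5}
    matches=$(find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        h=$(md5_of "$f")
        [ -n "$h" ] || continue          # unreadable file: never a match
        case "$iocs" in *"$h"*) printf '%s  %s\n' "$h" "$f" ;; esac
    done)
    [ -n "$matches" ] && printf '%s\n' "$matches"
    [ -n "$matches" ]
}

# Stand-alone use: sh triage.sh /Applications
if [ -n "${1:-}" ]; then
    if command -v csrutil >/dev/null 2>&1; then
        echo "SIP: $(sip_state "$(csrutil status)")"
    fi
    scan_for_iocs "$1" || echo "no Calisto IoC hashes found under $1"
fi
```

A hash match only tells you that a known sample is on disk; a "disabled" SIP state on a machine that ran the fake installer is the stronger reason to treat it as compromised.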

We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.