Researchers find previously unknown, early version of 'Proton' Mac malware
Researchers find previously unknown, early version of 'Proton' Mac malware

Researchers from Kaspersky Lab have uncovered what appears to be an early developmental prototype of the Proton backdoor malware that typically infects macOS users who download fake security applications.

Dubbed Calisto, the malware was apparently created in 2016, yet only recently began turning up in VirusTotal detections, according to a Kaspersky Securelist blog post published last week.

Blog post authors and researchers Mikhail Kuzin and Sergey Zelensky report that the Calisto installation file Kaspersky analyzed was an unsigned DMG image that convincingly impersonates a solution from Mac security software vendor Intego. While the malware has seemingly never been leveraged in an attack, other versions of Proton that have been used in the wild similarly posed as security software.

After presenting a fake license agreement, the malicious file next requests a username and password in order to make system changes that ultimately benefit the attackers. But the installation never succeeds -- instead the fake app reports an error and directs the user to download a new installation package from the official Intego site. Once victims install the genuine version of the product, they likely shrug off the anomaly that just transpired.

If an infected computer has System Integrity Protection enabled on it, Calisto is only able to store machine data associated with keychain storage, the user login/password window, network connections and Google Chrome. But if SIP is not active, the malware can modify the system, enabling it to remotely access the device and harvest a variety of data that it shares with its C&C server. This server appeared to already be disabled at the time of Kaspersky Lab's investigation.

In a separate company blog post this week, Malwarebytes Director of Mac and Mobile Thomas Reed highlights the fact that Calisto, like the rest of the Proton family, "leaves behind a file containing the user's password in clear text," which future attackers can easily find and use to their advantage.

Proton rose to prominence in 2017 when attackers employed several supply chain attacks to replace genuine downloadable software for DVD ripping tool HandBrake and the ElMedia Player with the malware.