MacOS Proton RAT’s Predecessor Calisto Discovered on VirusTotal

Between the 2nd and 6th of May, a HandBrake software download mirror (download.handbrake.fr) was compromised. On the 6th of May the developers posted a warning notice to help users determine whether their macOS systems had been infected by the notorious Proton Remote Access Trojan (RAT). It was reported that approximately 50% of all downloads carried out in that time frame resulted in infected systems.

Now, researchers at Kaspersky have stumbled across a predecessor of the Proton RAT malware, Calisto. They believe it was developed a year before Proton, as it did not have the ability to bypass System Integrity Protection (SIP), which demands admin credentials for the editing of fundamental files and was a feature still being enhanced at the time. Kaspersky’s researchers have concluded that Calisto was abandoned in favor of Proton, as Calisto’s code appeared unpolished. Calisto was discovered on VirusTotal, and it seems to have remained there undetected for two to three years until now.

The Proton RAT is a dangerous and powerful piece of malware, first released in late 2016, that uses genuine Apple code signing certificates to manipulate the system and gain root access on macOS devices. The malware is able to bypass all security measures in place, including iCloud’s two-factor authentication and System Integrity Protection, so that it can remotely monitor computer activity by logging keystrokes, displaying false pop-ups to collect information, taking screenshots, remotely viewing all activity on the screen, extracting data files of interest, and watching the user through his or her webcam. There seems to be a simple way to remove the malware once detected, but if it is found to have been active on the system (if the process “Activity_agent” appears in the Activity Monitor application on the device), users can be certain that it has stored all of their passwords and accessed any data saved in browsers or in the Mac’s own keychain. Users are therefore requested to change their passwords immediately, on a clean device, to avoid compromising their financial and online data.

What’s most interesting about the Proton RAT is that, according to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the malware’s creator advertised it as monitoring software for corporations, and even for parents to monitor their children’s digital activity at home. The software bore a price tag between USD $1,200 and USD $820,000, depending on the licensing and features granted to the user. These “monitoring” features, however, were illegal, and as hackers got their hands on the code, the program was distributed through many downloads under YouTube videos, compromised web portals, the HandBrake software (in which case HandBrake-1.0.7.dmg was replaced with an OSX.PROTON file), and the dark web.

Although users have nothing to fear from Calisto as long as SIP is enabled and working, researchers find the code’s ability to manipulate the system with authentic Apple credentials alarming, and fear what future malware may be able to do by employing the same mechanism. At this stage the Proton RAT is removable once detected. Working on the same fundamental certificate manipulation, however, the malware could soon latch itself onto systems as a permanent agent.

Aaron Michael