– Copy itself to “/System/Library/CoreServices/launchb.app” – Enable remote login to the system / Activate Apple Remote Desktop – Modify TCC.db to make malware application bundle as “Assistive Access”, means the malware will have accessibility rights without the need for password – Save user name and password into ~/.calisto/cred.dat – Save computer IP address into ~/.calisto/network.dat The malware then will execute a bash command to achieve the following:- Zip ~/Library/Keychains folder into the file ~/.calisto/KC.zip When executed, the malware will pop a window asking for the user’s credentials, to gain root access: Iit can also open a backdoor so the attacker will be able to connect to the system remotely, take screenshots and more.It propagates as fake “Intego Mac Internet Security” as we can see from the differences shown in the pictures below (taken from original report): Calisto is a Trojan that steals sensitive data from the infected machine such as user passwords, Keychain data and Chrome.
