Researchers from Kaspersky Lab have uncovered what appears to be an early developmental prototype of the Proton backdoor malware that typically infects macOS users who download fake security applications.
Dubbed Calisto, the malware was apparently created in 2016, yet only recently began turning up in VirusTotal detections, according to a Kaspersky Securelist blog post published last week.
Blog post authors and researchers Mikhail Kuzin and Sergey Zelensky report that the Calisto installation file Kaspersky analyzed was an unsigned DMG image that convincingly impersonates a solution from Mac security software vendor Intego. While the malware has seemingly never been leveraged in an attack, other versions of Proton that have been used in the wild similarly posed as security software.
After presenting a fake license agreement, the malicious file next requests a username and password in order to make system changes that ultimately benefit the attackers. But the installation never succeeds -- instead the fake app reports an error and directs the user to download a new installation package from the official Intego site. Once victims install the genuine version of the product, they likely shrug off the anomaly that just transpired.
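The installer described above was an unsigned disk image dressed up as a vendor product. The check a defender would want before opening any downloaded DMG is a signature verification, so the image is rejected if it carries no valid Developer ID signature. The following script is an added example written for this page, not code from Kaspersky, Malwarebytes or Intego; it relies on the macOS `codesign` tool and returns 2 when the check cannot be performed (missing file, or a non-macOS host).

```shell
#!/bin/sh
# Added example (not from the original article): refuse to open a macOS disk
# image whose code signature does not verify.
# Exit codes: 0 = signature verifies, 1 = unsigned or tampered, 2 = cannot check.

check_dmg_signature() {
    dmg="$1"
    [ -f "$dmg" ] || { echo "no such file: $dmg" >&2; return 2; }
    # codesign only exists on macOS; elsewhere we cannot decide, so say so.
    command -v codesign >/dev/null 2>&1 || {
        echo "codesign not available; run this on macOS" >&2
        return 2
    }
    # --deep checks nested code, --strict rejects resource tampering.
    if codesign --verify --deep --strict --verbose=2 "$dmg" 2>&1; then
        # Show who signed it so the user can compare against the expected vendor.
        codesign -dvv "$dmg" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
        return 0
    fi
    echo "REFUSING: $dmg is unsigned or its signature does not verify" >&2
    return 1
}

# Usage: ./check_dmg.sh path/to/download.dmg
if [ "$#" -ge 1 ]; then
    check_dmg_signature "$1"
fi
```

An unsigned image such as the one Kaspersky analyzed exits with 1 before anything is mounted; a signed image prints its signing authority and team identifier, which is what you compare with the vendor you expected to download from.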
In a separate company blog post this week, Malwarebytes Director of Mac and Mobile Thomas Reed highlights the fact that Calisto, like the rest of the Proton family, "leaves behind a file containing the user's password in clear text," which future attackers can easily find and use to their advantage.
Proton rose to prominence in 2017 when attackers carried out several supply chain attacks, replacing the genuine downloads of the DVD ripping tool HandBrake and of ElMedia Player with trojanized copies carrying the malware.