In this week’s report, we are covering two very malicious programs. Security researchers at Kaspersky Labs have discovered Calisto malware, which appears to be a precursor of the Proton macOS malware. Researchers found that Calisto was uploaded to VirusTotal in 2016 but remained unnoticed until May 2018. This macOS malware is a backdoor that poses as Intego’s Mac Internet Security and asks for the user’s login and password upon installation. It enables the attacker to remotely access the system: it turns on remote login and screen sharing, configures remote login permissions, and enables the hidden “root” account in macOS with a designated password. The second interesting piece of code is a decrypter for Magniber ransomware that has recently been released. South Korean cybersecurity firm AhnLab created decrypters for some versions of the Magniber ransomware. Magniber, which targets only South Korean end users, was deployed by the Magnitude Exploit Kit as early as October 2017 through malvertisements. Since malvertising is a constant threat on the internet, it is possible to see this spread to other financial institutions.
Malware: Calisto Malware
Interestingly, researchers found that macOS systems with System Integrity Protection (SIP) enabled are protected from the full damage of Calisto even when the malware runs with root permissions. Researchers say that Calisto was created before Apple released the SIP security feature. Researchers still have no information at this time on how the malware propagates. Mac users should be safe from this malware as long as they keep SIP enabled, update the OS to the current version, download software only from trusted sources, and use credible antivirus software.
Some Mitigation Strategies:
- File Integrity Management (FIM) to monitor for the creation of files related to the RAT
- Intrusion detection systems (IDS) would detect C2 communication used to fetch additional payloads
- Web filtering would detect the use of malicious URLs or unknown sites
- 24x7 Security Monitoring for malicious behavior and immediate incident response
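As an added example (not code from the report, from Kaspersky, or from Intego), the shell script below audits the settings the Calisto write-up says the backdoor changes: SIP status, Remote Login, and accounts with UID 0 besides root. It assumes the standard output formats of `csrutil status`, `systemsetup -getremotelogin`, and `dscl . -list /Users UniqueID`; every check parses command output passed as a string, so the logic runs offline against the constructed samples embedded below, and `run_live_audit` wires the same checks to the real commands on a Mac. The sample outputs and the `hiddenadmin` account name are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the report or from Kaspersky/Intego): a defender-side
# audit of the macOS settings the Calisto write-up says the backdoor changes
# (SIP, Remote Login, and extra UID 0 "root"-like accounts).
# Each check parses command output passed as a string, so the logic can be
# exercised offline against the constructed samples below; run_live_audit
# wires the same checks to the real commands on a Mac.

# Returns 0 when "csrutil status" output reports SIP enabled.
sip_enabled() {
  case "$1" in
    *"System Integrity Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when "systemsetup -getremotelogin" output reports Remote Login on.
remote_login_on() {
  case "$1" in
    *"Remote Login: On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints every account with UID 0 other than root, one per line.
# Input is the output of "dscl . -list /Users UniqueID" (name and uid per line).
extra_uid0_accounts() {
  printf '%s\n' "$1" | awk '$2 == 0 && $1 != "root" { print $1 }'
}

# Runs all checks over the three captured outputs, prints one "FINDING:" line
# per problem and a final "total findings: N" line.
calisto_audit() {
  n=0
  if ! sip_enabled "$1"; then
    echo "FINDING: System Integrity Protection is disabled"
    n=$((n + 1))
  fi
  if remote_login_on "$2"; then
    echo "FINDING: Remote Login (SSH) is enabled"
    n=$((n + 1))
  fi
  for u in $(extra_uid0_accounts "$3"); do
    echo "FINDING: extra UID 0 account: $u"
    n=$((n + 1))
  done
  echo "total findings: $n"
}

# Constructed sample outputs (not captured from a real infection).
SAMPLE_SIP_OFF="System Integrity Protection status: disabled."
SAMPLE_SIP_ON="System Integrity Protection status: enabled."
SAMPLE_RL_ON="Remote Login: On"
SAMPLE_RL_OFF="Remote Login: Off"
SAMPLE_USERS_CLEAN="root 0
_mbsetupuser 248
alice 501"
SAMPLE_USERS_BAD="root 0
hiddenadmin 0
alice 501"

# On a real Mac: collect the live outputs and audit them. systemsetup and
# dscl need root to see everything, so run this with sudo.
run_live_audit() {
  [ "$(uname)" = "Darwin" ] || { echo "run_live_audit: macOS only" >&2; return 2; }
  calisto_audit "$(csrutil status)" "$(systemsetup -getremotelogin)" \
                "$(dscl . -list /Users UniqueID)"
}

if [ "${1:-}" = "--live" ]; then
  run_live_audit
else
  # Offline demonstration against the constructed samples.
  calisto_audit "$SAMPLE_SIP_OFF" "$SAMPLE_RL_ON" "$SAMPLE_USERS_BAD"
fi
```

Run it with no arguments to see the three findings the constructed samples produce, or `sudo sh calisto_audit.sh --live` on a Mac to audit the real system. The UID 0 check goes slightly beyond the write-up, which describes the built-in root account being enabled rather than a new account being created; whether the built-in root account itself has been enabled is a separate manual check (for example, inspecting `dscl . -read /Users/root AuthenticationAuthority`) that this script does not automate.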
Malware: Magniber Ransomware
Magnitude exploits a memory corruption vulnerability (CVE-2016-0189) in Internet Explorer. The ransomware is one of the few country- or language-specific ransomware families that have been created. As of March 30, affected users can download the decrypter from AhnLab’s website, which its creators state is updated daily.
Some Mitigation Strategies:
- File Integrity Management (FIM) to monitor for the creation of files related to ransomware
- Intrusion detection systems (IDS) to monitor for malicious communication to C2s
- Solid Backup strategy to restore from when machine is infected and encrypted
- 24x7 Security Monitoring for malicious behavior and immediate incident response