S0274 Calisto
Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016.[1][2]
Item | Value |
---|---|
ID | S0274 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 17 October 2018 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1098 | Account Manipulation | Calisto adds permissions and remote logins to all users.[2] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | Calisto uses the zip -r command to compress the data collected on the local system.[1][2] |
enterprise | T1217 | Browser Information Discovery | Calisto collects information on bookmarks from Google Chrome.[1] |
enterprise | T1136 | Create Account | - |
enterprise | T1136.001 | Local Account | Calisto has the capability to add its own account to the victim's machine.[2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.001 | Launch Agent | Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.[1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.001 | Keychain | Calisto collects Keychain storage data and copies those passwords/tokens to a file.[1][2] |
enterprise | T1005 | Data from Local System | Calisto can collect data from user directories.[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Calisto uses a hidden directory named .calisto to store data from the victim's machine before exfiltration.[1][2] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | Calisto uses a hidden directory named .calisto to store data from the victim's machine before exfiltration.[1][2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Calisto has the capability to use rm -rf to remove folders and files from the victim's machine.[1] |
enterprise | T1105 | Ingress Tool Transfer | Calisto has the capability to upload and download files to the victim's machine.[2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.002 | GUI Input Capture | Calisto presents an input prompt asking for the user's login and password.[2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Calisto's installation file is an unsigned DMG image under the guise of Intego's security solution for Mac.[1] |
enterprise | T1016 | System Network Configuration Discovery | Calisto runs the ifconfig command to obtain the IP address from the victim's machine.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.001 | Launchctl | Calisto uses launchctl to enable screen sharing on the victim's machine.[1] |