Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. [1] [2]

ID: S0274
Contributors: Cody Thomas, SpecterOps

Platforms: macOS

Version: 1.0

Techniques Used

EnterpriseT1098Account ManipulationCalisto adds permissions and remote logins to all users.[2]
EnterpriseT1217Browser Bookmark DiscoveryCalisto collects information on bookmarks from Google Chrome.[1]
EnterpriseT1043Commonly Used PortCalisto attempted to contact the C2 server over TCP using port 80.[1]
EnterpriseT1136Create AccountCalisto has the capability to add its own account to the victim's machine.[2]
EnterpriseT1002Data CompressedCalisto uses the zip -r command to compress the data collected on the local system.[1][2]
EnterpriseT1005Data from Local SystemCalisto can collect data from user directories.[1]
EnterpriseT1074Data StagedCalisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[1][2]
EnterpriseT1107File DeletionCalisto has the capability to use rm -rf to remove folders and files from the victim's machine.[1]
EnterpriseT1158Hidden Files and DirectoriesCalisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[1][2]
EnterpriseT1141Input PromptCalisto presents an input prompt asking for the user's login and password.[2]
EnterpriseT1142KeychainCalisto collects Keychain storage data and copies those passwords/tokens to a file.[1][2]
EnterpriseT1159Launch AgentCalisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.[1]
EnterpriseT1152LaunchctlCalisto uses launchctl to enable screen sharing on the victim’s machine.[1]
EnterpriseT1036MasqueradingCalisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.[1]
EnterpriseT1105Remote File CopyCalisto has the capability to upload and download files to the victim's machine.[2]
EnterpriseT1016System Network Configuration DiscoveryCalisto runs the ifconfig command to obtain the IP address from the victim’s machine.[1]