The malware will then execute a bash command to achieve the following:

- Zip the ~/Library/Keychains folder into the file ~/.calisto/

When executed, the malware pops up a window asking for the user’s credentials in order to gain root access.

It can also open a backdoor so that the attacker can connect to the system remotely, take screenshots and more.

It propagates as a fake “Intego Mac Internet Security”, as we can see from the differences shown in the pictures below (taken from the original report):
Calisto is a Trojan that steals sensitive data from the infected machine such as user passwords, Keychain data and Chrome.
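
The Keychain-archiving step described above can be turned into a process-log check on the defender's side. This is an added example, not code from the original report; the log line format, the `ARCHIVERS` watch list and the `ARCHIVE_PLACEHOLDER` file name are assumptions constructed for illustration.

```python
import re

# Indicators taken from the page: the hidden ~/.calisto directory and the
# archiving of ~/Library/Keychains. Everything else below is an assumption.
STAGING_DIR = re.compile(r"/\.calisto\b")
KEYCHAIN_DIR = re.compile(r"Library/Keychains\b")
ARCHIVERS = {"zip", "tar", "ditto", "cp", "rsync"}  # hypothetical watch list

# Constructed sample: "<timestamp> <pid> <user> <command line>"
SAMPLE_LOG = """\
2024-01-01T10:01:02Z 411 alice /bin/ls -la /Users/alice/Library/Keychains
2024-01-01T10:01:05Z 412 alice /bin/bash -c "zip -r ~/.calisto/ARCHIVE_PLACEHOLDER.zip ~/Library/Keychains"
2024-01-01T10:02:10Z 413 alice /usr/bin/zip -r /tmp/photos.zip /Users/alice/Pictures
2024-01-01T10:03:00Z 414 alice /bin/mkdir -p /Users/alice/.calisto
"""


def classify(cmdline):
    """Return the reasons a command line resembles the staging step."""
    reasons = []
    # Compare the basename of every token, so a tool wrapped in
    # `bash -c "..."` is still seen. A path that merely ends in "zip"
    # would also match; treat hits as leads to triage, not verdicts.
    names = {t.strip("\"';").rsplit("/", 1)[-1] for t in cmdline.split()}
    if KEYCHAIN_DIR.search(cmdline) and names & ARCHIVERS:
        reasons.append("keychain-folder-archived")
    if STAGING_DIR.search(cmdline):
        reasons.append("calisto-staging-dir")
    return reasons


def scan(log_text):
    """Return (pid, reasons) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # skip malformed lines
        _ts, pid, _user, cmdline = parts
        reasons = classify(cmdline)
        if reasons:
            hits.append((int(pid), reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_LOG):
        print(pid, ", ".join(reasons))
```

Listing the Keychains folder or zipping unrelated files is not flagged; only archiving the Keychains folder or touching the `.calisto` directory is.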