Mac and PC users need to stay vigilant as a new malware called “Realst” is doing rounds in the crypto circles.
Cybercriminals are implementing information-stealing malware targeting both Windows and macOS users into fake blockchain games, which when installed can compromise their devices and steal valuable data like usernames, passwords, credit card information, and crypto-wallets.
Info Stealing Malware Realst Targets Mac-Based Crypto Users
Earlier this month, internet sleuth “iamdeadlyz” discovered Realst while conducting a routine security check. They found that Realst was written in Rust – an up-and-coming programming language used to create blockchain programs – and was being spread to Windows and macOS-based crypto gamers through fake game titles.
The so-called “games” are WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, Brawl Earth, and SaintLegend. Threat actors set up verified Twitter accounts and Discord channels to promote the titles through malicious websites, creating a false sense of legitimacy. Unfortunately, victims get tricked into downloading the malware and installing it on their computers.
The hackers contact victims via direct messages on social media, where they share access codes required to download the fake game from the authentic-looking website.
The access codes, issued separately for Mac or Windows, keep the download out of the hands of security researchers looking for malicious behavior while letting the threat actors hit their intended targets directly.
Once a victim installs the game, it infects their devices with info-stealing malware like RedLine Stealer on PC and Realst on Mac. The malware then proceeds to steal data contained in the victim’s web browsers and cryptocurrency wallets and send the information back to the hackers.
The Malware Looks To Be Supported On Upcoming macOS Sonoma
Cybersecurity firm SentinelOne conducted an in-depth analysis of the malware to discover that it is targeting macOS computers running 10.2 and above. Interestingly, the brains behind Realst also have their eyes set on the latest macOS 14 Sonoma, which is expected to be released in September.
SentinelOne analysts verified 59 macOS samples of Realst shared by iamdeadlyz to find 16 variants of the malware. The cloud security firm also discovered strings in Realst’s line of code that mentioned macOS Sonoma several times, indicating that the threat actors plan to stay until the latest version of the macOS is released.
SentinelOne says all 16 versions of the malware utilize different API call sets but are similar in form and function.
Confirming data shared by iamdeadlyz, the cybersecurity firm said Realst aims for browsers such as Firefox, Chrome, Opera, Brave, Vivaldi, and the instant-messaging app Telegram. However, none of the analyzed samples were shown to target Apple’s default browser – Safari.
How Does It Attack?
The malicious websites download Realst onto Mac computers as PKG installers or DMG disk images that contain no game, only info-stealing components such as “game.py” – a cross-platform Firefox info stealer – and “installer.py” – an open-source Chainbreaker that extracts passwords, wallet keys, and certificates stored in the Mac Keychain.
SentinelOne found that some Realst samples were designed using valid Apple Developer IDs, which allowed them to bypass detection from Apple’s security tools. The IDs have since been revoked.
SentinelOne categorized the 16 variants into four main families on the basis of their distinct traits – A, B, C, and D.
Family A, which was found in a majority of the samples, uses AppleScript to trick targets into typing their admin password into a dialog box. Family B uses password spoofing similar to A’s but goes one step further by dividing the relevant strings into smaller units to evade detection.
Family C carries Chainbreaker code that extracts data from the system’s keychain database, and Family D uses the Mac’s Terminal window to prompt the victim for their password, which is then used to access credentials stored in the Keychain.
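The four behaviours above map onto telemetry a defender can watch for. The following is an added example, not code from SentinelOne or iamdeadlyz: it runs simple rules over constructed process-execution records (the record shape, process names, paths and sample command lines are all assumptions) and flags an AppleScript dialog collecting a hidden password (A), the same dialog with its strings split and concatenated with `&` (B, on the assumption that the fragments reach osascript as string concatenation), a non-system process opening the login keychain (C), and a Terminal shell that prompts for a password and then dumps the keychain (D).

```python
import re

# Constructed telemetry: one dict per process event, in the shape a
# hypothetical endpoint agent might export. Names and paths are invented.
SAMPLE_EVENTS = [
    {"pid": 101, "proc": "osascript", "parent": "installer", "files": [],
     "cmd": 'osascript -e \'display dialog "macOS needs your password to continue" '
            'default answer "" with hidden answer\''},
    # Same dialog, with the telltale text split into fragments joined by "&".
    {"pid": 102, "proc": "osascript", "parent": "Pearl", "files": [],
     "cmd": 'osascript -e \'display dialog "macOS needs your pass" & "word to continue" '
            'default answer "" with hidden answer\''},
    # A script (not a system component) reading the login keychain database.
    {"pid": 103, "proc": "python3", "parent": "installer",
     "cmd": "python3 /tmp/installer.py",
     "files": ["/Users/alice/Library/Keychains/login.keychain-db"]},
    # Terminal-driven prompt followed by a keychain dump.
    {"pid": 104, "proc": "bash", "parent": "Terminal", "files": [],
     "cmd": "read -s -p 'Password: ' pw; security dump-keychain -d "
            "~/Library/Keychains/login.keychain-db"},
    # Benign: the system keychain daemon touching the same file.
    {"pid": 105, "proc": "securityd", "parent": "launchd",
     "cmd": "/usr/sbin/securityd -i",
     "files": ["/Users/alice/Library/Keychains/login.keychain-db"]},
    # Benign: an AppleScript dialog that collects no secret.
    {"pid": 106, "proc": "osascript", "parent": "Script Editor", "files": [],
     "cmd": 'osascript -e \'display dialog "Backup finished" buttons {"OK"}\''},
]

# Processes expected to open the login keychain; everything else is suspect.
KEYCHAIN_ALLOWLIST = {"securityd", "security", "Keychain Access", "trustd"}

# AppleScript string concatenation: "foo" & "bar" is joined to "foobar".
CONCAT_RE = re.compile(r'"\s*&\s*"')
HIDDEN_ANSWER_RE = re.compile(r'display dialog .*default answer\s*"".*with hidden answer', re.S)
PASSWORD_WORD_RE = re.compile(r'pass\s*word|passphrase', re.I)
KEYCHAIN_DUMP_RE = re.compile(r'security\s+(dump-keychain|find-(generic|internet)-password)')
SILENT_READ_RE = re.compile(r'\bread\s+-s\b')


def normalise_applescript(cmd):
    """Join split string literals so fragmented text matches the same rule."""
    return CONCAT_RE.sub("", cmd)


def classify(event):
    """Return a list of (family, reason) hits for one event; empty if benign."""
    hits = []
    proc, cmd = event["proc"], event["cmd"]
    if proc == "osascript":
        joined = normalise_applescript(cmd)
        if HIDDEN_ANSWER_RE.search(joined) and PASSWORD_WORD_RE.search(joined):
            # Fragmented strings that only match after joining point at family B.
            family = "B" if CONCAT_RE.search(cmd) else "A"
            hits.append((family, "AppleScript dialog collecting a hidden password"))
    if proc not in KEYCHAIN_ALLOWLIST:
        for path in event.get("files", []):
            if path.endswith("login.keychain-db"):
                hits.append(("C", f"{proc} opened {path}"))
    if (event.get("parent") == "Terminal" and SILENT_READ_RE.search(cmd)
            and KEYCHAIN_DUMP_RE.search(cmd)):
        hits.append(("D", "Terminal shell prompting for a password, then reading the keychain"))
    return hits


def scan(events):
    """Run every rule over every event and return the flagged ones."""
    findings = []
    for ev in events:
        for family, reason in classify(ev):
            findings.append({"pid": ev["pid"], "family": family, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: family {f['family']} - {f['reason']}")
```

The rules are deliberately narrow: a password dialog is only flagged when it both hides the answer and mentions a password, and keychain access is only flagged outside a small allowlist, so the two benign records are left alone. Real deployments would tune the allowlist and the process-tree condition for family D to the telemetry source in use.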
Crypto Wallets Seem To Be The Main Target
Most notably, Realst is able to empty crypto wallets, which has put security analysts on a red alert. One Twitter user who installed Brawl Earth – one of the fraudulent blockchain games created by the threat actors – found that their Ether wallet was drained 10 minutes after downloading the game from the malicious website.
What Are The Precautions To Be Taken?
Mac users have been advised to take the necessary precautions while downloading files from unverified sources. Although Apple pre-installs security services on its computers to protect customers from cyber-attacks, oftentimes these aren’t enough.
SentinelOne has advised Mac users involved with cryptocurrencies to be cautious when it comes to downloading blockchain games.
- Do their due diligence before installing any program from outside Apple’s App Store.
- Protect their devices with strong passwords and two-step authentication.
- Take extra care when granting permissions on the Mac and, if possible, read through the terms and conditions.
- Always keep devices and applications up to date.
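Part of the due diligence for an installer obtained outside the App Store, which also bears on the revoked Developer IDs mentioned earlier, is checking what Gatekeeper and the package signature say before running it. The script below is an added example, not code from SentinelOne or the article’s author. It wraps two Apple tools that exist on every Mac, `spctl --assess --type install -vv` and `pkgutil --check-signature`, for a `.pkg` file, and keeps the output parsing separate from the tool invocation so the decision logic can be checked anywhere; the sample outputs, the package name and the team identifier are constructed.

```python
import platform
import subprocess

# Constructed sample outputs in the shape the two tools print; the package
# name and team ID are invented for the example.
SAMPLE_SPCTL_OK = "WildWorld.pkg: accepted\nsource=Notarized Developer ID\n"
SAMPLE_SPCTL_BAD = "WildWorld.pkg: rejected\nsource=no usable signature\n"
SAMPLE_PKGUTIL_OK = ('Package "WildWorld.pkg":\n'
                     '   Status: signed by a certificate trusted by macOS\n'
                     '   Certificate Chain:\n'
                     '    1. Developer ID Installer: Example Corp (TEAMID0000)\n')
SAMPLE_PKGUTIL_BAD = 'Package "WildWorld.pkg":\n   Status: no signature\n'

TRUSTED_STATUS = "signed by a certificate trusted by macOS"


def parse_spctl(output):
    """Turn spctl -vv output into (verdict, source)."""
    verdict, source = "unknown", "unknown"
    for line in output.splitlines():
        line = line.strip()
        if ": accepted" in line:
            verdict = "accepted"
        elif ": rejected" in line:
            verdict = "rejected"
        elif line.startswith("source="):
            source = line[len("source="):]
    return verdict, source


def parse_pkgutil(output):
    """Return the Status line from pkgutil --check-signature, or 'unknown'."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            return line[len("Status:"):].strip()
    return "unknown"


def decide(verdict, source, status):
    """Install only when Gatekeeper accepts a notarised Developer ID package
    and the package signature chains to a certificate macOS trusts.
    Anything else, including a once-valid but now-revoked ID, is a stop."""
    return (verdict == "accepted"
            and "Notarized" in source
            and status == TRUSTED_STATUS)


def run(cmd):
    """Run a command and return stdout and stderr together (spctl writes
    its verdict to stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_installer(path):
    """Assess a .pkg on macOS; returns (ok, verdict, source, status)."""
    if platform.system() != "Darwin":
        raise RuntimeError("spctl and pkgutil only exist on macOS")
    verdict, source = parse_spctl(run(["spctl", "--assess", "--type", "install", "-vv", path]))
    status = parse_pkgutil(run(["pkgutil", "--check-signature", path]))
    return decide(verdict, source, status), verdict, source, status


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        ok, verdict, source, status = check_installer(sys.argv[1])
        print(f"{'OK to install' if ok else 'DO NOT INSTALL'}: "
              f"gatekeeper={verdict} ({source}); signature={status}")
```

The verdict is only as good as Apple’s current trust state: an installer signed with a Developer ID that Apple has since revoked fails this check today, but the same file passed while the ID was still valid, which is exactly the window the article describes. A passing result therefore lowers risk without proving the package is safe; the other precautions still apply.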