The New Cryptocurrency Heist: Realst macOS Malware

It has been found that an all-new malware, labeled “Realst,” is on a large-scale mission to target Apple devices. Astoundingly, the malware already supports macOS 14 Sonoma, which is yet to be released. A prominent security analyst, iamdeadlyz, initially made this discovery. The Realst macOS Malware, surreptitiously inserted into deceptive blockchain games, affects users on both Windows and macOS.

Masquerading Malware: The Trap Set by Fake Games

Deceptively named games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend are utilized by criminals. These games are circulated via social media, with potential victims receiving access codes through direct messages. This method also allows fraudsters to screen out those they wish to exploit, thereby avoiding security experts eager to expose their operation.

The so-called game installers deliver a potent punch of malware, like RedLine Stealer for Windows and Realst for macOS. This malware is designed to extract data from web browsers and cryptocurrency wallet apps on the victims’ computers. This data is then sent back to the criminals.

Realst MacOS Malware: A Deep Dive into its Unique Characteristics

SentinelOne revealed several unique features after analyzing 59 Mach-O samples of the Realst malware found by iamdeadlyz. The study revealed 16 versions of the macOS malware, indicative of an intense and rapid development cycle.

When an unsuspecting user tries to download the fraudulent game, the malware offered to them depends on their operating system. Windows users typically receive the RedLine Stealer, with other alternatives such as Raccoon Stealer and AsyncRAT. Mac users, however, are served the Realst malware disguised as PKG installers or DMG disk files containing harmful Mach-O files.

Security Bypass: How Realst Evades Detection

Interestingly, SentinelOne found that some malware samples are code-signed using Apple Developer IDs, which, while valid initially, are now revoked. Other samples use ad-hoc signatures. These tactics are employed to bypass detection from security tools.

Variants of Realst Malware: Four Families of Deception

Each of the 16 variants of Realst shares a common purpose and form, but they operate using different API call sets. They all target popular browsers and apps, like Firefox, Chrome, Opera, Brave, Vivaldi, and Telegram. However, none of the Realst samples were found to target Safari.

SentinelOne’s report discloses that the variants extract users’ passwords and check if the host device is not a virtual machine. The gathered data is stashed in a folder simply named “data.” The location of this folder varies depending on the version of the malware.

Based on their distinctive traits, these 16 variants are divided into four main families, A, B, C, and D.

Detailed Look into the Four Families

Family A, with the most samples in circulation, uses “AppleScript spoofing” to trick users into providing their admin password. Then Family B operates similarly but breaks down relevant strings into smaller units to evade detection. Family C possesses a reference to the chain breaker within the binary, allowing it to extract data from the system’s keychain database. Lastly, Family D uses the Terminal window to ask the victim to enter their password, enabling it to dump stored credentials from the Keychain.

The most alarming detail is that about 30% of the samples from families A, B, and D are being prepared to target the upcoming macOS 14 Sonoma. This anticipatory action implies that the culprits are preparing for Apple’s future OS release.

A Cautionary Note to macOS Users

macOS users are advised to approach blockchain games with caution. The actors behind Realst employ Discord channels and “verified” Twitter accounts to create a facade of legitimacy. Given that these games are specifically targeted at cryptocurrency users, the primary objective will likely be the theft of cryptocurrency wallets and their valuable content. Consequently, users are urged to stay vigilant to avoid such costly attacks.