In early July, security researcher iamdeadlyz reported on several fake blockchain games being used to infect both Windows and macOS targets with infostealers capable of emptying crypto wallets and stealing saved password and browsing data.
In the case of macOS, the infostealer turned out to be a new one written in Rust, called “Realst”. Building on an earlier analysis, SentinelLabs, SentinelOne’s research arm, identified and analyzed 59 malicious Mach-O samples of the new malware. It became apparent that some samples already target Apple’s upcoming operating system version, macOS 14 Sonoma.
Spread of the malware
Realst Infostealer is distributed using malicious websites promoting fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. The campaign appears to have ties to the earlier infostealer PearlLand. Each version of the fake blockchain game is hosted on its own website, complete with associated Twitter and Discord accounts. As reported by iamdeadlyz, threat actors have been observed targeting potential victims via direct messages on social media.
Detailed analysis of Realst variants
Behaviorally, the Realst samples look fairly similar across all variants and can be detected in a similar way to other macOS infostealers. Although they sometimes use different API calls and have some variant dependencies, from a telemetry perspective, the key to all these infostealers is access and exfiltration of browser data, crypto wallets, and keychain databases. Browsers targeted include Firefox, Chrome, Opera, Brave, and Vivaldi. Safari was not a target in any of the analyzed examples. Furthermore, it was found that the malware also targets the Telegram application.
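One way to hunt for the behaviour described above, as an added example that is not SentinelLabs' or this article's own code: it flags any process that reads several of the named data stores (browser profiles, Telegram, keychain) within a short window. The event tuple format, the process allowlist, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Per-user data stores for the targets the article names. Paths are the
# usual macOS locations (assumption: default installs, Telegram Desktop).
TARGETS = {
    "firefox": "/Library/Application Support/Firefox/",
    "chrome": "/Library/Application Support/Google/Chrome/",
    "opera": "/Library/Application Support/com.operasoftware.Opera/",
    "brave": "/Library/Application Support/BraveSoftware/Brave-Browser/",
    "vivaldi": "/Library/Application Support/Vivaldi/",
    "telegram": "/Library/Application Support/Telegram Desktop/",
    "keychain": "/Library/Keychains/",
}
# Assumed allowlist: process names expected to read each store.
OWNERS = {"firefox": {"firefox"}, "chrome": {"Google Chrome"},
          "keychain": {"securityd", "secd"}}

def classify(path):
    """Return the target store a path belongs to, or None."""
    return next((n for n, p in TARGETS.items() if p in path), None)

def hunt(events, window=60, min_stores=3):
    """Flag processes reading >= min_stores foreign stores within `window` seconds."""
    hits = defaultdict(list)  # (pid, process) -> [(timestamp, store)]
    for ts, pid, proc, path in sorted(events):
        store = classify(path)
        if store and proc not in OWNERS.get(store, set()):
            hits[(pid, proc)].append((ts, store))
    flagged = {}
    for key, seen in hits.items():
        for i, (start, _) in enumerate(seen):
            stores = {s for t, s in seen[i:] if t - start <= window}
            if len(stores) >= min_stores:
                flagged[key] = sorted(stores)
                break
    return flagged

EVENTS = [  # constructed sample telemetry: (epoch seconds, pid, process, path)
    (100, 301, "Google Chrome", "~/Library/Application Support/Google/Chrome/Default/Login Data"),
    (200, 412, "game_installer", "~/Library/Application Support/Google/Chrome/Default/Login Data"),
    (202, 412, "game_installer", "~/Library/Application Support/Firefox/Profiles/ab12.default/logins.json"),
    (205, 412, "game_installer", "~/Library/Keychains/login.keychain-db"),
    (207, 412, "game_installer", "~/Library/Application Support/Telegram Desktop/tdata/key_datas"),
    (300, 520, "backupd", "~/Library/Application Support/Google/Chrome/Default/History"),
    (5000, 520, "backupd", "~/Library/Application Support/Firefox/Profiles/ab12.default/places.sqlite"),
    (9000, 520, "backupd", "~/Library/Keychains/login.keychain-db"),
]

print(hunt(EVENTS))
```

The slow reader (`backupd` in the sample) touches three stores but never within one window, so only the burst of reads from the hypothetical `game_installer` process is flagged.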
SentinelLabs analysis identified 16 variants in 59 samples, which were grouped into four major families: A, B, C, and D. There are a number of overlaps that would allow the dividing lines to be drawn differently. The security researchers have settled on the following taxonomy, based on string artifacts, which is designed to help threat hunters better identify and detect the malware:
Realst variant family A
Of the 59 Mach-O samples analyzed, 26 fall into variant A. This variant has a number of subvariants, but they all share a common trait not found in variants B, C, and D: the inclusion of whole strings related to AppleScript spoofing. The Family A variants use AppleScript spoofing in a manner similar to that observed in previous macOS thefts.
Realst variant family B
The B family variants also exhibit static artifacts related to password spoofing, but these samples excel at breaking up the strings into smaller units to bypass simple static detection. It was found that 10 of the 59 samples fall into this category.
Realst variant family C
Family C also tries to hide the AppleScript spoofing strings by breaking the strings in the same way as variant B. However, variant C differs in that it introduces a reference to chainbreaker in the Mach-O binary itself. Seven of the 59 samples fell into this category.
Realst variant family D
In family D, which accounts for 16 of the samples, there are no static artifacts for osascript spoofing. Passwords are read out by a prompt in the terminal window using the “get_keys_with_access” function. Once the password is captured, it is immediately passed to sym.realst::utils::get_kc_keys, which then attempts to retrieve passwords from the keychain.
Effective protective measures for companies
All known variants of Realst macOS Infostealer are detected by the SentinelOne agent and prevented from running if the Prevent site policy is enabled. Apple’s malware blocking service “XProtect” does not appear to prevent this malware from running at the time of writing. Organizations not protected by SentinelOne can leverage the comprehensive list of indicators to aid in threat hunting and detection.
Current threat situation
Realst sample counts and variations indicate that the threat actor made serious efforts to target macOS users for data and cryptocurrency theft. Several fake game sites with Discord servers and associated Twitter accounts have been created to give the illusion of real products and entice users to try them. Once the victim launches these fake games and provides a password to the “installer,” their data, passwords, and crypto wallets are stolen. Given the current interest in blockchain games that promise users they can earn money while playing, users and security teams are urged to exercise extreme caution when prompted to download and run such games.