Realst Mac Malware
A new Mac malware named Realst has emerged as part of a massive attack campaign specifically targeting Apple computers. What's even more concerning is that some of its latest versions have been adapted to exploit macOS 14 Sonoma, an operating system still in the developmental stage.
The distribution of this malware is not limited to macOS users, as it also targets Windows devices. The attackers are cunningly disguising the malware as fake blockchain games, giving them names like Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles and SaintLegend.
To lure victims into downloading the malware, these fake games are heavily promoted on social media. The threat actors use direct messages to share the access codes required to download the fake game client from the associated websites. By gating downloads behind these access codes, the attackers can carefully select their targets and avoid detection by security researchers attempting to uncover their malicious activities.
The supposed game installers infect victims' devices with information-collecting malware. The threats specialize in collecting sensitive data from the victim's Web browsers and cryptocurrency wallet applications, sending the collected information directly to the threat actors.
The researchers primarily focused on the macOS versions of the Realst malware and discovered at least 16 variants with notable differences between them, indicating an ongoing and fast-paced development process.
Attack Chain of the Realst macOS Stealer Threat
When users download the fake game from the threat actor's website, they will encounter different malware based on their operating system – either Windows or macOS. For Windows users, the common malware being distributed is RedLine Stealer. However, at times, other malware variants like Raccoon Stealer and AsyncRAT also might be involved.
On the other hand, Mac users will be infected with the Realst info-stealing malware, which is disguised as PKG installers or DMG disk images. These files claim to contain game content but, in reality, only house malicious Mach-O files with no actual games or legitimate software.
Among the malicious components, the 'game.py' file serves as a cross-platform Firefox infostealer, while 'installer.py' is labeled 'chainbreaker' and is designed to extract passwords, keys, and certificates from the macOS keychain database.
To evade detection by security tools, some samples were codesigned using previously valid (but now revoked) Apple Developer IDs or ad-hoc signatures. This tactic allows the malware to slip past security measures and remain hidden.
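The signing detail above is something a defender can check before trusting a download. The following POSIX sh triage helper is an added example, not code from the original article or from any vendor: it classifies codesign(1) output as unsigned, ad-hoc, or Developer ID signed, and (on macOS) flags a revoked signing certificate. The function names, the sample codesign outputs, and the team and bundle identifiers in them are constructed for this example.

```sh
#!/bin/sh
# Triage helper: classify how a downloaded Mac binary is signed, using the
# output of codesign(1). Ad-hoc signatures and revoked Developer IDs are the
# two cases described for Realst samples; neither carries a trustworthy identity.
# Reads "codesign -dvv" text on stdin and prints one word:
#   unsigned | adhoc | developer-id | other-signer
classify_signature() {
  out=$(cat)
  case "$out" in
    *"not signed at all"*)                  echo unsigned ;;
    *"Signature=adhoc"*)                    echo adhoc ;;
    *"Authority=Developer ID Application"*) echo developer-id ;;
    *)                                      echo other-signer ;;
  esac
}

# Verify a real path on macOS: "codesign --verify" reports
# CSSMERR_TP_CERT_REVOKED when the signing certificate has been revoked.
# (For .pkg installers use "pkgutil --check-signature" instead; codesign
# only describes Mach-O binaries and app bundles.)
assess_path() {
  verdict=$(codesign -dvv "$1" 2>&1 | classify_signature)
  if codesign --verify --deep --strict "$1" 2>&1 | grep -q CSSMERR_TP_CERT_REVOKED; then
    verdict="$verdict (certificate revoked)"
  fi
  echo "$1: $verdict"
}

# Constructed sample codesign output, written for this example (not captured
# from any Realst sample), so the classifier can be exercised on any platform.
SAMPLE_ADHOC='Executable=/tmp/Game.app/Contents/MacOS/Game
Identifier=Game
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=600 flags=0x2(adhoc) hashes=12+2 location=embedded
Signature=adhoc
TeamIdentifier=not set'
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=900 flags=0x10000(runtime) hashes=20+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLETEAM'
SAMPLE_UNSIGNED='/tmp/unsigned: code object is not signed at all'
```

On a Mac, source the file and call assess_path on the binary inside the downloaded app bundle; anything other than a developer-id verdict without a revocation note is a reason not to run it.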
Numerous Realst Malware Versions Uncovered in Attacks
So far, 16 distinct variants of Realst have been identified. Although they share significant similarities in structure and function, the variants employ different sets of API calls. Regardless, the malware specifically targets browsers like Firefox, Chrome, Opera, Brave, Vivaldi, and the Telegram app. None of the analyzed Realst samples appear to target Safari.
Most of these variants attempt to obtain the user's password by using osascript and AppleScript spoofing techniques. Additionally, they perform a basic check that the host device is not a virtual machine by running the sysctl -n hw.model command. The collected data is then stored in a folder named 'data,' which can be found in various locations depending on the malware version: either in the user's home folder, the malware's working directory, or a folder named after the parent game.
Researchers have categorized these 16 distinct variants into four main families: A, B, C, and D, based on their distinguishing traits. Approximately 30% of the samples from families A, B, and D contain strings that target the upcoming macOS 14 Sonoma. This indicates that the malware authors are already preparing for Apple's forthcoming desktop OS release, ensuring Realst's compatibility and optimal functioning.
Given this threat, macOS users are advised to exercise caution with blockchain games, as the distributors of Realst exploit Discord channels and 'verified' Twitter accounts to create a deceptive illusion of legitimacy. Being vigilant and verifying the sources of game downloads can help protect against such malware.