The Realst infostealer is distributed via fake blockchain games, a campaign that targets macOS users as well as Windows users.
In early July, security researcher iamdeadlyz reported on several fake blockchain games being used to infect both Windows and macOS targets with infostealers that can empty crypto wallets and steal saved passwords and browser data. On macOS, the infostealer turned out to be a new malware family written in Rust, called "realst". Building on that earlier analysis, SentinelLabs, the research division of SentinelOne, identified and analyzed 59 malicious Mach-O samples of the new malware. Some of the samples are already aimed at Apple's upcoming operating system release, macOS 14 Sonoma.
Distribution of malware
Realst is distributed through malicious websites promoting fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles and SaintLegend. The campaign appears to have ties to the earlier infostealer PearlLand. Each fake game is hosted on its own website, with associated Twitter and Discord accounts. As iamdeadlyz reports, the threat actors have been observed approaching potential victims via direct messages on social media.
Detailed analysis of the Realst variants
Behaviourally, the Realst samples look much alike across all variants and can be identified in the same way as other macOS infostealers. Although they sometimes use different API calls and their dependencies vary between samples, from a telemetry perspective the key for all of these infostealers is access to, and exfiltration of, browser data, crypto wallets and keychain databases. The browsers targeted are Firefox, Chrome, Opera, Brave and Vivaldi; Safari was not targeted in any of the samples analyzed. The malware also targets the Telegram application.
SentinelLabs' analysis identified 16 variants among the 59 samples, grouped into four main families: A, B, C and D. There is some overlap between them, and the dividing lines could be drawn differently. The researchers chose the following taxonomy, based on string artifacts, to help threat hunters identify and detect the samples:
Realst variant family A
Of the 59 Mach-O samples analyzed, 26 fall into family A. This family has a number of sub-variants, but they all share a feature not found in families B, C and D: the presence of the complete strings used for AppleScript password-prompt spoofing. Family A uses this spoofing in the same way as earlier macOS infostealers, presenting the victim with a fake password dialog via osascript.
Realst variant family B
Family B also carries static artifacts of the password-prompt spoofing, but these samples are notable for breaking the strings into smaller pieces to evade simple static detection. 10 of the 59 samples fall into this family.
Realst variant family C
Family C also tries to hide the AppleScript spoofing strings by splitting them in the same way as family B, but differs in that it introduces a reference to chainbreaker, the open-source keychain-dumping tool, in the Mach-O binary itself. 7 of the 59 samples fall into this family.
Realst variant family D
Family D, which accounts for 16 samples, contains no static artifacts for osascript spoofing. Instead, the password is requested through a command-line prompt in the Terminal window by the get_keys_with_access function. Once the password is captured, it is passed straight to sym.realst::utils::get_kc_keys, which then attempts to read passwords from the keychain.
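As an added example (not code from the SentinelLabs analysis or from the malware), the following Python script shows how the string-artifact taxonomy above can be turned into a simple triage classifier over the printable strings of Mach-O files. The page names only the symbols get_keys_with_access, realst::utils::get_kc_keys and chainbreaker; the osascript prompt wording, the way it is fragmented, and the sample byte blobs are all constructed assumptions for illustration.

```python
import re

# Added example: classify Mach-O files into the four Realst families described
# above using only static string artifacts. The "binaries" at the bottom are
# constructed stand-ins, not real Realst samples.

# 32/64-bit Mach-O and fat (universal) binary magic values as they appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}

# Family A carries the complete osascript password-prompt phrase. The exact
# wording is an assumption; 'display dialog ... with hidden answer' is the usual
# AppleScript idiom for a hidden-input password dialog.
WHOLE_PROMPT = re.compile(rb"display dialog.{0,160}?with hidden answer", re.S)

# Families B and C split that phrase into pieces concatenated at run time.
# The fragment boundaries used here are assumed for illustration.
PROMPT_FRAGMENTS = (b"display", b"dialog", b"hidden", b"answer")

# Symbols named in the analysis: the chainbreaker reference distinguishes
# family C, and the keychain helpers are what family D relies on instead.
CHAINBREAKER = b"chainbreaker"
KEYCHAIN_SYMBOLS = (b"get_keys_with_access", b"realst::utils::get_kc_keys")


def extract_strings(blob, min_len=4):
    """Rough equivalent of `strings -n 4`: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def prompt_is_fragmented(strs):
    """True when every prompt fragment occurs as a string of its own."""
    bare = {s.strip() for s in strs}
    return all(frag in bare for frag in PROMPT_FRAGMENTS)


def classify(blob):
    """Return 'A', 'B', 'C', 'D', 'unclassified' or 'not Mach-O'."""
    if blob[:4] not in MACHO_MAGICS:
        return "not Mach-O"
    strs = extract_strings(blob)
    joined = b"\n".join(strs)
    if WHOLE_PROMPT.search(joined):           # whole spoofing strings present
        return "A"
    if prompt_is_fragmented(strs):            # split strings: B, or C with chainbreaker
        return "C" if CHAINBREAKER in joined else "B"
    if any(sym in joined for sym in KEYCHAIN_SYMBOLS):   # no osascript artifacts
        return "D"
    return "unclassified"


# Constructed stand-ins: a 64-bit Mach-O magic followed by NUL-separated strings.
_MAGIC64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 12
SAMPLES = {
    "family_a.bin": _MAGIC64
        + b"osascript -e 'display dialog \"macOS needs your password\" "
          b"default answer \"\" with hidden answer'\x00"
        + b"realst::utils::get_kc_keys\x00",
    "family_b.bin": _MAGIC64
        + b"display\x00dialog\x00with \x00hidden\x00answer\x00"
        + b"realst::utils::get_kc_keys\x00",
    "family_c.bin": _MAGIC64
        + b"display\x00dialog\x00with \x00hidden\x00answer\x00"
        + b"chainbreaker\x00realst::utils::get_kc_keys\x00",
    "family_d.bin": _MAGIC64
        + b"Enter password: \x00get_keys_with_access\x00"
        + b"realst::utils::get_kc_keys\x00",
}


def classify_all(samples=SAMPLES):
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, family in classify_all().items():
        print(f"{name}: family {family}")
```

Real samples would be read from disk (fat binaries walked slice by slice), and a classifier like this is only a triage aid: the families overlap, and a packer or finer string splitting would defeat the fragment check, which is exactly why the analysis above treats the taxonomy as one of several ways to draw the lines.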
Effective protective measures for companies
All known variants of the Realst macOS infostealer are detected by the SentinelOne agent and, if the site policy is set to "Prevent", are blocked from running. At the time of writing, Apple's built-in malware blocking service XProtect does not appear to prevent this malware from running. Organizations not protected by SentinelOne can use the comprehensive list of indicators published by SentinelLabs to support threat hunting and detection.
Current threat situation
The number and variety of Realst samples show that the threat actor has invested serious effort in targeting macOS users for data and cryptocurrency theft. Several fake gaming sites, with Discord servers and associated Twitter accounts, have been created to give the illusion of real products and entice users to try them. Once a victim launches one of these fake games and provides a password to the "installer", their data, passwords and crypto wallets are stolen. Given the current interest in blockchain games that promise users money for playing, users and security teams are urged to treat requests to download and run such games with extreme caution.
More at SentinelOne.com
About SentinelOne
SentinelOne provides autonomous endpoint protection through a single agent that successfully prevents, detects, and responds to attacks across all major vectors. Designed to be extremely easy to use, the Singularity platform saves customers time by using AI to automatically remediate threats in real-time for both on-premises and cloud environments.