New macOS malware is after your data and your crypto - here's how to stay safe

Lewis Maddison
·2 min read
cryptocurrencies
cryptocurrencies

A new and wide-reaching malware campaign is attacking both Windows and Mac systems, including the still in-development macOS 14 Sonoma, with the intent of stealing web browser data and cryptocurrency wallets.

Dubbed Realst, the malware masquerades as fake blockchain games under various names, such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.

The campaign, which is being promoted across social media, appears to be using various workers to lure victims. For those who are tricked and want to download the fake game, one of the workers will direct message the victim to give them a code - ostensibly needed to download it, but is really used to track which worker caught the target.

Realst

For those on Windows devices, infamous malware such as RedLine, Racoon and AsyncRAT is deployed, and for those on Mac it is Realst. This is an infostealer that takes data from the user's web browser and and crypto wallet apps.

Researchers have so far discovered 16 variants of Realst, suggesting that development is very active and moving at speed. The malware is delivered in the form of PKG installers or DMG disk which contain malicious Mach-O files and no game or software files of any kind.

read more

> Apple is rolling out some urgent iPhone and Mac security patches, so update now


>Apple devices targeted by fake macOS PDF viewer that's just malware


>Malware on Macs: How real is the threat, and should we actually care?

Amongst the files installed are 'game.py', which actually steals data from the Firefox browser, and 'installer.py', which steals passwords from Apple's first-party password manager Keychain.

One researcher even found that some samples of the malware were signed using valid Apple Developer IDs to bypass detection from endpoint protection and other security software, although these signatures have now been revoked.

All variants appear to be quite similar, although each has differing API call sets. Interestingly, though, Apple's Safari appears to be one of the few browsers that is not targeted by Realst - Chrome, Firefox, Opera, Brave, and Vivaldi are all within the malware's sights. Even the infamous encrypted messaging service Telegram is a target.

Security firm SentinelOne has categorized the variants into 4 groups, with family A being the most popular and which uses AppleScript spoofing to trick victims into typing their system password into a dialog box.

It also found that 30% of the samples it analyzed from families A, B and D had elements that targeted macOS Sonoma, which is yet to get a full release.

"Collected data is dropped in a folder simply named "data" [which] may appear in one of several locations depending on the version of the malware: in the user's home folder, in the working directory of the malware, or in a folder named after the parent game," said its report.