Thursday, February 22, 2024

Rust Infostealer Malware Attacks macOS Sonoma Ahead of Public Release

Based on recent reports, it was discovered that there has been info stealer malware that affects both Windows and macOS platforms. The malware can steal crypto wallets, passwords, and browser data.

This new variant of malware is found to be written in Rust programming language, which was named “realst.”

The analysis stated that this malware is capable of targeting Apple’s upcoming macOS versionSonoma.”

Realst Distribution

The initial distribution of this malware involves fake advertising of blockchain games like Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, etc.

Every blockchain game version was hosted on its own website along with the Twitter and Discord accounts.

Blockchain game and its Twitter account (Source: SentinelOne)

Malicious Installers of Realst

The .pkg installer in some of the distributed malware consisted of a malicious Mach-O and related scripts, including,, and uninstall. sh. The is a cross-platform Firefox infostealer.

The is a copy of the chain breaker project that is capable of extracting passwords, keys, and certificates from the macOS keychain database. The uninstall. sh did not have any malicious behavior.

Contents of Evolion.pkg installer (Source: SentinelOne)

Static Analysis & Dynamic Analysis

These malware are similar to the other cross-variant malware and are easily detectable. In some cases, this malware uses different API calls and some dependencies.

However, all of these malware have the same goal of exfiltrating the browser data, crypto wallets, and keychain databases.

Static analysis showed that some variants make an attempt to grab the user’s password through osascript and AppleScript Spoofing.

Researchers have analyzed over 16 variants of this malware across 59 samples and have divided them into four families as A, B, C and D.

Variant Family A – Uses AppleScript Spoofing to steal user’s admin password in clear text.

Variant Family B – These samples break up the strings to evade static detection.

Variant Family C – Attempts to hide strings for AppleScript spoofing and have references to chain breaker

Variant Family D – No static artifacts for osascript spoofing, and password scraping is handled by the Terminal window via the get_keys_with_access function, which is passed immediately to sym.realst::utils::get_kc_keys for attempting to dump passwords from keychains.

SentinelOne has published a complete report including IOCs about these malware variants and their methods.

Users are recommended to be vigilant towards these blockchain games and verify each game’s legitimacy before downloading them.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.


Latest articles

Beware of New AsukaStealer Steal Browser Passwords & Desktop Screens

An updated version of the ObserverStealer known as AsukaStealer was observed to be advertised as...

US to Pay $15M for Info About Lockbit Ransomware Operator Data

In a significant move against cybercrime, the U.S. government has announced a bounty of...

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles