Based on recent reports, it was discovered that there has been info stealer malware that affects both Windows and macOS platforms. The malware can steal crypto wallets, passwords, and browser data.
This new variant of malware is found to be written in Rust programming language, which was named “realst.”
The analysis stated that this malware is capable of targeting Apple’s upcoming macOS version “Sonoma.”
The initial distribution of this malware involves fake advertising of blockchain games like Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, etc.
Every blockchain game version was hosted on its own website along with the Twitter and Discord accounts.
Malicious Installers of Realst
The .pkg installer in some of the distributed malware consisted of a malicious Mach-O and related scripts, including game.py, installer.py, and uninstall. sh. The game.py is a cross-platform Firefox infostealer.
The installer.py is a copy of the chain breaker project that is capable of extracting passwords, keys, and certificates from the macOS keychain database. The uninstall. sh did not have any malicious behavior.
Static Analysis & Dynamic Analysis
These malware are similar to the other cross-variant malware and are easily detectable. In some cases, this malware uses different API calls and some dependencies.
However, all of these malware have the same goal of exfiltrating the browser data, crypto wallets, and keychain databases.
Static analysis showed that some variants make an attempt to grab the user’s password through osascript and AppleScript Spoofing.
Researchers have analyzed over 16 variants of this malware across 59 samples and have divided them into four families as A, B, C and D.
Variant Family A – Uses AppleScript Spoofing to steal user’s admin password in clear text.
Variant Family B – These samples break up the strings to evade static detection.
Variant Family C – Attempts to hide strings for AppleScript spoofing and have references to chain breaker
Variant Family D – No static artifacts for osascript spoofing, and password scraping is handled by the Terminal window via the get_keys_with_access function, which is passed immediately to sym.realst::utils::get_kc_keys for attempting to dump passwords from keychains.
SentinelOne has published a complete report including IOCs about these malware variants and their methods.
Users are recommended to be vigilant towards these blockchain games and verify each game’s legitimacy before downloading them.