Saturday, July 13, 2024
EHA

Rust Infostealer Malware Attacks macOS Sonoma Ahead of Public Release

Based on recent reports, it was discovered that there has been info stealer malware that affects both Windows and macOS platforms. The malware can steal crypto wallets, passwords, and browser data.

This new variant of malware is found to be written in Rust programming language, which was named “realst.”

The analysis stated that this malware is capable of targeting Apple’s upcoming macOS versionSonoma.”

Realst Distribution

The initial distribution of this malware involves fake advertising of blockchain games like Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, etc.

Every blockchain game version was hosted on its own website along with the Twitter and Discord accounts.

Blockchain game and its Twitter account (Source: SentinelOne)

Malicious Installers of Realst

The .pkg installer in some of the distributed malware consisted of a malicious Mach-O and related scripts, including game.py, installer.py, and uninstall. sh. The game.py is a cross-platform Firefox infostealer.

The installer.py is a copy of the chain breaker project that is capable of extracting passwords, keys, and certificates from the macOS keychain database. The uninstall. sh did not have any malicious behavior.

Contents of Evolion.pkg installer (Source: SentinelOne)

Static Analysis & Dynamic Analysis

These malware are similar to the other cross-variant malware and are easily detectable. In some cases, this malware uses different API calls and some dependencies.

However, all of these malware have the same goal of exfiltrating the browser data, crypto wallets, and keychain databases.

Static analysis showed that some variants make an attempt to grab the user’s password through osascript and AppleScript Spoofing.

Researchers have analyzed over 16 variants of this malware across 59 samples and have divided them into four families as A, B, C and D.

Variant Family A – Uses AppleScript Spoofing to steal user’s admin password in clear text.

Variant Family B – These samples break up the strings to evade static detection.

Variant Family C – Attempts to hide strings for AppleScript spoofing and have references to chain breaker

Variant Family D – No static artifacts for osascript spoofing, and password scraping is handled by the Terminal window via the get_keys_with_access function, which is passed immediately to sym.realst::utils::get_kc_keys for attempting to dump passwords from keychains.

SentinelOne has published a complete report including IOCs about these malware variants and their methods.

Users are recommended to be vigilant towards these blockchain games and verify each game’s legitimacy before downloading them.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNewsLinkedinTwitterand Facebook.

Website

Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles