Security researchers have identified a new infostealer malware named “Realst”, which is currently being used by cybercriminals to target Apple macOS users, including those on the upcoming macOS 14 Sonoma.
However, Web3 security firm SlowMist warned through a blog post that the malware is being propagated through fake blockchain games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. Each game has its own website, Twitter, and Discord accounts, creating a false sense of legitimacy that has unfortunately led to some users becoming victims.
The malware is written in Rust, an emerging programming language. Some variants of the malware are already targeting macOS 14 Sonoma, which is set to be released in the fall. The malware’s code mentions Sonoma multiple times, indicating the intent of the author to remain active until the public release of Apple’s latest macOS version.
The modus operandi of Realst
Realst operates silently in the background of compromised macOS devices, scraping web browser data, including stored passwords, and sending it back to the threat actors. It targets popular web browsers such as Firefox, Chrome, Opera, Brave, and Vivaldi, but does not target Safari. One of the most alarming consequences of infection is that Realst can quickly empty cryptocurrency wallets within minutes.
The malware is distributed via malicious websites promoting fake blockchain games, according to web3 security firm SlowMist. The malware attempts to deceive victims through AppleScript spoofing — presenting password request dialog boxes with hidden answers to capture passwords. Sometimes, it also uses Chainbreaker, an open-source project to extract passwords, keys, and certificates from macOS keychain databases.
Protecting against Realst and other malware
To protect against Realst and other malware, users are advised to only install apps from the official Mac App Store, verify links before opening them, use strong passwords and enable two-step authentication, exercise caution when granting permissions on their Mac, and keep their devices and applications up-to-date.
SentinelOne’s security solution can detect and prevent all known variants of Realst. However, users and security teams are urged to remain vigilant as Apple’s malware blocking service ‘XProtect’ does not appear to currently prevent execution of this malware.
Given the rising popularity of blockchain games promising financial rewards, users are advised to exercise extreme caution when encountering solicitations to download and run such games.