Realst Mac malware targets macOS Sonoma, how to stay safe

July 26, 2023

Coming on the heels of ShadowVault, a new infostealer malware dubbed “Realst” is being implemented into fake blockchain games by cybercriminals in a massive campaign targeting Windows and macOS users, including those on macOS 14 Sonoma.

First discovered by security researcher iamdeadlyz earlier this month, the infostealer malware is being spread among Windows and macOS users via fake blockchain games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.

An analysis by SentinelOne found that not only was the new malware written in Rust, a highly praised up-and-coming programming language, but some variants are already targeting macOS 14 Sonoma ahead of its public release in the fall.

One of the fake blockchain games with Realst malware. Source: iamdeadlyz.gitbook.io

“About a third of the samples we identified contain strings targeting macOS 14 Sonoma,” according to SentinelOne. “It is not clear at this point how differences between Sonoma and Ventura would affect execution of the malware – a question it seems the malware authors are themselves seeking to determine.”

The repeated mention of Sonoma in the malware’s code shows the author’s intent to stick around until the public release of Apple’s latest version of macOS.

Furthermore, iamdeadlyz pointed out that the games are being advertised on malicious websites and on social media (i.e., Twitter). Each of them is accompanied by its own Discord and Twitter accounts to further create a sense of legitimacy that, unfortunately, some individuals have fallen victim to.

What can Realst compromise?

Realst silently works in the background of compromised macOS devices, capable of scraping all sorts of web browser data, including stored passwords, to send back to the threat actors.

The targeted web browsers include Firefox, Chrome, Opera, Brave and Vivaldi. “Safari was not targeted in any of the samples we analyzed,” stated SentinelOne. Is this a reflection of Apple’s security posture around its web browser? I’ll leave that up to you.

Most notably, the malware can also completely empty cryptocurrency wallets within minutes. This is the most immediate effect after becoming infected.

Tweets from a Realst victim. Source: iamdeadlyz.gitbook.io

How to protect yourself against Realst and other malware

Apple pre-installs many valuable background services on every Mac to protect you from what lurks on the Internet, but often these aren’t enough.

While you may already know many of these tips, I think it’s important to regurgitate them again for the masses.

Do your due diligence before installing anything outside the official Mac App Store

Hover over and confirm links before opening them

Use strong, complex passwords and 2-step authentication (non-SMS if possible, OTP is best)

Exercise caution when granting permissions on your Mac

Keep your devices and applications up-to-date

How to check your Mac for malware

If you’re interested in performing a thorough checkup on your Mac, check out our guide here:

Source: 9to5Mac