
July 27, 2023

Cryptocurrency wallets on MacOS devices targeted by new Realst infostealer


Cybersecurity researchers have identified a new infostealer malware called Realst targeting cryptocurrency wallets on Apple macOS systems. The malware is deployed via fictitious blockchain games the threat actor convinces its victims to download under the guise of a paid game-testing relationship. To increase legitimacy, each trojanized game is hosted on its own website along with dedicated Twitter and Discord accounts.

Once installed on the victim’s machine, Realst is capable of taking screenshots and extracting cryptocurrency wallets from popular web browsers and services such as Google Chrome, Mozilla Firefox, Opera, Vivaldi, and Telegram. Although the malware is built for macOS, it does not target Apple’s Safari browser, which is installed by default on macOS devices.

Researchers believe that Realst is linked to the Pureland infostealer, which was identified in March 2023, and was likely developed by the same threat actor behind RedLine Stealer, which targets Windows systems via trojanized blockchain games.

Source: The Hacker News

Analysis

It’s possible that the trojanized blockchain games were chosen as the attack vector for this campaign because the threat actor assumed players of blockchain games are more likely to have cryptocurrency wallets on their devices, since cryptocurrency relies on blockchain technology. Regardless, it’s clear that the threat actor has devoted considerable effort to this campaign to ensure its success. The creation and maintenance of websites and social media channels for each trojanized game reflects the actions of a highly motivated actor with considerable resources and patience.

Mitigation

Covalence users are automatically notified when malware like Realst is detected in their environment, as well as when potentially unwanted applications such as file-sharing tools, which are frequent entry points for malware like this, are found. Covalence users are encouraged to review these AROs as quickly as possible.

Additionally, Field Effect encourages users to only download and install programs from trusted sources rather than URLs sent via unsolicited texts or social media messages.
