New Realst Info-stealer Targets MacOS, Empties Crypto Wallets

More about Realst info-stealer

• Realst is designed to target macOS systems and is capable of emptying crypto wallets and stealing stored passwords and browser data. 
• SentinelOne researchers identified and analyzed 59 Mach-O samples of Realst malware, some of which are already targeting Apple’s forthcoming OS release, macOS 14 Sonoma. 
• It is distributed via fake blockchain games for Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, and SaintLegend.
• Each fake blockchain game is hosted on a website with associated Twitter and Discord accounts.
• Some versions of the Realst malware are distributed by a PKG installer containing a Mach-O and three related scripts.
• Moreover, the malware uses valid Apple Developer IDs or ad-hoc signatures to bypass detection from security tools.

The variants

• There are 16 distinct variants of Realst that are fairly similar to each other, however, utilize different API call sets.
• They target Firefox, Chrome, Opera, Brave, Vivaldi, and the Telegram app.
• These variants are categorized into four families based on their behaviors, namely A, B, C, and D.
• Family A variants use AppleScript spoofing to grab the user’s admin password in clear text. 
• While Family B is similar to Family A, the former uses a password spoofing tactic wherein it breaks up the strings into smaller units to evade simple static detection. 
• Family C introduces a reference chainbreaker within the Mach-O binary itself to obtain the passwords from the system’s keychain database. 
• In Family D, password scraping is handled by a prompt in the Terminal window via the get_keys_with_access function.

Conclusion