New macOS malware is after your data and your crypto - here's how to stay safe

(Image credit: Shutterstock / Wit Olszewski)

A new and wide-reaching malware campaign is attacking both Windows and Mac systems, including the still in-development macOS 14 Sonoma, with the intent of stealing web browser data and cryptocurrency wallets.

Dubbed Realst, the malware masquerades as fake blockchain games under various names, such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.

The campaign, which is being promoted across social media, appears to be using various workers to lure victims. For those who are tricked and want to download the fake game, one of the workers will direct message the victim to give them a code - ostensibly needed to download it, but is really used to track which worker caught the target.

Realst

For those on Windows devices, infamous malware such as RedLine, Racoon and AsyncRAT is deployed, and for those on Mac it is Realst. This is an infostealer that takes data from the user's web browser and and crypto wallet apps.

Researchers have so far discovered 16 variants of Realst, suggesting that development is very active and moving at speed. The malware is delivered in the form of PKG installers or DMG disk which contain malicious Mach-O files and no game or software files of any kind.

> Apple is rolling out some urgent iPhone and Mac security patches, so update now

>Apple devices targeted by fake macOS PDF viewer that's just malware

>Malware on Macs: How real is the threat, and should we actually care?

Amongst the files installed are 'game.py', which actually steals data from the Firefox browser, and 'installer.py', which steals passwords from Apple's first-party password manager Keychain.

One researcher even found that some samples of the malware were signed using valid Apple Developer IDs to bypass detection from endpoint protection and other security software, although these signatures have now been revoked.

All variants appear to be quite similar, although each has differing API call sets. Interestingly, though, Apple's Safari appears to be one of the few browsers that is not targeted by Realst - Chrome, Firefox, Opera, Brave, and Vivaldi are all within the malware's sights. Even the infamous encrypted messaging service Telegram is a target.

Security firm SentinelOne has categorized the variants into 4 groups, with family A being the most popular and which uses AppleScript spoofing to trick victims into typing their system password into a dialog box.

It also found that 30% of the samples it analyzed from families A, B and D had elements that targeted macOS Sonoma, which is yet to get a full release.

"Collected data is dropped in a folder simply named "data" [which] may appear in one of several locations depending on the version of the malware: in the user's home folder, in the working directory of the malware, or in a folder named after the parent game," said its report.

Here is the best antivirus software for Mac around today

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, including speakers and headphones, having spent over a decade exploring the murky depths of audio production and PC building. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.