New macOS malware is after your data and your crypto - here's how to stay safe

cryptocurrencies
(Image credit: Shutterstock / Wit Olszewski)

A new and wide-reaching malware campaign is attacking both Windows and Mac systems, including the still in-development macOS 14 Sonoma, with the intent of stealing web browser data and cryptocurrency wallets.

Dubbed Realst, the malware masquerades as fake blockchain games under various names, such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. 

The campaign, which is being promoted across social media, appears to be using various workers to lure victims. For those who are tricked and want to download the fake game, one of the workers will direct message the victim to give them a code - ostensibly needed to download it, but is really used to track which worker caught the target.

Realst

For those on Windows devices, infamous malware such as RedLine, Racoon and AsyncRAT is deployed, and for those on Mac it is Realst. This is an infostealer that takes data from the user's web browser and and crypto wallet apps. 

Researchers have so far discovered 16 variants of Realst, suggesting that development is very active and moving at speed. The malware is delivered in the form of PKG installers or DMG disk which contain malicious Mach-O files and no game or software files of any kind.

Amongst the files installed are 'game.py', which actually steals data from the Firefox browser, and 'installer.py', which steals passwords from Apple's first-party password manager Keychain. 

One researcher even found that some samples of the malware were signed using valid Apple Developer IDs to bypass detection from endpoint protection and other security software, although these signatures have now been revoked. 

All variants appear to be quite similar, although each has differing API call sets. Interestingly, though, Apple's Safari appears to be one of the few browsers that is not targeted by Realst - Chrome, Firefox, Opera, Brave, and Vivaldi are all within the malware's sights. Even the infamous encrypted messaging service Telegram is a target.

Security firm SentinelOne has categorized the variants into 4 groups, with family A being the most popular and which uses AppleScript spoofing to trick victims into typing their system password into a dialog box.  

It also found that 30% of the samples it analyzed from families A, B and D had elements that targeted macOS Sonoma, which is yet to get a full release. 

"Collected data is dropped in a folder simply named "data" [which] may appear in one of several locations depending on the version of the malware: in the user's home folder, in the working directory of the malware, or in a folder named after the parent game," said its report.

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 


His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.


He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.