- A security research company has reported a new malware distributed through fake blockchain games.
- As soon as users launch these games and provide passwords, they are soon hit by a malicious code which wipes out their crypto wallet.
- Because this virus is new and is able to bypass apple’s security system, including yet-to-be-released macOS, security companies are urging users to be extra vigilant.
Security researcher iamdeadlyz has reported on multiple fake blockchain games being used to infect both Windows and macOS with infostealers capable of emptying crypto wallets and stealing personal data such as passwords and emails stored in the browser.
For macOS, the infostealer is a new malware written in Rust, dubbed “Realst”.
Based on this information, security company SentinelOne, reported on its blog post an analysis of these variants of malware, some already targeting macOS 14 Sonoma.
The malware works by attempting to deceive victims through AppleScript spoofing, which involves presenting password request dialogue boxes with hidden answers to capture passwords. Code analysis by SentinelOne found that there is a code from Realst which is a copy of Chainbreaker; an open-source project that extract passwords, keys and certificates from macOS keychain databases.
According to iamdeadlyz, a malware research company, the malware have a different MacOS build, they are new and so there is no public intel at the moment.
How Realst is distributed
Realst is spread through games including Brawl Earth, Evolion, Pearl, Olymp of Reptiles, SaintLegend, Wildworld, Destruction and Dawnland.
According to iamdeadlyz, the threat actors approach potential victims through direct messages on social media requesting for those who would like to test a game. Those who fall for it, are soon hit by malware that wipes out their crypto wallet clean. As soon as the victims launch these fake games and provide the installers with passwords, their personal data and crypto funds are stolen.
They give access/refferal codes because the form on the website asks for it in order to download the file. The access code identifies which hacker lured the victim into dowloading the malicious file.
Inside the code, the malware research company was able to figure out some of the activity behind the scene or behind the codes events such as comments in Russian language, Dropbox links and methods to notify the malicious actors
There are instances where download buttons are displayed on the website immediately.
Some versions of malware are distributed by a .pkg installer containing a malicious Mach-O and three related scripts.
Some versions of realst stealer are distributed as application via .dmg disk images. In Some cases, the developer packaged the malware in Electron apps, yet in others, native macOS application bundles are used.
Realst have the same characteristics as other macOS infostealers, which includes; access and exfiltration of browser data, crypto wallets and keychain databases. With targetted browsers being, Firefox, Chrome, Opera, Brave and Vivaldo. Safari was not targeted in the samples analysted by sentinelOne. However, the malwaware also targets telegram applications.
SentinelONe’s security can detect and prevent all known variants according to Security Analyst from SentinelOne Phil Stokes, there is a need for extra precaution as Apple’s malware blocking service “XProtect” is not able to detect and prevent the execution of malware at the moment.
In addition to anti-malware protection users need to be alert when they encounter blockchain games promising financial rewards, unless they are fully convinced of its legitimacy, they should not download.
