Earlier this month, security researcher iamdeadlyz reported on multiple fake blockchain games being used to infect both Windows and macOS targets with infostealers, capable of emptying crypto wallets and stealing stored passwords and browser data.
In the case of macOS, the infostealer turned out to be a new malware written in Rust, dubbed “realst”. Building on this previous analysis, we identified and analyzed 59 malicious Mach-O samples of realst malware. Among those, we discovered some samples are already targeting Apple’s forthcoming OS release, macOS 14 Sonoma.
In this post, we describe the malware in detail to help threat hunters and security teams identify and detect compromises by Realst Infostealer.
Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. The campaign appears to have links to the earlier PearlLand infostealer. Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts.
As reported by iamdeadlyz, threat actors have been observed approaching potential victims through direct messages on social media.
Individuals who fell for the lures soon found that they had become victims of theft.
Realst Malicious Installers
Some versions of the malware are distributed by a .pkg installer containing a malicious Mach-O and three related scripts.
The Python script game.py is a cross-platform Firefox infostealer. No actual game is contained here or elsewhere.
The installer.py script is in fact a copy of chainbreaker, an open-source project for extracting passwords, keys and certificates from a macOS keychain database. Given the user’s password scraped earlier in the execution chain, chainbreaker will retrieve clear text versions of the user’s internet account and other stored passwords.
The uninstall.sh script is simply a barebones uninstall script with no malicious behavior.
Other versions of realst stealer are distributed as applications via .dmg disk images. In some cases the developer has packaged the malware in Electron apps; in others, native macOS application bundles are used. The previous research provides an in-depth description of these.
Some samples were codesigned with Apple Developer ID (Team Identifier: C46287MB25), which has since been revoked.
Other samples are ad-hoc codesigned and will continue to launch, as such signatures cannot be revoked remotely.
Dynamic Analysis of Realst Variants
Behaviorally, realst samples look fairly similar across variants and are readily detectable in much the same way as other macOS infostealers. Although they at times use different API calls and have some variant dependencies, from a telemetry point of view the key to all these infostealers is the access and exfiltration of browser data, crypto wallets, and keychain databases.
Targeted browsers include Firefox, Chrome, Opera, Brave and Vivaldi. Safari was not targeted in any of the samples we analyzed. We also note that the malware targets the Telegram application.
The samples we analyzed reach out to one of two hardcoded URLs to exfiltrate stolen data:
Most variants (see below for further details) attempt to grab the user’s password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model. We explore these differences in detail in the static analysis section below.
Collected data is dropped in a folder simply named “data”. This may appear in one of several locations depending on the version of the malware: in the user’s home folder, in the working directory of the malware, or in a folder named after the parent game, e.g.,
~/data/
~/data.zip
~/Downloads/brawl/data/
~/Downloads/brawl/data.zip
If the malware was able to access screen capture permission, a screenshot of the Desktop is also taken and deposited in the same location.
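The behavioural points above (the osascript password dialog with hidden answer, the sysctl hw.model check, keychain dumping, and the data/data.zip staging folder) can be turned into simple telemetry rules. The Python below is an added example, not SentinelOne’s detection logic; the event format, parent process names and command-line flags are constructed assumptions, not captures from the campaign.

```python
"""Behavioural detection over constructed process-telemetry lines (added
example, not SentinelOne's code). Each line is 'pid|parent|command line'."""
import re

# Constructed sample telemetry, not captures from the campaign. Parent names
# and command-line flags are assumptions chosen to exercise the rules.
SAMPLE_EVENTS = [
    "401|Brawl Earth|osascript -e 'display dialog \"macOS needs your password\" "
    "default answer \"\" with hidden answer'",
    "402|Brawl Earth|sysctl -n hw.model",
    "403|Brawl Earth|python3 installer.py --password [REDACTED] "
    "--dump-generic-passwords /Users/victim/Library/Keychains/login.keychain-db",
    "404|Brawl Earth|zip -r /Users/victim/Downloads/brawl/data.zip "
    "/Users/victim/Downloads/brawl/data",
    "505|Terminal|sysctl -n hw.model",                      # benign admin check
    "506|Finder|osascript -e 'display dialog \"Hello\"'",  # no hidden answer
]

# One rule per telemetry point described in the report.
RULES = {
    "password_spoof": re.compile(r"osascript.*display dialog.*with hidden answer"),
    "vm_check": re.compile(r"\bsysctl\b.*\bhw\.model\b"),
    "keychain_dump": re.compile(r"dump-generic-passwords|chainbreaker"),
    "data_staging": re.compile(
        r"(?:/Users/[^/\s]+|~)(?:/Downloads/[^/\s]+)?/data(?:\.zip)?\b"),
}

def classify(line):
    """Return (pid, parent, [rule names]) for a single telemetry line."""
    pid, parent, cmd = line.split("|", 2)
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    return pid, parent, hits

def rules_per_parent(events):
    """Collect the distinct rules each parent process triggered."""
    per_parent = {}
    for line in events:
        _, parent, hits = classify(line)
        per_parent.setdefault(parent, set()).update(hits)
    return {p: sorted(h) for p, h in per_parent.items()}

def suspicious_parents(events, min_rules=2):
    """A parent tripping several distinct rules is the infostealer pattern;
    one lone hw.model query from Terminal is not."""
    return sorted(p for p, h in rules_per_parent(events).items()
                  if len(h) >= min_rules)
```

Correlating by parent process rather than alerting on single commands keeps an administrator’s interactive sysctl query from firing on its own.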
Static Analyses of Realst Variants
Our analysis identified 16 variants across 59 samples, which we divide into four major families: A, B, C and D. The division is somewhat arbitrary: there are a number of overlaps that would allow us to draw the lines differently (for example, the use or lack of pycryptodome, or the targeting of macOS Sonoma). We chose the following taxonomy based on string artifacts that should aid threat hunters in better identification and detection.
Realst Variant Family A
Of the 59 Mach-O samples we analyzed, 26 fall into Variant A. This variant has a number of sub variants (we noted ten), but they all share one defining characteristic which isn’t found in Variants B, C and D: The inclusion of whole strings related to AppleScript spoofing.
Example SHA1: 144665cb2e5d65c88579aa4391cebbc116842536
0x752f16: osascript
0x752f21: display dialog
0x752fb7: with hidden answer
0x7511dc: keychain-db
0x751238: dump-generic-passwords
0x1c75e13: FireFoxDecryptor
0x19444a1: hw.model
Family A variants use AppleScript spoofing in much the same way that we have seen earlier macOS stealers use to grab the user’s admin password in clear text. This technique involves popping a password request dialog box with the “hidden answer” option. This prevents the user from seeing the characters they type by replacing them with bullet points, similar to a real password dialog. The important difference, however, is that in this case the password is only obscured from the user themselves: it is captured and logged in clear text by the AppleScript dialog box.
Like other variants, A samples also include full strings related to anti-analysis through VM detection in the form of hw.model. This is used as an argument to the sysctl command to determine the model of the host device. When run on a Virtual Machine, a macOS instance will typically return the name of the VM software as opposed to the model of Mac.
Realst Variant Family B
Family B variants also have static artifacts related to password spoofing, but these samples are distinctive as they break up the strings into smaller units as a means to evade simple static detection. We found 10/59 samples fell into this category.
Otherwise, B variants have similar artifacts to Variant A samples.
Example SHA1: 2d89ffbadddd62483bc2be33e296ce4e6036c45b
0x6940a0: display dialog
0x6b08f3: keychain-db
0x6b094f: dump-generic-passwords
0x6b52cb: hw.model
0x9b8b69: FireFoxDecryptor
Realst Variant Family C
Family C also attempts to hide the strings for AppleScript spoofing by breaking up the strings in the same way as Variant B. However, Variant C is distinctive in that it introduces a reference to chainbreaker within the Mach-O binary itself. 7/59 samples fell into this category.
Example SHA1: 112b5637c8cbb7d2e216d89f969515809e1dc66d
0x3fbc10: keychain-db
0x3fbc3c: chainbreaker
0x3fbc51: dump-generic-passwords
0x628e4f: FireFoxDecryptor
0x402552: hw.model
Realst Variant Family D
In Family D, which accounted for 16/59 samples, there are no static artifacts for osascript spoofing. Password scraping is handled by a prompt in the Terminal window via the get_keys_with_access function. Once the password is acquired it is immediately passed to sym.realst::utils::get_kc_keys, which then attempts to dump passwords from the Keychain.
In some versions, the malware also uses the scraped password to elevate privileges with the sudo command and install the Python pycryptodome package.
The use of pycryptodome is itself inconsistent across samples and families, appearing in around half of the entire collection.
Example SHA1: d436de35164a045e3c0f7b51cf41fcefedf7e77d
0x3fbc10: keychain-db
0x3fbc47: dump-generic-passwords
0x402542: hw.model
0x628de2: FireFoxDecryptor
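The four family listings above can be applied as a static triage step. The Python below is an added example, not the report’s own tooling: it searches a binary’s bytes for the artifact strings listed for Families A to D and applies the taxonomy as described (chainbreaker marks C, the full set of AppleScript spoofing strings marks A, a partial set marks B, and their absence marks D). The byte strings used as samples are constructed stand-ins for each family’s string table, not the real Mach-O files.

```python
"""Static triage of a binary's string artifacts against the Family A-D
taxonomy above (added example, not the report's own tooling)."""
import re

# Artifact strings taken from the report's per-family listings.
ARTIFACTS = {
    "osascript": b"osascript", "display_dialog": b"display dialog",
    "hidden_answer": b"with hidden answer", "keychain_db": b"keychain-db",
    "dump_generic": b"dump-generic-passwords", "chainbreaker": b"chainbreaker",
    "firefox_decryptor": b"FireFoxDecryptor", "hw_model": b"hw.model",
    "get_kc_keys": b"get_kc_keys", "sonoma": b"Sonoma",
}
APPLESCRIPT = {"osascript", "display_dialog", "hidden_answer"}

def find_artifacts(blob):
    """Return {artifact name: [byte offsets]} for every string present."""
    found = {}
    for name, needle in ARTIFACTS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), blob)]
        if offsets:
            found[name] = offsets
    return found

def classify_family(found):
    """Keychain, hw.model and FireFox strings are common to all families, so
    only the AppleScript strings and the chainbreaker reference decide."""
    has = set(found)
    if "chainbreaker" in has:
        return "C"          # chainbreaker referenced inside the Mach-O itself
    if APPLESCRIPT <= has:
        return "A"          # whole AppleScript spoofing strings present
    if has & APPLESCRIPT:
        return "B"          # spoofing strings broken into smaller units
    return "D"              # no osascript artifacts; Terminal prompt instead

def triage(blob):
    found = find_artifacts(blob)
    return {"family": classify_family(found), "artifacts": sorted(found),
            "sonoma": "sonoma" in found}

# Constructed stand-ins for each family's string table, not real samples.
SAMPLES = {
    "a": b"\x00osascript\x00display dialog\x00with hidden answer\x00keychain-db"
         b"\x00dump-generic-passwords\x00FireFoxDecryptor\x00hw.model\x00Sonoma\x00",
    "b": b"\x00display dialog\x00keychain-db\x00dump-generic-passwords"
         b"\x00hw.model\x00FireFoxDecryptor\x00Sonoma\x00",
    "c": b"\x00keychain-db\x00chainbreaker\x00dump-generic-passwords"
         b"\x00FireFoxDecryptor\x00hw.model\x00",
    "d": b"\x00keychain-db\x00dump-generic-passwords\x00hw.model"
         b"\x00FireFoxDecryptor\x00realst::utils::get_kc_keys\x00",
}
```

The offsets returned by find_artifacts can be compared directly against the per-family listings above when triaging a real file read with open(path, "rb").read().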
Realst Infostealer Prepares for macOS 14 Sonoma
About a third of the samples we identified contain strings targeting macOS 14 Sonoma. These string artifacts appear in around half of Variant A samples, and all of Variant B samples. None of Variants C or D were found to contain Sonoma strings.
It is not clear at this point how differences between Sonoma and Ventura would affect execution of the malware, a question it seems the malware authors are themselves seeking to answer.
SentinelOne Protects Against Realst Infostealer
All known variants of Realst macOS infostealer are detected and, where the ‘Prevent’ site policy is enabled, prevented from execution by the SentinelOne agent. Apple’s malware blocking service “XProtect” does not appear to prevent execution of this malware at the time of writing.
Organizations not protected by SentinelOne may use the comprehensive indicators provided in this post to aid threat hunting and detection.
The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft. Multiple fake game sites complete with Discord servers and associated Twitter accounts have been created to present the illusion of genuine products and convince users to try them out. As soon as the victim launches these fake games and provides the “installer” with a password, their data, passwords and crypto wallets are stolen.
Given the current popular interest in blockchain games, which promise users the reward of making money while gaming, users and security teams are urged to treat solicitations to download and run such games with extreme caution.
Indicators of Compromise
Observed MITRE TTPs
T1033 System Owner/User Discovery (whoami)
T1059 Command and Scripting Interpreter (osascript)
T1070.004 File Deletion (rmdir)
T1082 System Information Discovery (sw_vers)
T1083 File and Directory Discovery (dirname, basename)
T1553 Bypass or Subvert Trust Controls (xattr)
T1620 Reflective Code Loading (execv, fork)
T1562 Disable or Modify Tools (sleep, waitpid)
T1639.001 Exfiltration Over Unencrypted Non-C2 Protocol (tcp, http)
Mach-O Files SHA1
Family Variant A1
Family Variant B1
Family Variant C1
Family Variant D1