A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system.
Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz.
"Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts."
The cybersecurity firm, which identified 16 variants across 59 samples, said the activity likely has links to another information stealer campaign called Pureland, which came to light earlier this March. Windows machines, on the other hand, are infected with RedLine Stealer.
"Despite the cross-platform capabilities of Rust, we haven't observed Realst variants on other platforms to date," Stokes told The Hacker News via an email statement.
"The Realst malware is clearly developed by devs with a good knowledge of the macOS environment and isn't just a simple port of something written on another platform. It's likely that the development team behind RedLine Stealer is entirely different from that behind Realst as there are few overlaps between developing for Windows and developing for macOS."
The attack chains begin with threat actors approaching potential victims through direct messages on social media, convincing them to test a game as part of a paid collaboration, only to drain their cryptocurrency wallets and steal sensitive information upon execution.
The web browsers targeted for harvesting include Brave, Google Chrome, Mozilla Firefox, Opera, and Vivaldi. Apple Safari is a notable exception. The malware is also capable of gathering information from Telegram and capturing screenshots.
"Most variants attempt to grab the user's password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model," Stokes explained.
"The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft."
News of the Realst stealer follows the discovery of SophosEncrypt, which has been found impersonating cybersecurity firm Sophos and described as a "general-purpose remote access trojan (RAT) with the capacity to encrypt files and generate these ransom notes."
The developments come as data captured via commercial information stealers are being packaged and sold for profit on dark web marketplaces and Telegram channels, with over 200,000 OpenAI credentials leaked via stealer logs in 2022 and 2023, according to multiple reports from Bitdefender and Flare.
Stolen enterprise credentials, in particular, can act as a channel for initial access brokers to breach organizations, which can then be auctioned off to other actors looking to exploit the foothold for follow-on activities such as ransomware deployment.
According to IBM's Cost of a Data Breach Report 2023, which examined data breaches experienced by 553 organizations across 16 countries between March 2022 and March 2023, the global average cost of a data breach in 2023 stands at $4.45 million, a 15.3% increase from $3.86 million in 2020.
The study also found that "data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers," a trend observed in 2022 as well.
