Key Takeaways
What is Realst?
Realst is written in Rust. It targets Mac OS X 10.12 and later works on MacOS 14 Sonoma, the upcoming MacOS release that is currently in beta. It is capable of stealing data from multiple browsers and cryptocurrency wallets. Affected browsers include Chrome, Brave, Opera, OperaGX, Firefox, and Vivaldi. Affected crypto wallets and extensions include Metamask, Binance Wallet, Trust Wallet, Martian Wallet, Pontem Aptos Wallet, Petra Aptos Wallet, TronLink, Nami, Temple, and Phantom. Realst also targets Telegram and Keychain data.
According to iamdeadlyz, victims are lured into downloading the games via social media or Discord advertisements, or direct messages promoting the games. To add to the sense of legitimacy, in some cases, the lure accounts give the victim access or a referral code that is needed to download the files.
In one of the versions iamdeadlyz analyzed, when the victim launches the .pkg file, an installer window is displayed. After installation, a postinstall script launches a Mach-O executable, and a terminal window is displayed asking the victim to enter their password to install the “game”. In the background, tools are installed to steal user data, which is compressed into a ZIP archive and sent to the C2. Iamdeadlyz discovered at least five different execution chains, which varied based on the game being used to install Realst.
Sentinel One built on iamdeadlyz’s research, analyzing 59 different Realst samples. Out of those samples, they noted at least 16 Realst variants. Approximately one third of Realst samples included strings targeting MacOS 14 Sonoma.
IOCs
PolySwarm has multiple samples of Realst.
73fd60f1f2d027f4f5a01c3914c7a5701ade6d91e5b14610303dd7f7395b7fb8
90a1d3f0bd80579dd294326ff4003c6e4e9ddce30ef2d2937dbe203379ac4902
599f7e21662b2024d70447dba643eabd8f0e4088f06991ef5b6d9668c7c11a6e
bdba1cf7fb72b7f90ddf0224a051f13af81514a7d93f68d1750146623d451708
944da64d28ee16dfcdd944f541aaf04e852e011e770b5c2b3aa84b4004866159
4006593059b92aca302dd0d71751345e139b6c7590cf5712cb8d6b54f1d5c823
e13b786e31ecac1c53069a629c2e1905eebfef9044608f8cae9abdc9b6c4c523
8f362e4859155d999e4a0972caa4af5212276e88a0569a5e93e71438aad2e545
9efa01da110380b8cc710c7000f0fd7c32a3ca07006f00f97b202dc435fea77b
5cfc5d35071521d572d2fa0e82875b4a5a4647fa20dd054242d5ad88b89f75c5
c729f5715ca5a6039562d9cc52b65cc7ce16ef1ed1451cfc812c7654fa8e3c48
4b93ec3fd49c0111e8a11ac8a0a197f5366cda19732932ce4cb84e024c648a38
2c321b1416fb7226bffd1633a2a053ef3921fef9a1de5c49b71ef9c7b0914b00
2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2
7e3d69ec2da5a65466e4ef4a0f4b715d31fee0000ef4318eab8914e9bf030024
64fec4bcd85b3e2129c0e1f3a0201f6effb5667f52067caeba21cade08cd7b94
fc438c6e231c80c0d5de5b5a194fdba87f88e334414b248047c5e412ed613a6a
b08740de7bd8d6805ca2c3c8be1db69fbb7aa9bd6aad1c0582881e4196574aa9
e581b456d13a52ac58f91f47916950b6e7442c54d7dfb15b76fff844e00e0382
ccbb7510e84df49e1e6bd523ec739ddec71b67e84269d065b0d0ea3942f30471
f5644d70a9885e17dcde888c0270d1b78a0358bb766fccb331742c00c34dda9b
0cd929f660a012e390c9098f3dc6d7f41ae32f472f3f266d86789e2b5d1ceee0
e39cca965dbf7957d04f848572aacfbb736e6aff71e319a788c3f61e52abe795
2c0cc8b60e502e9a2a82a1a6acdfa340ff43608dd6fdad32db9ce99b383513e3
fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2
03044ce1dea80b43b94497cc7bad22eb3e9c4c7bd4b4d13f74432152fed19411
78b2fa0df9fba56ba6a773faa0d280977a1a830fce4f2427935f87de11cb9012
28549faab4a2757dc4eb922a7ad3bfa7981f9a132218ae530856ae6da3bc03e6
e8b7e12a44d7c605762e8a3220d26c53ee6c179f02f607c899d4e08a8132f6c5
e0eeb9b87c7ca8b812e9e9a3b6711e0200c80883780b59a3c258c8a3c0d73a29
ff7b879e7fb4f58c954e46125f0c58f2e413a8a729c5e9e3353152cc8e2509f8
149784b07294ec991db4ed913ff726a602d6e071899ddb051a05498a3790bd63
a0b8789ef3249b5fa8eb3590cd6f183e24273b5886560233025fc9d8de52ce0b
8050a585fe1d534cafecaa56bda08ce2ef3bc26ea2b0ddad90c6b0c2be1ef3af
1a5db06dca0667a72d24e092c81f1a3a6d8b535696813012cdc636fc652de743
0c0402c76d738c4786a94e9b99d94a99288d8c0a8ce5b4c9dffa80d9e14605dd
617ee1c508015a1a42a8aa4ae42b153ad6ca4118fec7d4b7d6a9242e7006c105
0a4f053791180ed2b3f95774dd11e0b87a72ad8681e28ea70df790d5fb955525
7a4ad05505828bc3be80f1fbf69ad4dde72f9a10bcedeb213e568d564e51ad4d
40c3052d5fb6f0e7856dd0b1102925746b876cc8e6f2beaff250c7c6e9d2fb0b
29e53aedc94da406bb495caaba282fabd7bc7d73d9cd0b969d8509dfda92dd3a
00dc363063917641ae11eab414a6e2ae8f2e6d671e163339f7b71577f702d068
9b7bf24cd1b0ae4cc88dab9be6789900454d0a8435124f599bc914998b4ea164
41423f4119cdf51b79984141ccbbc774e257fb99670a9b73953b40e1a209d632
34a16ec7e28ad7fe314a6bc0bb4b5a44f025cf3712a7737c13898e6003dcf9f0
016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74
You can use the following CLI command to search for all Realst samples in our portal:
$ polyswarm link list -f Realst
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports