Realst MacOS Infostealer

Written by The Hivemind | Aug 7, 2023 6:41:09 PM

Executive Summary

Realst is a Rust-based infostealer targeting MacOS devices. Some Realst variants are capable of targeting MacOS 14 Sonoma, the upcoming MacOS release that is currently in beta.

Key Takeaways

  • Realst is a Rust-based infostealer created to target MacOS devices. 
  • Realst is distributed via fake blockchain games.
  • It is capable of stealing data from multiple browsers and cryptocurrency wallets, as well as Telegram and Keychain data.
  • Some Realst variants are capable of targeting MacOS 14 Sonoma, the upcoming MacOS release that is currently in beta.

What is Realst?

SentinelOne recently reported on Realst, an infostealer created to target MacOS devices. Security researcher iamdeadlyz first reported on Realst after finding it hidden in fake blockchain games. The games associated with this activity include Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.

Realst is written in Rust. It targets MacOS 10.12 (Sierra) and later, and some variants also run on MacOS 14 Sonoma, the upcoming MacOS release that is currently in beta. It is capable of stealing data from multiple browsers and cryptocurrency wallets. Affected browsers include Chrome, Brave, Opera, OperaGX, Firefox, and Vivaldi. Affected crypto wallets and browser extensions include Metamask, Binance Wallet, Trust Wallet, Martian Wallet, Pontem Aptos Wallet, Petra Aptos Wallet, TronLink, Nami, Temple, and Phantom. Realst also targets Telegram data and the MacOS Keychain.

According to iamdeadlyz, victims are lured into downloading the games via social media or Discord advertisements, or direct messages promoting the games. To add to the sense of legitimacy, in some cases, the lure accounts give the victim access or a referral code that is needed to download the files.

In one of the versions iamdeadlyz analyzed, launching the .pkg file displays a standard installer window. After installation, a postinstall script launches a Mach-O executable, and a terminal window opens asking the victim to enter their password to install the “game”. In the background, tooling is dropped to collect user data, which is compressed into a ZIP archive and exfiltrated to the C2 server. iamdeadlyz identified at least five different execution chains, which vary depending on which game is used as the lure.

SentinelOne built on iamdeadlyz’s research, analyzing 59 Realst samples and identifying at least 16 distinct variants. Approximately one third of the samples contained strings targeting MacOS 14 Sonoma.

IOCs

PolySwarm has multiple samples of Realst. The following are SHA-256 hashes of those samples:

73fd60f1f2d027f4f5a01c3914c7a5701ade6d91e5b14610303dd7f7395b7fb8

90a1d3f0bd80579dd294326ff4003c6e4e9ddce30ef2d2937dbe203379ac4902

599f7e21662b2024d70447dba643eabd8f0e4088f06991ef5b6d9668c7c11a6e

bdba1cf7fb72b7f90ddf0224a051f13af81514a7d93f68d1750146623d451708

944da64d28ee16dfcdd944f541aaf04e852e011e770b5c2b3aa84b4004866159

4006593059b92aca302dd0d71751345e139b6c7590cf5712cb8d6b54f1d5c823

e13b786e31ecac1c53069a629c2e1905eebfef9044608f8cae9abdc9b6c4c523

8f362e4859155d999e4a0972caa4af5212276e88a0569a5e93e71438aad2e545

9efa01da110380b8cc710c7000f0fd7c32a3ca07006f00f97b202dc435fea77b

5cfc5d35071521d572d2fa0e82875b4a5a4647fa20dd054242d5ad88b89f75c5

c729f5715ca5a6039562d9cc52b65cc7ce16ef1ed1451cfc812c7654fa8e3c48

4b93ec3fd49c0111e8a11ac8a0a197f5366cda19732932ce4cb84e024c648a38

2c321b1416fb7226bffd1633a2a053ef3921fef9a1de5c49b71ef9c7b0914b00

2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2

7e3d69ec2da5a65466e4ef4a0f4b715d31fee0000ef4318eab8914e9bf030024

64fec4bcd85b3e2129c0e1f3a0201f6effb5667f52067caeba21cade08cd7b94

fc438c6e231c80c0d5de5b5a194fdba87f88e334414b248047c5e412ed613a6a

b08740de7bd8d6805ca2c3c8be1db69fbb7aa9bd6aad1c0582881e4196574aa9

e581b456d13a52ac58f91f47916950b6e7442c54d7dfb15b76fff844e00e0382

ccbb7510e84df49e1e6bd523ec739ddec71b67e84269d065b0d0ea3942f30471

f5644d70a9885e17dcde888c0270d1b78a0358bb766fccb331742c00c34dda9b

0cd929f660a012e390c9098f3dc6d7f41ae32f472f3f266d86789e2b5d1ceee0

e39cca965dbf7957d04f848572aacfbb736e6aff71e319a788c3f61e52abe795

2c0cc8b60e502e9a2a82a1a6acdfa340ff43608dd6fdad32db9ce99b383513e3

fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2

03044ce1dea80b43b94497cc7bad22eb3e9c4c7bd4b4d13f74432152fed19411

78b2fa0df9fba56ba6a773faa0d280977a1a830fce4f2427935f87de11cb9012

28549faab4a2757dc4eb922a7ad3bfa7981f9a132218ae530856ae6da3bc03e6

e8b7e12a44d7c605762e8a3220d26c53ee6c179f02f607c899d4e08a8132f6c5

e0eeb9b87c7ca8b812e9e9a3b6711e0200c80883780b59a3c258c8a3c0d73a29

ff7b879e7fb4f58c954e46125f0c58f2e413a8a729c5e9e3353152cc8e2509f8

149784b07294ec991db4ed913ff726a602d6e071899ddb051a05498a3790bd63

a0b8789ef3249b5fa8eb3590cd6f183e24273b5886560233025fc9d8de52ce0b

8050a585fe1d534cafecaa56bda08ce2ef3bc26ea2b0ddad90c6b0c2be1ef3af

1a5db06dca0667a72d24e092c81f1a3a6d8b535696813012cdc636fc652de743

0c0402c76d738c4786a94e9b99d94a99288d8c0a8ce5b4c9dffa80d9e14605dd

617ee1c508015a1a42a8aa4ae42b153ad6ca4118fec7d4b7d6a9242e7006c105

0a4f053791180ed2b3f95774dd11e0b87a72ad8681e28ea70df790d5fb955525

7a4ad05505828bc3be80f1fbf69ad4dde72f9a10bcedeb213e568d564e51ad4d

40c3052d5fb6f0e7856dd0b1102925746b876cc8e6f2beaff250c7c6e9d2fb0b

29e53aedc94da406bb495caaba282fabd7bc7d73d9cd0b969d8509dfda92dd3a

00dc363063917641ae11eab414a6e2ae8f2e6d671e163339f7b71577f702d068

9b7bf24cd1b0ae4cc88dab9be6789900454d0a8435124f599bc914998b4ea164

41423f4119cdf51b79984141ccbbc774e257fb99670a9b73953b40e1a209d632

34a16ec7e28ad7fe314a6bc0bb4b5a44f025cf3712a7737c13898e6003dcf9f0

016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74

You can use the following CLI command to search for all Realst samples in our portal:

$ polyswarm link list -f Realst
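The execution chain described above (a postinstall script that launches a Mach-O and prompts for the user's password) and the SHA-256 list both lend themselves to an offline triage check. The script below is an added example written for this post, not code from PolySwarm, SentinelOne or iamdeadlyz. It assumes the suspect .pkg has already been expanded to a directory (for example with `pkgutil --expand-full`, which is an assumption about your workflow) so that install scripts and payload files are ordinary files on disk; the `triage`, `build_sample` and `demo` names, the password-prompt patterns, and the constructed sample package are all illustrative, and only three of the indicators above are embedded.

```python
"""Offline triage of an expanded macOS .pkg for the Realst install chain.
Added example; assumes the package was expanded with `pkgutil --expand-full`
(a workflow assumption) so scripts and payload are plain files under one dir.
"""
import hashlib
import json
import re
import sys
import tempfile
from pathlib import Path

# Mach-O magic values as they appear on disk: thin 32/64-bit in both byte
# orders, plus the fat/universal header (always big-endian: ca fe ba be).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}
INSTALL_SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight"}
# Heuristic only: common ways an install script solicits the user's password.
PROMPT_PATTERNS = (r"\bsudo\b", r"\bosascript\b", r"\bread\s+-s\b")

# Three indicators copied from the SHA-256 list above; use the full list in practice.
REALST_SHA256 = {
    "73fd60f1f2d027f4f5a01c3914c7a5701ade6d91e5b14610303dd7f7395b7fb8",
    "90a1d3f0bd80579dd294326ff4003c6e4e9ddce30ef2d2937dbe203379ac4902",
    "599f7e21662b2024d70447dba643eabd8f0e4088f06991ef5b6d9668c7c11a6e",
}
assert all(re.fullmatch(r"[0-9a-f]{64}", h) for h in REALST_SHA256)  # catch paste damage

# Constructed postinstall used by build_sample(); not taken from a real dropper.
POSTINSTALL_TEXT = "#!/bin/sh\nsudo ./game_installer\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O thin or fat header."""
    try:
        with path.open("rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if len(head) < 8 or head[:4] not in MACHO_MAGICS:
        return False
    if head[:4] == b"\xca\xfe\xba\xbe":
        # Java class files share this magic. A fat header stores a small
        # architecture count here; a class file stores its version (>= 45).
        return int.from_bytes(head[4:8], "big") < 45
    return True


def triage(expanded_pkg: str, indicators=REALST_SHA256) -> dict:
    """Report install scripts, Mach-O payloads, scripts that launch those
    payloads or prompt for a password, and files matching known-bad hashes."""
    root = Path(expanded_pkg)
    report = {"scripts": [], "machos": [], "launching_scripts": [],
              "prompting_scripts": [], "ioc_hits": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in INSTALL_SCRIPT_NAMES:
            report["scripts"].append(rel)
        if is_macho(path):
            report["machos"].append(rel)
        if sha256_of(path) in indicators:
            report["ioc_hits"].append(rel)
    macho_names = {Path(m).name for m in report["machos"]}
    for script in report["scripts"]:
        text = (root / script).read_text(errors="replace")
        # The "postinstall launches a Mach-O" step from the chain described above.
        if any(re.search(r"\b" + re.escape(n) + r"\b", text) for n in macho_names):
            report["launching_scripts"].append(script)
        if any(re.search(p, text) for p in PROMPT_PATTERNS):
            report["prompting_scripts"].append(script)
    return report


def build_sample(root: str) -> str:
    """Constructed package layout mimicking the chain above: a postinstall that
    runs a sibling Mach-O, plus a Java class whose CAFEBABE magic must not be
    mistaken for a fat binary. Sample data, not a real Realst package."""
    base = Path(root)
    scripts = base / "Scripts"
    scripts.mkdir(parents=True, exist_ok=True)
    (scripts / "postinstall").write_text(POSTINSTALL_TEXT)
    (scripts / "game_installer").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    payload = base / "Payload"
    payload.mkdir(exist_ok=True)
    (payload / "Game.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8)
    return str(base)


def demo(indicators=REALST_SHA256) -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    return triage(build_sample(tempfile.mkdtemp()), indicators)


if __name__ == "__main__":
    print(json.dumps(triage(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Run it with the expanded package directory as its only argument; with no argument it triages the constructed sample. An entry in both launching_scripts and prompting_scripts reproduces the pattern described above, but it is a triage signal, not proof of Realst, and the hash check is only as complete as the indicator set you load.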

Contact us at hivemind@polyswarm.io