Massive macOS Campaign Targets Crypto Wallets, Data

Users of macOS devices on the hunt for free blockchain games might want to put in some extra effort at verifying the authenticity of the games before downloading and using them.

In recent weeks, a threat actor has been pushing several blockchain games with interesting sounding titles such Brawl Earth, WildWorld, Evolion, Pearl, SaintLegend, and Olymp of Reptiles that in reality are an information stealer dubbed Realst aimed at macOS users.

Fake Blockchain Games

Blockchain gamers that downloaded the games have ended up with their cryptocurrency wallets drained in a hurry or having their stored password and browser data stolen, SentinelOne warned in a report this week.

The security vendor recently analyzed 59 Realst samples and discovered 16 variants in the data set. About a third of the samples had code strings in them that suggest the threat actor is already targeting macOS 14 Sonoma — a version of the operating system that is still in beta testing and which Apple expects to release later this year. Some of the samples were digitally signed with an Apple Developer ID, that has since been revoked, SentineOne said.

The security vendor has assessed the Realst infostealer campaign is likely linked to another infostealer called PureLand that surfaced in March and targeted seven data types from macOS users, including session cookies, keychains, and SSH keys. The sheer number of Realst samples and variants suggests the threat actor has expended considerable effort in targeting macOS users for crypto wallet and data theft, SentinelOne said.

Realst and PureLand are not the only macOS infostealers to surface lately. Earlier this month, researchers at Guardz reported on another macOS stealer called ShadowVault that a threat actor has made available for rent in an underground forum. Guardz's analysis showed the malware collecting a wide range of data including login credentials, financial data, PII, and so-called seed phrases for recovering and restoring cryptocurrency wallets.

Enterprises Can Become Victims, Too

While the Realst campaign might appear targeted mainly at individual consumers, enterprise organizations can become collateral victims, says Phil Stokes, threat researcher at SentinelOne.

"Enterprises that allow users to download and launch software without pre-approval from IT [or] security teams can be impacted if employees are enticed by the lure," Stokes says. "Although the campaign we reported on is using the promise of free blockchain games to attract victims, the lure could easily be changed to virtually anything else."

It's also important to note that several malicious components of the Realst infostealer are not currently blocked by Apple's XProtect service, Stokes warns. "And developer-signed and ad hoc-signed versions have been identified — meaning these currently pass Apple's Gatekeeper and code signing checks and are not prevented from launching," he says.

Security researcher iamdeadlyz was the first to report on the Realst infostealer campaign targeting macOS users. In a report from March, the researcher described the malware as written in the Rust programming language and targeting data stored in a variety of browsers, cryptocurrency wallets, and browser extensions. Targeted browsers include Chrome, Brave, Opera, OperaGX, Firfox, and Vivaldi. Targeted wallets and extensions include Binance Wallet, Trust Wallet, Metamask, Martian Wallet, and TronLink, a crypto wallet that is available as a browser extension. The malware also targets the Telegram messaging app.

Websites, Discord, and X Accounts

According to SentinelOne, the threat actors behind the Realst campaign have set up malicious websites for each of the fake blockchain games and for added effect have created associated Discord and X (the platform formerly known as Twitter) accounts, so users are lulled into believing the games and the websites are authentic.

In many instances the threat actor has approached potential victims through direct messages on social media, inviting them to try out the games. One such message, which SentinelOne posted in its blog, purported to be from the "community manager" of "Olymp of Reptiles" and inquired about the recipients' interest in becoming a paid tester for the game.

Olymp of Reptiles' X profile indicated the account had 2,018 followers and advertised the game as a "brand new, absolutely best trading card game" that had just started open beta testing. Brawl Earth's X profile, meanwhile, suggested the owner established the account in 2014 and had 1,391 followers. A May 24 tweet announced the availability of 2,000 spots for testers to play the game before its general release.

"Individuals who fell for the lures soon found that they had become victims of theft," SentinelOne's Stokes says.

One victim, who claimed to be a security engineer on their X profile, warned about their crypto wallet being drained barely 10 minutes after the user had downloaded the Brawl Earth game. "Project look serious, plenty of docs, twitter with followers, discord with hundreds of users. Before the meeting I decide to test it, there is a real playable game," the victim noted on the X platform.