9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
The Mac-infecting Realst crypto stealer is back. It’s been over a year since the malware emerged as a tool for cybercriminals to drain cryptocurrency from wallets and steal other credentials. It was initially disseminated through fake blockchain games, as I reported at the time. However, it now appears to be directed at Web3 developers in a targeted spear-phishing campaign.
In a recent report from Cado Security, cybercriminals are posing as recruiters, luring victims with fake job offers through social platforms like Telegram and X. This tactic is not all that new. If you recall, around mid-last year, we got a flurry of headlines about scammers impersonating well-known companies and recruiting for fake jobs on LinkedIn.
What sets this particular attack apart is that instead of asking victims for personal information like a driver’s license, Social Security number, or bank account number to fill out “employment paperwork,” they are asked to download a fake video meeting app. Once installed, Realst rapidly works to steal sensitive data like browser cookies, credentials, and crypto wallets. This usually happens without the victim even noticing.
Interestingly, it was also discovered that even before downloading the malware, some fake sites contain hidden JavaScript capable of draining crypto wallets stored in the victim’s browser.
Cado Security says attackers also use AI-generated websites to evade detection, quickly burning through multiple domains, such as Meeten[.]org and Clusee[.]com. This rapid cycling strategy, combined with AI-generated content for fake company blogs and social profiles, shows how sophisticated they can be.
When users download the “meeting tool,” the Realst malware activates and begins to look for and exfiltrate the following:
- Telegram credentials
- Banking card details
- Keychain credentials
- Browser cookies and autofill credentials from Google Chrome, Opera, Brave, Edge, and Arc. Safari was not listed.
- Ledger Wallets
- Trezor Wallets
To stay safe, avoid unverified downloads, enable multi-factor authentication, never store crypto credentials in browsers, and use trusted video apps like Zoom when setting up meetings. Always be cautious when approached about business opportunities on Telegram and other social apps. Even if the message appears to come from a known contact, verify the account’s authenticity and think twice before clicking on links.
You can find Cado Security’s full report here.
More in Apple security
- A newly released app lets you regularly scan your iPhone for Pegasus spyware – which can access almost all the data on a phone – for a one-off cost of just one dollar.
- Moonlock Lab released its 2024 Threat Report, detailing how AI tools like ChatGPT are helping to write malware scripts, the shift to Malware-as-a-Service (MaaS), and other interesting statistics it’s seeing through internal data.
- Apple’s Passwords app now has a Firefox extension for Mac. Interestingly, a Reddit thread reveals that this extension appears to have been created by a third-party developer. But Apple appears to have taken it over under its branding and name.
- Mosyle exclusively reveals to 9to5Mac details on a new family of Mac malware loaders. Mosyle’s Security Research team discovered these new threats are written in unconventional programming languages and use several other sneaky techniques to evade detection.
Follow Arin: Twitter/X, LinkedIn, Threads