Users of macOS devices are being warned to exercise caution when downloading and using free blockchain games. In recent weeks, a threat actor has been circulating several blockchain games with enticing titles like Brawl Earth, WildWorld, Evolion, Pearl, SaintLegend, and Olymp of Reptiles. These games are not what they seem: the downloads actually carry an infostealer known as Realst, designed to steal information from macOS users.
According to a report from security vendor SentinelOne, users who have downloaded these games have had their cryptocurrency wallets drained and their stored passwords and browser data stolen. SentinelOne recently analyzed 59 samples of Realst and discovered 16 variants. Interestingly, around a third of the samples had code strings that suggested the threat actor was targeting macOS 14 Sonoma, a beta version of the operating system set to be released later this year. Some of the samples even had revoked Apple Developer IDs.
The Realst infostealer campaign is believed to be linked to another malware called PureLand, which first emerged in March. PureLand targeted various data types from macOS users, including session cookies, keychains, and SSH keys. The extensive number of Realst samples and variants indicates that the threat actor has invested significant effort in targeting macOS users for crypto wallet and data theft.
However, Realst is not the only infostealer affecting macOS devices recently. Guardz, another security firm, recently reported on a malware called ShadowVault that has been made available for rent on an underground forum. ShadowVault collects various types of sensitive data, including login credentials, financial information, personally identifiable information (PII), and seed phrases used to recover cryptocurrency wallets.
While the Realst campaign may primarily target individual consumers, enterprise organizations can also be impacted if employees are enticed by the promise of free blockchain games. Phil Stokes, a threat researcher at SentinelOne, warns that companies allowing users to download and launch software without pre-approval from IT or security teams can become collateral victims. Stokes also highlights that certain malicious components of Realst are currently not blocked by Apple’s XProtect service, meaning they can bypass security checks.
The Realst infostealer campaign was first reported by security researcher iamdeadlyz, who described the malware as being written in the Rust programming language and targeting data from various browsers, cryptocurrency wallets, and browser extensions. The malware specifically targets browsers such as Chrome, Brave, Opera, OperaGX, Firefox, and Vivaldi, as well as wallets and extensions like Binance Wallet, Trust Wallet, Metamask, Martian Wallet, and TronLink. It also goes after the popular messaging app Telegram.
To lend authenticity to the fake blockchain games, the threat actors behind the Realst campaign have set up malicious websites for each game and created associated Discord and Twitter accounts. They have approached potential victims through direct messages on social media, inviting them to try out the games. These messages give the impression that the games and websites are genuine.
For example, SentinelOne shared a message purportedly from the “community manager” of “Olymp of Reptiles” asking recipients if they were interested in becoming paid testers for the game. The associated X profile for Olymp of Reptiles had 2,018 followers and promoted the game as the “brand new, absolutely best trading card game” currently in open beta testing. Another game, Brawl Earth, had an X profile established in 2014 and 1,391 followers. A tweet on May 24 announced the availability of 2,000 spots for testers.
Unfortunately, many individuals fell victim to the lure of these games and subsequently had their crypto wallets drained. One victim, who claimed to be a security engineer, reported having their wallet emptied just 10 minutes after downloading the Brawl Earth game. They had believed the project to be legitimate, as it had extensive documentation, a Twitter account with followers, and a Discord community with hundreds of users.
In conclusion, macOS users should exercise caution when downloading and using free blockchain games. The Realst infostealer campaign highlights the importance of verifying the authenticity of such games before installing them to avoid falling victim to data theft or cryptocurrency wallet drainage. Additionally, enterprises should implement strict approval processes for downloading and launching software to minimize the risk of being collateral victims.