![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/12\/Trojan-horse-Apple-macOS-videoconferencing-app-600x300-1.jpg\")
<\/p>\n<\/p>\n
The Mac malware family Realst Stealer is back in the news. Reports indicate that a recent malware campaign has been tricking victims into installing videoconferencing meeting software. But this software is actually a Trojan horse with password-stealing capabilities.<\/p>\n
Let’s explore what we know about this active Mac malware campaign.<\/p>\n
In this article:<\/em><\/p>\n In a recent campaign, threat actors have been targeting people looking for a job at a “Web3” company; i.e. working with technologies such as blockchains, NFTs, or cryptocurrencies similar to Bitcoin.<\/p>\n Victims may be invited to a call, and are given a link to a site that claims to offer meeting software for Mac or Windows. The site and software may go by any number of names; so far, they have reportedly included Meeten, Meetio, Meetone, Clusee, and Cuesee. As of when this article is being published, the Meetio[.]one and Meeten[.]org sites are currently online<\/strong>, and some browsers are not yet detecting these sites as malicious<\/strong>. A site delivering secondary payloads, deliverynetwork[.]observer, is still online<\/strong> as well.<\/p>\n It’s worth noting that the same fake meeting software could potentially be used in other scam campaigns<\/strong> as well. You may not work in Web3 technology, but a variation of the scam could be used against you regardless of your interests.<\/p>\n These Trojan horse applications are built using the Electron framework<\/a>. Electron is a free, open-source software framework that makes it easy to build cross-platform apps\u2014including malware.<\/a><\/p>\n The malware will attempt to steal sensitive data<\/strong> from the macOS Keychain (i.e. Passwords database)<\/a>, various Chromium-based browsers<\/a> (namely Google Chrome, Microsoft Edge, Arc, Brave, Opera, Vivaldi, and the Vietnamese browser C\u1ed1c C\u1ed1c), the Telegram Messenger app<\/a>, and popular cryptocurrency<\/a> wallets.<\/p>\n Among the data stolen from browsers are cookies<\/strong> (which can often be reused on an attacker’s system to bypass passwords and two-factor authentication) and autofill data<\/strong>, potentially including usernames and passwords.<\/p>\n These Trojans may be variants of Realst Stealer. Realst came to light around mid-2023, when it was observed in sophisticated campaigns targeting gamers interested in NFT and Web3 video games<\/a>. We also reported about Realst’s recruiting efforts<\/a> shortly thereafter.<\/a><\/p>\n\n
How is the malware currently spreading?<\/h3>\n
What does the malware do?<\/h3>\n