![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/08\/Mac-malware-poses-as-Dinosaur-NFT-battle-game-600x400-1.jpg\")
<\/p>\n<\/p>\n
In early July, malware researcher iamdeadlyz wrote up a detailed report about some new Mac malware dubbed Realst Stealer. Since at least last year, iamdeadlyz has been researching RedLine Stealer, PureLand<\/a>, and related malware that steals cryptocurrency.<\/p>\n Several people had reported to iamdeadlyz about a variety of fake video games. Each one looks legitimate on the surface; they have their own Twitter and YouTube accounts, Discord servers, blogs, and more. It turns out that these supposed games are in fact Trojan horse malware. It appears that the same malware gang developed the latest fake games as well.<\/p>\n Some, but not all, of the games are allegedly built on various blockchains or self-describe as NFT games. Blockchains<\/a> and non-fungible tokens (NFTs)<\/a> are technologies that are typically of interest to people who own cryptocurrency. Thus, the developers of these fake games target individuals who are likely to have crypto wallets.<\/p>\n The primary goal of Realst Stealer seem to be robbing cryptocurrency wallets on infected Macs. Realst targets at least ten different crypto wallet browser extensions.<\/p>\n But even if a victim isn’t interested in blockchains or NFTs, the Trojan malware will attempt to exfiltrate their macOS Keychain. It also targets Telegram<\/a> data, if the user has the messaging app installed on their Mac.<\/p>\n Realst Stealer targets every popular Mac browser<\/a>, with two surprising exceptions: Apple’s Safari and Microsoft Edge. Safari’s omission seems understandable; perhaps the developers are more accustomed to writing Windows malware. But Edge’s omission is a bit of a mystery; after all, it’s bundled with Windows, and it’s Chromium-based, like most of the other browsers Realst targets.<\/p>\n The malware specifically targets Google Chrome, Mozilla Firefox, Brave, Opera, Opera GX (a “gaming browser”), and Vivaldi.<\/p>\n Some of the known Trojan horse games’ names are as follows:<\/p>\n Surprisingly, some of these Trojan horse games still have accounts on Twitter\/X that haven’t been deleted or suspended yet. The “brawlearth” account has removed its profile images, name, bio, and location. However, four other accounts (GuardiansMeta, olympreptiles, RyzeX_web3, and WildmenWorld) remain open, albeit inactive since March, April, or June.<\/p>\n In a later analysis of Realst Stealer, Mac malware analyst Phil Stokes notes<\/a> that several samples contain references in their code to macOS Sonoma<\/a>, Apple’s upcoming Mac operating system.<\/p>\n This seems to suggest that Realst Stealer’s developers may already be testing beta versions of Sonoma to verify day-one compatibility with Apple’s shiny new OS.<\/a><\/p>\n If you believe your Mac may be infected\u2014or to prevent future infections\u2014use trusted antivirus software. VirusBarrier is award-winning<\/a> antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.<\/p>\n Additionally, if you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from data stealers and other PC malware.<\/p>\n VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.<\/a><\/span><\/p>\n For lots of additional technical details about the ShadowVault malware, you can read the original write-up by iamdeadlyz<\/a>, and an additional deep-dive analysis by Phil Stokes<\/a>.<\/p>\n Each week on the Intego Mac Podcast<\/strong><\/a>, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n You can also subscribe to our e-mail newsletter<\/strong><\/a> and keep an eye here on The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Realst Stealer disguises itself as Mac video games, but it actually tries to steal your wallets and passwords. And it seems to be ready for macOS Sonoma.<\/p>\n","protected":false},"author":14,"featured_media":98587,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[86,4722,132],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\nWhat does Realst Stealer malware do?<\/h3>\n
Which games does Realst Stealer masquerade as?<\/h3>\n
\n
Some samples seem to be ready for macOS Sonoma<\/h3>\n
How can one remove or prevent Mac malware like Realst Stealer?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate Mac malware, including Realst Stealer and similar threats.<\/p>\nHow can I learn more?<\/h3>\n
![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Twitter-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Facebook-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/YouTube-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Pinterest-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/LinkedIn-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Instagram-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png\" "\\"Follow")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"