9to5Mac Security Bite is brought to you exclusively by Mosyle, Apple’s only unified platform.
The Mac-infecting crypto-stealer Realst is back. It has been a year since the malware emerged as a tool for cybercriminals to siphon cryptocurrency from wallets and steal other credentials. It was initially distributed via fake blockchain games, as I reported at the time. Now it appears to be aimed at Web3 developers in a targeted phishing campaign.
A recent report from Cado Security shows cybercriminals posing as recruiters, luring victims with fake job offers via social platforms like Telegram and X. This tactic isn’t all that new. If you recall, around the middle of last year, we saw a flurry of headlines about scammers posing as well-known companies and recruiting people for fake jobs on LinkedIn.
What makes this particular attack different is that instead of asking victims for personal information like a driver’s license, Social Security number, or bank account number to fill out “employment paperwork,” the victims are asked to download a fake video meeting app. Once installed, Realst quickly steals sensitive data like browser cookies, login credentials, and crypto wallets, usually without the victim noticing.
Interestingly, it has also been discovered that even before the malware is downloaded, some of the fake sites contain hidden JavaScript that can drain crypto wallets connected through the victim’s browser.
Cado Security says the attackers are also using AI-generated websites to avoid detection, quickly burning through multiple domains and brand names such as Meeten[.]org and Clusee[.]com so that blocklists lag behind. This fast-paced, iterative strategy, coupled with AI-generated content for fake corporate blogs and social profiles, shows just how sophisticated the operation is.
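Lookalike names such as Meeten[.]org are the tell in this lure: the brand is imitated, but the registrable domain is never one of the real meeting vendors. The script below is an added example written for this column, not code from Cado Security or 9to5Mac. It refangs a defanged indicator, extracts the registrable domain, and classifies it as official, lookalike, or simply unverified. The official-domain allowlist, the brand tokens, and the edit-distance threshold are assumptions chosen for illustration; a production version would use the Public Suffix List rather than the last-two-labels shortcut.

```python
"""Classify a meeting-app download link as official, lookalike, or unverified.

Added example for this article; the allowlist and brand tokens are assumed.
"""
from urllib.parse import urlsplit

# Assumed allowlist of hosts/registrable domains for legitimate meeting tools.
OFFICIAL_MEETING_DOMAINS = {
    "zoom.us",
    "google.com", "meet.google.com",
    "microsoft.com", "teams.microsoft.com",
    "webex.com",
}

# Assumed brand tokens that lures typically imitate in the second-level label.
BRAND_TOKENS = ["meet", "zoom", "teams", "webex"]

# Lookalike threshold: labels within this edit distance of a brand token.
MAX_DISTANCE = 2


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'Meeten[.]org' or 'hxxps://x[.]y'
    back into a plain, lowercase URL/hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels. Adequate for .org/.com/.us;
    a real deployment should consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(link: str) -> dict:
    """Return {'host', 'domain', 'verdict', 'reason'} for a link or bare domain."""
    url = refang(link)
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to see the host
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    result = {"host": host, "domain": domain, "verdict": "unverified", "reason": ""}

    if host in OFFICIAL_MEETING_DOMAINS or domain in OFFICIAL_MEETING_DOMAINS:
        result["verdict"] = "official"
        return result

    # Compare the second-level label ("meeten" in meeten.org) to each brand token.
    sld = domain.split(".")[0]
    for token in BRAND_TOKENS:
        distance = levenshtein(sld, token)
        if token in sld or distance <= MAX_DISTANCE:
            result["verdict"] = "lookalike"
            result["reason"] = f"'{sld}' resembles brand token '{token}' (edit distance {distance})"
            return result

    result["reason"] = f"'{domain}' is not an official meeting-app domain"
    return result


if __name__ == "__main__":
    # Constructed sample inputs: the two defanged domains named in the report
    # plus two legitimate links for contrast.
    for sample in ["Meeten[.]org", "Clusee[.]com",
                   "https://zoom.us/j/1234567890", "https://meet.google.com/abc-defg-hij"]:
        r = classify(sample)
        print(f"{sample:45} -> {r['verdict']:10} {r['reason']}")
```

Run it on a link before clicking; anything that comes back "lookalike" or "unverified" from a recruiter on Telegram or X deserves a phone call to the company rather than a download. Note that "unverified" is not a clean bill of health: Clusee[.]com imitates no brand at all, which is exactly why the operators rotate through freshly generated names.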
When the user installs and runs the “meeting tool,” the Realst malware activates and begins searching for and exfiltrating the following:
- Telegram credentials
- Bank card details
- Keychain credentials
- Browser cookies and autofill credentials from Google Chrome, Opera, Brave, Edge, and Arc (Safari was not listed in the report)
- Ledger wallets
- Trezor wallets
Image caption: A malicious website distributing the Realst malware for macOS and Windows.
To stay safe, avoid unverified downloads, enable multi-factor authentication, never store cryptocurrency wallet credentials or seed phrases in a browser, and use trusted video apps like Zoom when hosting meetings. Always exercise caution when approached about business opportunities on Telegram and other social apps. Even if the message comes from a known contact, verify the authenticity of the account through a second channel before clicking any links, since compromised accounts are routinely used to spread these lures.
Cado Security’s full report can be found here.
More on Apple Security
- A newly released app lets you regularly scan your iPhone for Pegasus spyware, which can access almost all the data on the phone, for a one-time fee of just one dollar.
- Moonlock Lab has published its 2024 Threat Landscape Report, detailing how AI tools like ChatGPT are helping write malicious scripts, the move to Malware-as-a-Service (MaaS), and other interesting stats the company is seeing through its internal data.
- Apple’s Passwords app now has a Firefox extension for Mac. Interestingly, the Reddit thread shows that this extension appears to have been created by a third-party developer, but Apple appears to have taken it on under its own name and branding.
- Mosyle exclusively reveals to 9to5Mac details of a new family of Mac malware downloaders. The Mosyle security research team discovered that these new threats are written in unconventional programming languages and use several other stealthy techniques to avoid detection.
Follow Arin: Twitter/X, LinkedIn, Threads