Page 3 - Cyber Byte August 2023

is “chainbreaker,” an open-source macOS keychain database password, keys, and certificates extractor. SentinelOne found that some samples are codesigned using valid (now revoked) Apple Developer IDs, or ad-hoc signatures, to bypass detection from security tools.

The variants
All 16 distinct Realst variants analyzed by SentinelOne are fairly similar in form and function, although they utilize different API call sets. In all cases, the malware targets Firefox, Chrome, Opera, Brave, Vivaldi, and the Telegram app, but none of the analyzed Realst samples target Safari. “Most variants attempt to grab the user’s password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model,” explains SentinelOne in the report. “Collected data is dropped in a folder simply named “data” [which] may appear in one of several locations depending on the version of the malware: in the user’s home folder, in the working directory of the malware, or in a folder named after the parent game.”

Roughly 30% of the samples from families A, B, and D contain strings that target the upcoming macOS 14 Sonoma. The presence of those strings shows that the malware authors are already preparing for Apple’s forthcoming desktop OS release, ensuring that Realst will be compatible and working as expected. macOS users are advised to be cautious with blockchain games, as those distributing Realst use Discord channels and “verified” Twitter accounts to create a false image of legitimacy. Furthermore, as these games specifically target cryptocurrency users, the main goal is likely to steal crypto wallets and the funds within them, leading to costly attacks.

Conclusion
Researchers claim that the info-stealer is still in development. Furthermore, attackers are using tricks to lure gamers with money, which is a red flag against downloading these games. As the malware authors are preparing for successful attacks against Apple’s forthcoming desktop OS release, users are advised to be cautious when downloading blockchain games from Discord and Twitter.

B) Mallox Ransomware:
Mallox ransomware activity is targeting unpatched and/or unsecured Microsoft SQL (MS-SQL) servers to gain initial access to victim networks. After initial access is gained, the adversary uses a legitimate MS-SQL process, SQLSERVR.EXE, to download the malware via cmd.exe and PowerShell, which generates and executes a BAT file (system.bat). The BAT file initiates the bulk of the commands that help facilitate much of the attack chain prior to ransomware execution, such as
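As an added defender-side example (not from the newsletter or from any vendor report), the following Python flags the Mallox initial-access pattern described above: a legitimate sqlservr.exe process spawning cmd.exe or PowerShell, with any .bat file the shell references (system.bat in the reported campaign) raising the severity. The log records, paths and process IDs are constructed; only the field names follow the Sysmon process-creation layout.

```python
import json
import re

# Constructed Sysmon-style (Event ID 1) process-creation records, one JSON
# object per line. Paths and process IDs are invented for this example.
SAMPLE_LOG = r"""
{"ProcessId": 1180, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\MSSQL\\Binn\\sqlservr.exe", "CommandLine": "sqlservr.exe -sMSSQLSERVER"}
{"ProcessId": 4021, "ParentImage": "C:\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\system.bat"}
{"ProcessId": 4022, "ParentImage": "C:\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden"}
{"ProcessId": 5120, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
"""

# Shells the reported chain launches from the SQL Server service process.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Any Windows path ending in .bat on the command line.
BAT_RE = re.compile(r"[\w:\\.-]+\.bat\b", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(log_text):
    """Parse JSON-lines process-creation records into dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_mallox_chain(events):
    """Return one finding per shell spawned by sqlservr.exe.

    A database engine service has no routine reason to launch cmd.exe or
    PowerShell; a .bat path on the child's command line is the stronger
    signal, so it is rated high, a bare shell medium.
    """
    findings = []
    for ev in events:
        if basename(ev["ParentImage"]) != "sqlservr.exe":
            continue
        child = basename(ev["Image"])
        if child not in SHELLS:
            continue
        bats = [b.lower() for b in BAT_RE.findall(ev["CommandLine"])]
        findings.append({"pid": ev["ProcessId"], "child": child,
                         "bat_files": bats,
                         "severity": "high" if bats else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect_mallox_chain(parse_events(SAMPLE_LOG)):
        print(finding)
```

The benign services.exe to sqlservr.exe start and the explorer.exe to cmd.exe launch are deliberately left unflagged so the rule keys on the parent, not on the shell alone.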



COMN. & IT DIRECTORATE, CRPF | Design By: Ajay Tomar