
Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware

Intro

Last April, ReDzin asked me about a project named "Pearl Land Metaverse", which he found sketchy. The funny thing is that it's the same fake project I covered previously, PureLand, but with the name changed.

Then in May, several individuals pinged me about other projects: Destruction, Evolion, Olymp of Reptiles, and Brawl Earth. Later on, I found similar fake projects named RyzeX, Dawn Land MetaWorld, and WildWorld. An old fake project that I've been monitoring since last year has also followed the same patterns.

Left to right: https://twitter.com/DestructionNFTs (1552873215667871744) | https://twitter.com/EvolionGame (1626416120017166337) | https://twitter.com/olympreptiles (1513696035914358785) | https://twitter.com/brawlearth (2889955382) | https://twitter.com/Meta_Dawn (1617051516040249345) | https://twitter.com/WildmenWorld (616871862) | https://twitter.com/RyzeX_web3 (1516416630213181441) | https://twitter.com/guardiansmeta (1580771215173914624)

As usual, they distribute RedLine Stealer malware. Though what caught my interest the most was their macOS build. It's new, so there is no public intel about this...yet.

Lures, codes, and workers

The targets are lured into running the malicious applications by the workers, who either message them directly or simply post an advertisement.

Usually, the workers give out "access/referral codes", since the form on the website asks for one before the file(s) can be downloaded.

Screenshots of the forms

There are instances where the download buttons are displayed on the website immediately.

The "access/referral codes" identify which worker lured the target into downloading the malicious file(s). Here are some examples:

Pearl Metaverse Land code input

Once the target enters the code, a POST request is sent to the backend to check it.

Take note of the worker @MonkeyyDrainer, it is a Telegram username and we will see it again later. (Worth mentioning that a malicious actor known as "Monkey Drainer" operated a cryptocurrency wallet drainer as a service in the past. It is unknown whether @MonkeyyDrainer is a big fan or an alt account.)

One can also peek at the page's source to see what's happening: it shows comments in Russian, Dropbox links, and the methods used to notify the malicious actors.

JavaScript (4-25-2023)

Dawn Land MetaWorld code input

As noted earlier, the page for the code input is similar to the one for Pearl Metaverse Land. The JavaScript code is also similar.

JavaScript (5-21-2023)

Evolion code input

Once the code is entered and the download button is clicked, code.json is retrieved, which contains the id, code, worker, and download link.

JavaScript (5-1-2023)
code.json (5-1-2023)

You may have noticed that most worker names are prefixed with 12. Simply change it to @ to turn the name into a Telegram username. We can see @MonkeyyDrainer again on IDs 94 to 96.

Just recently, they updated their JavaScript code and code.json to check the OS of the target, add more workers, and change the download links.

JavaScript (5-27-2023)
code.json (5-27-2023)
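As an added example (not code from the page and not the actors' JavaScript), here is a small parser for a code.json in the shape described above, normalizing the 12-prefixed worker names to Telegram handles and defanging the download links for reporting. The key names (id, code, worker, link) and the sample entries are assumptions constructed for the example, not the real file's contents.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample mimicking the described layout. Key names are assumed and
# the values are placeholders, not real code.json data.
SAMPLE_CODE_JSON = json.dumps([
    {"id": 1,  "code": "A1B2", "worker": "12Ombrre",         "link": "https://www.dropbox.com/s/placeholder1/Launcher.exe?dl=1"},
    {"id": 2,  "code": "C3D4", "worker": "12Ombrre",         "link": "https://www.dropbox.com/s/placeholder1/Launcher.exe?dl=1"},
    {"id": 94, "code": "E5F6", "worker": "12MonkeyyDrainer", "link": "https://www.dropbox.com/s/placeholder2/Installer.pkg?dl=1"},
    {"id": 95, "code": "G7H8", "worker": "@MonkeyyDrainer",  "link": "https://www.dropbox.com/s/placeholder2/Installer.pkg?dl=1"},
])


def to_telegram_handle(worker: str) -> str:
    """'12Name' -> '@Name'; a value that already starts with '@' is kept as-is."""
    if worker.startswith("12"):
        return "@" + worker[2:]
    return worker


def defang(url: str) -> str:
    """Defang a URL for reporting: hxxp(s) scheme and bracketed dots in the host."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def summarize(code_json_text: str):
    """Return ({handle: [ids...]}, [defanged download links]) from a code.json body."""
    ids_by_worker = defaultdict(list)
    links = set()
    for entry in json.loads(code_json_text):
        ids_by_worker[to_telegram_handle(entry["worker"])].append(entry["id"])
        links.add(defang(entry["link"]))
    return {w: sorted(ids) for w, ids in ids_by_worker.items()}, sorted(links)


if __name__ == "__main__":
    workers, links = summarize(SAMPLE_CODE_JSON)
    for handle, ids in workers.items():
        print(handle, ids)
    print("\n".join(links))
```

The worker-to-ID mapping is what lets overlapping workers across projects (as discussed later) be spotted quickly, and the defanged link list is ready to paste into a report.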

Destruction code input

This one is pretty interesting. Although the code is not requested on the website, it is required once their Windows "launcher" is opened.

DestructionSetup.exe (SHA256: 5264cebc91d6dac5dde818de62c23ccc9054eb79ce1370e8c15a5950e1d86d23)

Using horsicq's Detect It Easy, we can determine that the executable file was created using Nullsoft Scriptable Install System (NSIS), and we can extract the data since it is a self-contained executable installer.

We can infer from the extracted data that the Electron framework was used to create the application.

The way the application was packed is the same as the previous finding for PureLand. After extracting the Atom Shell Archive (.asar), we can see that the Telegram bot token & channel ID to notify the malicious actors and the MySQL database to validate the code are exposed. The method to load the RedLine Stealer malware is also present, which will be discussed later.

Source code of api.php
MySQL database - destruction - codes table
codes table (5-4-2023)

We can then query the Telegram details using the Telegram bot token, channel ID, and their worker_id as their user ID.

Telegram bot and channel details (5-28-2023)
Telegram channel members (5-4-2023)
Telegram channel members - some changes (5-28-2023)

Guardians of the Throne code input

A POST request is sent to https://guardians-game[.]com/api.php with the form data of login, password, referral, code, key, and type.

Once valid, a download button appears on the page. A POST request is sent to https://guardians-game[.]com/message.php when the download button is clicked. The file to be downloaded depends on the referral code that was used. The download link is Base64-encoded, as seen in the value of the out field.

File download for Windows. aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vcy83ZW8yZDQ4MGRqam92ZHgvR3VhcmRpYW5zTGF1bmNoZXIuZXhlP2RsPTE -> https://www.dropbox[.]com/s/7eo2d480djjovdx/GuardiansLauncher.exe?dl=1
File download for macOS. aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vcy9pZ3ZjeDRzODl0cm5hcGEvR3VhcmRpYW5zSW5zdGFsbGVyLnBrZz9kbD0x -> https://www.dropbox[.]com/s/igvcx4s89trnapa/GuardiansInstaller.pkg?dl=1

There's also a fallback to download a Windows portable executable file when the download type does not match either of the first two if conditions.

JavaScript (03-28-2023)

This fallback part was then removed later on.

JavaScript

Another interesting part here is that the app.asar for their Windows build, GuardiansLauncher.exe (SHA256: 026518bd9d1721b15a10380778cc81acf59cf7e68152c9bd7b953ff38375c3ce), has the api.php file, like the one found for the Destruction code input. It uses the same Telegram bot, MySQL server (37.220.87[.]1), and credentials.

Olymp of Reptiles code input

This one is unique. It simply checks whether the code is valid and then redirects to the download link. Since ?dl=1 is part of the query, the target doesn't see the Dropbox page; rather, the file is downloaded immediately (or, if the target has enabled "ask where to save each file", they are prompted to do so).

JavaScript (5-8-2023 to 5-27-2023)
Code checking via POST to hxxps[://]olympreptiles[.]com/check[.]php
Retrieving the download location via GET to hxxps[://]olympreptiles[.]com/download[.]php

Overlapping workers

@MonkeyyDrainer was present on both Pearl Land Metaverse and Evolion

@Ombrre was present on both Evolion and Destruction

This can be a good indication that the same group is behind this malware campaign. Further evidence will be provided below.

RedLine Stealer - Windows

Heads up: execution chains 1 to 4 make use of the NSIS installer and the Electron framework.

Execution Chain 1

NSIS installer (.exe) -> Electron application (.exe) -> check if registration/login is successful -> JSON data retrieval -> JSON data into a buffer to a file (.exe) -> RedLine

Continuing the discussion about the Windows launcher for Destruction from earlier: it first checks whether the registration or login succeeded via the api.php mentioned above, which can be seen below.

Registration and login checking

If successful, launchApp() will be called, then:

  • The file name is generated (DestructionGame + a random number from 0 to 10 + .exe)

  • If the file name already exists, the file is executed and the malicious actors are notified (sendRequest() -> POST to https://playdestruction[.]com/api[.]php)

  • Otherwise, the JSON data is retrieved, and the malicious actors are notified along the way.

  • The data is then converted into a buffer and written to a file

  • Finally, the file size is inflated with 750,000,000 bytes of garbage data and the file is executed as a child process. It connects to the C&C server 78.153.130[.]209:29996

Loading the RedLine malware

Here's the output from http://launchersgame[.]eu-4[.]evennode[.]com/getbytes/d. The MZ magic header can be seen in the first two bytes, followed by the rest of the executable's bytes.

5c5a614e7fd08e67dcb2d584f6877c682e9e17d291c7e4ccdb07e7afd6b5f277 DestructionGame7.exe

Worth mentioning: even though it checks the installed version of the .NET Framework, it does not stop the user from proceeding when the target version of at least 4.8 is not met.

A similar method is observed for GuardiansLauncher.exe / GuardiansCatalog.exe (SHA256: 026518bd9d1721b15a10380778cc81acf59cf7e68152c9bd7b953ff38375c3ce). The only difference is that it doesn't have the referral code field.

This one retrieves bytes.json from http://sandersrocketaa.eu-4.evennode[.]com/getbytes/g. The RedLine Stealer build connects to the C&C 212.113.116[.]143:29996.

Execution Chain 2

NSIS installer (.exe) -> Electron application (.exe) -> JSON data retrieval -> JSON data into a buffer to a file (.exe) -> RedLine

This one does not validate anything nor notify the malicious actors. Clicking the "JOIN GAME" button will invoke joinBtn() and then injectLauncher() to retrieve the JSON data from http://pearlapi[.]eu-4[.]evennode[.]com/bytes, convert to a buffer, write to a file, and then execute the RedLine Stealer malware, which connects to the C&C server 78.153.130[.]209:29996 again.

45343a963962faf3185dc03f6ee2035add20adb481c70ef0e9b2511f879c8f6b Pearl Land Launcher.exe

Execution Chain 3

NSIS installer (.exe) -> Electron application (.exe) -> JSON data retrieval -> JSON data into a buffer to a file (.exe) -> powershell -> RedLine

This is an updated version of the "Pearl Land Launcher". The executable file built from the newly retrieved JSON data (https://peallandik[.]eu-4[.]evennode[.]com/bytes) runs a command that downloads a PowerShell script from the Discord CDN and executes it.

287ae5fe115dc9e23629c04cd30ebbf12e719538316f6f86681ba54c0f7213bf Pearl Land Launcher.exe drops ceb6cb4805529d4612832c8dd2a49aedd5a3feb9151311f8ab896bcf46411c82 Pearl4.exe

The command is:

Although the PowerShell script is obfuscated, it can still be deobfuscated to give us an overview of what is happening.

Side-by-side view of the obfuscated PowerShell script and the deobfuscated version. c9e599da275abf8595baac8b05efe5a608d7e45103c2e921fdc41269d552edcd out.ps1 e6ed4cf603af2549ec43a68005970696959898f297256a51754e2740ba4e852f deobfuscated-out.ps1

Here's a basic overview:

  • It imports VirtualAlloc from kernel32.dll and CallWindowProc from user32.dll

  • Allocates memory

  • Copies the shellcode and payload to the allocated memory

  • Waits for 10 seconds

  • Then executes the shellcode and uses the payload with AppLaunch.exe, which connects to the C&C server 212.113.116[.]143:46628

Since the payload is encoded in Base64, we can decode it to turn it into an executable file.

CyberChef and DiE screens. Payload: 07e889ad34a429f3295011d92258f5d43a6e015eeb072695fc81535f82b460c1 payload.exe

Execution Chain 4

NSIS installer (.exe) -> Electron application (.exe) -> CMD -> .exe -> .exe -> RedLine

This one does not retrieve any data externally.

Once the Electron application opens, a command (C:\Windows\system32\cmd.exe /d /s /c "resources\launcherApp\OlympOfReptiles.exe") is executed, opening another file that acts as the GUI. It also sends a POST request to hxxp://cdn[.]olympreptiles[.]com/launcher[.]php to notify the malicious actors that the launcher was opened.

main.js of the Electron application
Process tree leading to the command line

Once "INSTALL" is clicked, a fake progress bar is displayed.

7a03645778fdb4669f2b568982a722d19bf2a386bba16399d9a681242b2dbc4f OlympOfReptiles.exe

It then creates a .data file, which is actually a .zip file. It is likely derived from the executable file, given that zlib1.dll is present and linked.

zlib1.dll reference
0182b6df116ea6b7537bd843fed4828efdb5057b601844e1e95bead492436186 OlympOfReptilesGame.data (.zip)

The extracted file is a portable executable. Its first 4 bytes were overwritten with "data" (64 61 74 61). Replacing them with the magic header 4d 5a 90 and a null byte (00) fixes the file. The "launcher" does this automatically.

It is the pumped build of the RedLine Stealer malware, which connects to the C&C server 78.153.130[.]209:29996 again.

6b9adb9e33519440e79d13f75d2ffa1a27cd9e419f75c069c0dd0d242b6184f4 OlympOfReptilesGame.exe (pumped) 725d1eba223411dcfa236897d059edb6d19f863a827c28ad4c6430285b7a0362 OlympOfReptilesGame.exe (depumped)
Process tree for OlympOfReptiles.exe
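Two recurring details in these chains are worth having a small tool for: the "pumped" builds (chain 1 inflates the dropped file with 750,000,000 bytes of garbage, and several chains carry pumped/depumped hash pairs) and the overwritten MZ header in chain 4. The following is an added example, not code from the page or from the malware: it reads the PE section table to compute the file size the headers imply, reports any trailing overlay, truncates it to recover the depumped build, and restores the MZ magic. The sample PE is a constructed, minimal header-only image, and the padding size is a small stand-in for the real 750,000,000 bytes.

```python
import struct

FILE_ALIGNMENT = 0x200
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def build_sample_pe(section_count: int = 2) -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, COFF header, zeroed
    optional header and section headers, with section raw data at FILE_ALIGNMENT.
    It is not a real program, just enough structure for the parser below."""
    opt_size, e_lfanew = 224, 64
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * section_count
    headers_aligned = (headers_len + FILE_ALIGNMENT - 1) // FILE_ALIGNMENT * FILE_ALIGNMENT
    dos = b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    coff = struct.pack(COFF_FMT, 0x14C, section_count, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)            # PE32 magic, rest zero
    sections, raw_ptr = b"", headers_aligned
    for i in range(section_count):
        name = (b".sect%d" % i).ljust(8, b"\x00")
        sections += struct.pack(SECTION_FMT, name, 0x200, 0x1000 * (i + 1), 0x200, raw_ptr,
                                0, 0, 0, 0, 0x60000020)
        raw_ptr += 0x200
    headers = (dos + b"PE\x00\x00" + coff + opt + sections).ljust(headers_aligned, b"\x00")
    body = bytes(range(256)) * (section_count * 2)  # 0x200 bytes of raw data per section
    return headers + body


def expected_size(pe: bytes) -> int:
    """File size implied by the headers: end of the last section's raw data, or
    the end of the Authenticode certificate table if that lies further out."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: bad DOS magic")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: bad NT signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, pe, coff_off)
    opt_off = coff_off + 20
    end = 0
    for i in range(nsec):
        _, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, pe, opt_off + opt_size + 40 * i)
        end = max(end, raw_ptr + raw_size)
    # Data directory 4 (certificate table) holds a file offset, not an RVA, and
    # legitimately points past the sections on signed binaries.
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)   # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", pe, opt_off + ndirs_off)[0]
    if ndirs > 4:
        cert_off, cert_size = struct.unpack_from("<II", pe, opt_off + dirs_off + 4 * 8)
        if cert_size:
            end = max(end, cert_off + cert_size)
    return end


def overlay_info(pe: bytes):
    """(expected size, overlay size) so an analyst can judge before truncating."""
    exp = expected_size(pe)
    return exp, len(pe) - exp


def depump(pe: bytes) -> bytes:
    """Drop trailing padding; the hash of the result is the 'depumped' build."""
    return pe[:expected_size(pe)]


def repair_dos_magic(blob: bytes) -> bytes:
    """Restore the MZ header that chain 4 overwrites with 'data'."""
    if blob[:4] == b"data":
        return b"MZ\x90\x00" + blob[4:]
    return blob


PUMP_BYTES = 50_000   # constructed stand-in for the real 750,000,000 bytes
SAMPLE_PE = build_sample_pe()
PUMPED_PE = SAMPLE_PE + b"\x00" * PUMP_BYTES
DISGUISED_PE = b"data" + PUMPED_PE[4:]   # chain-4 style header mangling

if __name__ == "__main__":
    exp, overlay = overlay_info(repair_dos_magic(DISGUISED_PE))
    print(f"headers imply {exp} bytes; overlay of {overlay} bytes")
```

Report the overlay size before truncating: a large overlay of repeated bytes is the pumping seen here, but an overlay is not garbage by definition (Evolion.sfx.exe carries a ZIP archive on its overlay, and installers and self-extractors routinely do the same), so depump only when the overlay content confirms it is padding.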

Execution Chain 5

NSIS installer (.exe) -> Electron application (.exe) -> Pastebin -> ZIP archive from Dropbox -> .exe -> RedLine

This execution chain follows the same previously discussed method on the PureLand findings.

6199ba4ad546fa4c33f99a8be12c48aee376b79129743a830c427f2e427a835e RyzeXLauncher.exe

Once the Let's go! button is clicked, it invokes the checkUpdate() function and sends a message with the event name check-update. It then invokes get_update with the obfuscated raw Pastebin (https://pastebin[.]com/raw/kYpkEwn3) as the parameter. The content of the raw Pastebin is https://www.dropbox[.]com/s/k0ejw58dy5u4vsf/Veonikdfkdks.7z?dl=1 (SHA256: 7695a29f94c9ab1075804d5b2682a45abf67f78260a6cdf74fb91eff5e92b847).

It then uses the Dropbox download link in the make_backup function to download the file and save it in the temporary directory with the folder name made up of a random alphanumeric string. The executable file, Veonis.exe (SHA256: f0065ff34a2c065c9b98697fe6cb2368924150face5082a0bf286de7eb623f4c), is extracted from the 7z archive using the filename as the password, which is Veonikdfkdks. It is a pumped build of the RedLine Stealer which connects to the C&C server 78.153.130[.]209:29996 again.

Contents of the extracted ASAR
Content of https://pastebin[.]com/raw/kYpkEwn3
Overview of https://www[.]dropbox[.]com/s/k0ejw58dy5u4vsf/Veonikdfkdks[.]7z
DiE overview for f0065ff34a2c065c9b98697fe6cb2368924150face5082a0bf286de7eb623f4c Veonix.exe

Execution Chain 6

.NET (.exe) -> Pastebin retrieval -> .exe -> .exe -> RedLine

Next, we have a .NET executable file. It acts as a "launcher" to download the so-called "game" file.

e85101062f748f61e87f91bac8abcaa11b5754fb364b8e99cc67b9e7f0283edc Evolion Launcher.exe

Once the "Download" button is pressed, it requests a Pastebin paste (https://pastebin[.]com/raw/eHW6uaDH) and retrieves the file based on it (https://evoliongame[.]com/Evolion[.]sfx[.]exe). It is obfuscated when viewed using dnSpy. The method to deobfuscate it can be replicated in Python.

dnSpy and other screens
Python code

Evolion.sfx.exe has a ZIP archive on its overlay. Dumping the overlay and extracting its content gives us the final executable file which is the pumped build for the RedLine Stealer malware that connects to the C&C server 78.153.130[.]209:29996 again.

0ad38e279f77fa31979f86788245fcf8536e3341d24b56166f64d60daa98343a Evolion.sfx.exe 54c7aded200fbb2fa0c5cbfd87721d99227532441a2da24b826b23377178384e Evolion.exe (pumped) 359a42f042d2782241a6a1a185841c58fe06c2f091327a374587a3c42e547004 Evolion.exe (depumped)

Execution Chain 7

.NET (.exe) -> ZIP archive retrieval -> .exe -> RedLine

This one is similar to execution chain 6.

93dc05053f3e84a67c89d47f8d49ca02f2287bd5d758486bc26207d64e670106 Evolion Launcher.exe

Clicking the "Download" button retrieves a ZIP archive from http://evolion1.beget[.]tech/lklp21[.]zip with a password of lklp21.

The ZIP archive contains the pumped build of RedLine Stealer, which connects to C&C 78.153.130[.]209:29996 again.

4968134c22d748f412dae4b39c292468ed4d8859abf81926a80dc5aefbac7ee6 Evolion.exe

Execution Chain 8

.NET (.exe) -> disabling defender -> .exe -> loaded with MS Edge WebView2 -> .zip download from Dropbox -> .exe -> RedLine

This .NET executable file which also acts as a "launcher" disables Windows Defender first.

dnSpy view of 8c08cc591257fa8a18ecfce9f8f9da262442b26e90c6cf018d744d0daaa671ca Brawlearth.exe

After that, it drops another executable file embedded inside it, as well as the WebView2Loader.dll needed to use MS Edge WebView2. These are stored in the Documents folder.

Documents folder screen

The user is then presented with a GUI that gives an option to download the "game" files.

a1913ac486f3c145c7aaa51fecf7997e3c654f8236c93db473f3a2e9297a2f04 BrawlEarth.exe

Clicking the download button retrieves a ZIP archive from Dropbox named Game.zip, which can be unlocked with the password J$~U9vu(Wl8%`wq.

Thanks to the memory dump showing this: {"cmd":"downloader","callback":2182914116,"error":2614970778,"url":"https://www[.]dropbox[.]com/s/kesgp2k48srhkiv/Game[.]zip?dl=1","path":"./Game.zip","password":"J$~U9vu(Wl8%`wq","id":"module"}

https://www[.]dropbox[.]com/s/kesgp2k48srhkiv/Game[.]zip

The extracted executable file is a pumped build of a RedLine Stealer malware which connects to the following C&C servers (also used on the discussed execution chains earlier):

  • 78.153.130[.]209:29996 (checked on 5/24/2023 - file shown on the left)

  • 212.113.116[.]143:23052 (checked on 6/7/2023 - same IP but different port from earlier - file shown on the right)

419f08a38169939a3d66dd1eda58ae7748defef460c8679be928bdd22f477ce3 gakljeqwkfqw.exe (pumped - left) 36daf6de128b4d0e20e5aee53e4d8b57fbc6beb5f25caf4e91fe0843cc651b17 gakljeqwkfqw.exe (depumped - left) e71580e869ce137a031d810cfdaee330e4fb240a6431f4a2245d98f7baad6553 gakljeqwkfqw.exe (pumped - right) 638c313209189f54848aa0ae0a1d58039975e0200e21ce28401234e7d2a3913a gakljeqwkfqw.exe (depumped - right)

Execution Chain 9

.exe -> RedLine

This one is a plain pumped build of the RedLine Stealer malware which connects to the C&C server 78.153.130[.]209:29996 again. The RAR archive can be opened using the password EvolionGame.

2c93a590c816763dc82e3180e205377639e66723659363140432b1093aa5d533 Evolion.rar f0bdc66aa99469763f98c4a76f43adeb9b8ae8696e3ea19a22811fc9b15d1e78 Evolion.exe (pumped) 69e78f9bd3cbc8d0d097e377bb9be8667313cb00fba0652a514d2658c3d68a97 Evolion.exe (depumped)

Evolion GitHub repository tidbits

Before proceeding with the Realst stealer, let's take a closer look at the Evolion GitHub repository. Where did this repository come from? Check the code.json (5-1-2023) again at the Evolion code input part.

Commit a739b020a7cf7301a8f0c52b209c57c4c8150b60

Launcher2.exe was added to the repository on Mar 29, 2023, 8:00 PM GMT+1

https[://]github[.]com/EvolionBeta/evolion/commit/a739b020a7cf7301a8f0c52b209c57c4c8150b60

The portable executable file has a ZIP archive on its overlay. Dumping it reveals that the launcher was written in JPHP.

DiE screen for 81d5385bb25fa6c64925f60f9480ed9bf250a9a4e05affdc1cb260a348254bdc Launcher2.exe

The entrypoint based on the application.conf is on app/forms/MainForm.phb. As it contains the CAFEBABE magic header, we can remove the other parts of the data and then decompile it using Fernflower. (Great reference: https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp)

5f4f30de6f5e38ad2525dfefb1ddabdb09259e0297222993cfce9c10419d323c MainForm.phb
application.conf and decompiled MainForm.phb

Let's highlight two interesting things:

  1. The username ERMAK: C:\Users\ERMAK\DevelNextProjects\Launcher2\src_generated\app\forms\MainForm.php

  2. Another GitHub repository and file: https://github[.]com/Joysi888/passwords/raw/main/calc[.]exe

User Joysi888 has only one repository, which is passwords. The repository has two files named Evolion.exe and calc.exe.

https://github[.]com/Joysi888
https://github[.]com/Joysi888/passwords

calc.exe (SHA256: 58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f) was uploaded on Mar 28, 2023, 7:59 PM GMT+1. It's a legitimate Windows calculator. This likely indicates that this is done for testing purposes.

https://github[.]com/Joysi888/passwords/blob/main/calc[.]exe

Evolion.exe (SHA256: b3ed25ddfc1ec2ac796a936aa1b90f1489daf2e8520b93d20d9e27e9f3fedf65) was uploaded on Mar 28, 2023, 4:09 PM GMT+1

https://github[.]com/Joysi888/passwords/blob/main/Evolion[.]exe

It's a .NET executable file that retrieves putty.exe from https://the[.]earth[.]li/~sgtatham/putty/latest/w64/putty[.]exe

dnSpy and DiE screens for b3ed25ddfc1ec2ac796a936aa1b90f1489daf2e8520b93d20d9e27e9f3fedf65 Evolion.exe

putty.exe (SHA256: fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c) is a legitimate file with a valid digital signature.

fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c putty.exe

Overall, it seems the malicious actors were trying to test using this other repository.

Commit 3ff21b58124330e9baa9fb9903e2e441f7ccc9d9

Order9947128.txt was added to the repository on Mar 29, 2023, 8:35 PM GMT+1

https://github[.]com/EvolionBeta/evolion/commit/3ff21b58124330e9baa9fb9903e2e441f7ccc9d9

It seems to be following a format of username:password@IPaddress:portNumber. As to where and how it is used, I have no idea...

Commit 8cce0ef8fea028f1881d6ad1b3b383b94fc28cba

LoaderWPF.rar was added to the repository on Apr 23, 2023, 1:36 PM GMT+1

https://github[.]com/EvolionBeta/evolion/commit/8cce0ef8fea028f1881d6ad1b3b383b94fc28cba

It contains the source code for the fake game launcher as seen on execution chain 6. Previous builds used https://pastebin[.]com/raw/yJekgtkE which can be seen on the image below.

Contents of 34afc952bc01a3320c565824fede51573eac1f055a4cbca2d3c11e20a89bf08a LoaderWPF.rar
Fake game launcher view on Microsoft Visual Studio

Commit 71527377ff76e535f7941002cdbabd9fc419a986

repos.rar was added on Apr 26, 2023, 5:55 AM GMT+1

https://github[.]com/EvolionBeta/evolion/commit/71527377ff76e535f7941002cdbabd9fc419a986

It contains the source code for the fake game launcher and the builder, so they can easily create a new build with an updated environment configuration.

Contents of cadc7a5a322f96b152a2382ee487d639188a7737eec750342e9fb1f9c2ba0ffe repos.rar
Builder view on Microsoft Visual Studio

Realst Stealer - macOS

Why "Realst"?

Now, why did I call it "Realst"? I couldn't find anything that can be attributed to its proper name, such as a post on forums or marketplaces, whether it is about selling it or anything else. As this is written in Rust, I based it on its crate name given these symbols. (crate_name::module::function::hash)

Sorted (A->Z) symbols from 2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2 realst
Sorted (A->Z) symbols from 0a4f053791180ed2b3f95774dd11e0b87a72ad8681e28ea70df790d5fb955525 BrawlEarth

Targeted data

==== Browsers ====

Browser name  | Bundle identifier / path
Google Chrome | Google/Chrome
Brave         | BraveSoftware/Brave-Browser
Opera         | com.operasoftware.Opera
OperaGX       | com.operasoftware.OperaGX
Firefox       | Firefox
Vivaldi       | Vivaldi

==== Cryptocurrency wallets - browser extensions ====

Extension name      | Identifier
Metamask            | nkbihfbeogaeaoehlefnkodbefgpgknn
Binance Wallet      | fhbohimaelbohpjbbldcngcnapndodjp
Trust Wallet        | egjidjbpglichdcondbcbdnbeeppgdph
Martian Wallet      | efbglgofoippbgcjepnhiblaibcnclgk
Pontem Aptos Wallet | phkbamefinggmakgklpkljjmgibohnba
Petra Aptos Wallet  | ejjladinnckdgjemekebdpeokbikhfci
TronLink            | ibnejdfjmmkpcnlpebklmnkoeoihofec
Nami                | lpfcbjknijpeeillifnkikgncikgfhdo
Temple              | ookjlbkiijinhpmnjffcofjonbfbgaoc
Phantom             | bfnaelmomeimhlpmgjnjophhpkkoljpa

==== Others ====

Name     | Path
Telegram | /Library/Application Support/Telegram Desktop/tdata
Keychain | /Library/Keychains/login.keychain-db
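The tables above are, in effect, the list of data stores the stealer reads, which turns directly into a host-based detection: flag any process outside a short allowlist that opens one of them. The following is an added example (not code from the page or from the malware): the paths and extension identifiers come from the tables, while the event format, the reader allowlist and the sample events are constructed for the example and should be tuned to the environment.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

APP_SUPPORT = "/Library/Application Support/"

BROWSER_DIRS = {  # Application Support subdirectory -> browser (from the table)
    "Google/Chrome": "Google Chrome",
    "BraveSoftware/Brave-Browser": "Brave",
    "com.operasoftware.Opera": "Opera",
    "com.operasoftware.OperaGX": "OperaGX",
    "Firefox": "Firefox",
    "Vivaldi": "Vivaldi",
}

WALLET_EXTENSIONS = {  # extension identifier -> wallet (from the table)
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "Metamask",
    "fhbohimaelbohpjbbldcngcnapndodjp": "Binance Wallet",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "efbglgofoippbgcjepnhiblaibcnclgk": "Martian Wallet",
    "phkbamefinggmakgklpkljjmgibohnba": "Pontem Aptos Wallet",
    "ejjladinnckdgjemekebdpeokbikhfci": "Petra Aptos Wallet",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "lpfcbjknijpeeillifnkikgncikgfhdo": "Nami",
    "ookjlbkiijinhpmnjffcofjonbfbgaoc": "Temple",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
}

OTHER_ARTIFACTS = {  # path fragment -> owner (from the table)
    "/Library/Application Support/Telegram Desktop/tdata": "Telegram",
    "/Library/Keychains/login.keychain-db": "Keychain",
}

# Assumed allowlist of processes that legitimately read each owner's data store.
# Example values only; the names are whatever the EDR or fs_usage feed reports.
EXPECTED_READERS = {
    "Google Chrome": {"Google Chrome"},
    "Brave": {"Brave Browser"},
    "Opera": {"Opera"},
    "OperaGX": {"Opera GX"},
    "Firefox": {"firefox"},
    "Vivaldi": {"Vivaldi"},
    "Telegram": {"Telegram"},
    "Keychain": {"securityd", "security", "Keychain Access"},
}


@dataclass
class Finding:
    process: str   # process that opened the file
    artifact: str  # what was read, e.g. "Metamask extension data"
    owner: str     # application whose allowlist was checked
    path: str


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Map a path to (artifact, owner) if it is one of the targeted data stores, else None."""
    for fragment, owner in OTHER_ARTIFACTS.items():
        if fragment in path:
            return owner, owner
    for subdir, browser in BROWSER_DIRS.items():
        if APP_SUPPORT + subdir + "/" in path:
            for ext_id, wallet in WALLET_EXTENSIONS.items():
                if ext_id in path:
                    return f"{wallet} extension data", browser
            return f"{browser} profile", browser
    return None


def detect(events):
    """Flag reads of targeted data stores by processes outside the owner's allowlist."""
    findings = []
    for ev in events:
        hit = classify_path(ev["path"])
        if hit is None:
            continue
        artifact, owner = hit
        if ev["process"] not in EXPECTED_READERS.get(owner, set()):
            findings.append(Finding(ev["process"], artifact, owner, ev["path"]))
    return findings


# Constructed file-open events (process name, path) for a user "alice".
SAMPLE_EVENTS = [
    {"process": "Google Chrome", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"process": "python3", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/000003.log"},
    {"process": "Telegram", "path": "/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas"},
    {"process": "Evolion", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "securityd", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "python3", "path": "/Users/alice/Documents/notes.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.process} read {f.artifact}: {f.path}")
```

Because the later builds ship the Python scripts as frozen executables named after the fake game, allowlisting by process name alone is weak on its own; pairing this rule with the terminal or unsigned binary that spawned the reader, and with the network beacon described in the execution chains, gives a much stronger signal.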

Execution Chain 1

Package (.pkg) -> Mach-O -> Realst

Opening the package file will display the regular installer window. Take note of Evolion 1.6.2, we will see it again later.

e581b456d13a52ac58f91f47916950b6e7442c54d7dfb15b76fff844e00e0382 Evolion.pkg

Before going through those steps, let's extract the package using unar. Based on the script in Distribution.xml, the malicious actors target Mac OS X 10.12 or later.

After going through all those steps, the postinstall script launches the Mach-O executable file, and a terminal window is displayed which asks for your password to install the "game". From here on, what happens is the exfiltration of the stolen data.

Launching Mach-O 03044ce1dea80b43b94497cc7bad22eb3e9c4c7bd4b4d13f74432152fed19411 Evolion

Once the Mach-O executable file is opened, it sends a notification to the C&C via a POST to http://77.91.84[.]110:8000/opened with a multipart/form-data encoding type, sending the buildName, buildVersion, and uid.

Wireshark capture

After the device's password is entered, a "loading" screen is displayed. It then makes use of the game.py and installer.py scripts to aid in exfiltration.

  • The game.py script is based on Firefox Decrypt:

    "Firefox Decrypt is a tool to extract passwords from profiles of Mozilla (Fire/Water)fox™, Thunderbird®, SeaMonkey® and derivates."

game.py's contents

  • The installer.py (SHA256: 8050a585fe1d534cafecaa56bda08ce2ef3bc26ea2b0ddad90c6b0c2be1ef3af) script is a combination of scripts from n0fate's chainbreaker - https://github.com/n0fate/chainbreaker

    "Chainbreaker can be used to extract the following types of information from an OSX keychain in a forensically sound manner"

installer.py contents

It also determines the victim's geolocation using https://api[.]db-ip[.]com/v2/free/self (the same method is used in all execution chains).

Additional fingerprinting is done by collecting the operating system's info and the device's username (the same method is used in all execution chains).

Once the fingerprinting and retrieval of files are done, the data gets compressed into a ZIP archive. A POST request is then sent to http://77.91.84[.]110:8000/analytics with a multipart/form-data encoding type again to send the victim's device info, the ZIP archive, and a screenshot of the victim's device.

Form field names:

  • name

  • logs_id

  • text

  • ch_text

  • photo

  • archive

Wireshark capture

If permission to capture the device's screen is not yet granted to the terminal, a prompt will show up.

The gathered data can be seen in the user's home directory. It is deleted after the POST request to their analytics endpoint completes.

The previous builds stored the gathered data in the same folder as the Mach-O file and the Python scripts. The Python scripts are then deleted along with the data once the exfiltration is done. Some of them use another port as well, such as http://77.91.84[.]110:5000/opened (seen on Pearl Land Launcher, without the other form fields), and the endpoint for exfiltration is not analytics but http://77.91.84[.]110:5000/send_analytics (no logs_id in the form fields).

From 2c0cc8b60e502e9a2a82a1a6acdfa340ff43608dd6fdad32db9ce99b383513e3 Evolion.pkg
Wireshark capture
Wireshark capture
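The beacon (a POST to /opened carrying buildName, buildVersion and uid) and the exfiltration POST (/analytics or /send_analytics with the form fields listed above) stay the same across builds even as the hosts and ports change, which makes them a more durable detection anchor than the IP addresses. The following added example (not code from the page or from the malware) parses a raw HTTP POST, extracts the multipart field names and matches them against those paths and fields. The requests are constructed, the Host header uses a documentation IP, and the choice of name, text and archive as the minimum exfil field set is an assumption made so that the builds without logs_id or photo still match.

```python
import re

# Endpoint paths and form field names as observed in the captures above.
BEACON_PATHS = {"/opened"}
EXFIL_PATHS = {"/analytics", "/send_analytics"}
BEACON_FIELDS = {"buildName", "buildVersion", "uid"}
EXFIL_CORE_FIELDS = {"name", "text", "archive"}   # logs_id, ch_text, photo vary by build


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_field_names(headers, body: bytes):
    """Return the set of form-data part names in a multipart/form-data body."""
    ctype = headers.get("content-type", "")
    match = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.startswith("multipart/form-data") or match is None:
        return set()
    delimiter = b"--" + match.group(1).encode("latin-1")
    names = set()
    for part in body.split(delimiter)[1:]:   # [0] is the preamble before the first delimiter
        if part.startswith(b"--"):           # closing delimiter "--boundary--"
            break
        part_headers = part.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        found = re.search(r'name="([^"]+)"', part_headers)
        if found:
            names.add(found.group(1))
    return names


def classify_request(raw: bytes):
    """Label a request 'realst-beacon', 'realst-exfil', or None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    fields = multipart_field_names(headers, body)
    if path in BEACON_PATHS and BEACON_FIELDS <= fields:
        return "realst-beacon"
    if path in EXFIL_PATHS and EXFIL_CORE_FIELDS <= fields:
        return "realst-exfil"
    return None


def build_request(path: str, fields: dict, boundary: str = "----ConstructedBoundary") -> bytes:
    """Construct a multipart POST for testing (Host is a documentation IP, not a real C&C)."""
    body = b""
    for name, value in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode() + value + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: 198.51.100.10:8000\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


# Constructed sample traffic: a beacon, an exfiltration upload, and an unrelated upload.
BEACON_REQ = build_request("/opened", {"buildName": b"Evolion", "buildVersion": b"1.6.2", "uid": b"constructed-uid"})
EXFIL_REQ = build_request("/send_analytics", {"name": b"alice@host", "text": b"os/user info",
                                              "ch_text": b"browser info", "photo": b"<png>", "archive": b"<zip>"})
BENIGN_REQ = build_request("/upload", {"file": b"hello"})

if __name__ == "__main__":
    for label, req in [("beacon", BEACON_REQ), ("exfil", EXFIL_REQ), ("benign", BENIGN_REQ)]:
        print(label, "->", classify_request(req))
```

The same path-plus-field logic translates directly into an IDS rule on the URI and the Content-Disposition names; keying on the plaintext HTTP to a bare IP on a non-standard port (8000, 5000, 8080 across the builds here) is a useful secondary signal for an egress filter.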

Also worth mentioning is that an early build, Pearl Land Launcher v3.pkg (SHA256: a0b8789ef3249b5fa8eb3590cd6f183e24273b5886560233025fc9d8de52ce0b) with the build name of PearLand [1.5.4] doesn't have a validate_opening function.

Symbols of 149784b07294ec991db4ed913ff726a602d6e071899ddb051a05498a3790bd63 PearLand
Wireshark capture

Speaking of early builds, I also realized that the earliest sample I acquired was from March 28, 2023. It doesn't have the validate_opening function either. Only the external chainbreaker script is present. And for some reason, they forgot to remove the RyzeXLauncher Mach-O from their other fake project (both Mach-O files have the same hash, though they previously derived the build name from the file name, with the version hardcoded).

Symbols of 016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74 GuardiansInstaller
Contents of 4b93ec3fd49c0111e8a11ac8a0a197f5366cda19732932ce4cb84e024c648a38 GuardiansInstaller.pkg
Wireshark capture

Execution Chain 2

Disk Image (.dmg) -> .app -> Mach-O -> .zip archive from Dropbox -> Mach-O -> Realst

Opening the disk image file will mount the virtual disk and display a window indicating that it's an installer package (drag the app to the Applications folder).

A GUI is displayed after running the application, which looks like a "launcher" interface.

fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2 Brawl Earth

Based on its Info.plist, the minimum macOS version to run the application is 10.13.

Info.plist view

It's interesting to see the Realst symbols are here, but with the crate_name changed to brawlearth, and they are unused. Only the downloader is utilized here.

Once the download button is clicked, it retrieves a ZIP archive from Dropbox (https://www[.]dropbox[.]com/s/8m88qcmbz7obygw/MacBrawlEarth[.]zip?dl=1) and saves it into the Downloads directory with the filename MacBrawlEarth.zip.

Downloading MacBrawlEarth ZIP archive

The MacBrawlEarth.zip archive contains the BrawlEarth Mach-O, and the two Python scripts again.

78b2fa0df9fba56ba6a773faa0d280977a1a830fce4f2427935f87de11cb9012 MacBrawlEarth.zip

The two Python scripts here are the same scripts from earlier; the only difference is that the comments were modified.

The initial comments for game.py (SHA256: 0cd929f660a012e390c9098f3dc6d7f41ae32f472f3f266d86789e2b5d1ceee0) were simply removed.

0cd929f660a012e390c9098f3dc6d7f41ae32f472f3f266d86789e2b5d1ceee0 game.py

The initial comments for installer.py (SHA256: 28549faab4a2757dc4eb922a7ad3bfa7981f9a132218ae530856ae6da3bc03e6) were removed as well. However, some of its functionalities that were commented out were re-enabled.

28549faab4a2757dc4eb922a7ad3bfa7981f9a132218ae530856ae6da3bc03e6 installer.py

Just like the previously discussed execution chain, it sends a POST request to http://77.91.84[.]110:8000/opened with the same form data (buildName, buildVersion, uid) once the BrawlEarth Mach-O file is opened.

Wireshark capture

A terminal window is launched as well.

The gathered data is also temporarily stored in the user's home directory, and a POST request is sent to http://77.91.84[.]110:8000/analytics to finish the exfiltration.

Wireshark capture

Execution Chain 3

ZIP archive -> Disk Image (.dmg) -> .app -> Electron application (Mach-O) -> login/register validation -> .app -> Mach-O -> Realst

Like execution chain 2, this is another installer package.

15a1194ef9caa96a696001dd2d79dc90497189f6d38f617efa8f8cfa6be4563d Destruction-x64.dmg.zip f05dc9f39141b886a57b1f07c220030333f50af530c8a5663b9ed6f667111969 Destruction-x64.dmg

A launcher interface is then displayed after running the Destruction application.

a8d40bfa8622e8c52dc03aee305337f3c44fffca1f2fe46959d8e7e04295696b Destruction

The configuration and metadata of the application show that the minimum targeted macOS version is still 10.13, and that the Electron framework is used here, just like in execution chain 1 for Destruction - RedLine.

Info.plist details

It also retained some files (such as api.php) and functions (such as inflateFile). If the registration/login is valid, it invokes the launchApp function and opens the Launcher.app located in the Resources folder. For some reason, they also included another Disk Image (.dmg) file here; we will take a look at it later.

Extracted app.asar
Launcher.app in the Resources folder

Unlike the earlier builds, which ran the Python scripts directly, the scripts are now converted to frozen/bundled executables.

The Firefox Decrypt a.k.a. game frozen/bundled executable is located at Resources/game/ and makes use of the library.zip (SHA256: ff7b879e7fb4f58c954e46125f0c58f2e413a8a729c5e9e3353152cc8e2509f8) at Resources/game/lib/.

The Chainbreaker a.k.a. installer frozen/bundled executable is located at Resources/extensions/ and makes use of the library.zip (SHA256: 64fec4bcd85b3e2129c0e1f3a0201f6effb5667f52067caeba21cade08cd7b94) at Resources/extensions/lib/.

The crate_name was also changed, from realst to Launcher, just like it was for the downloader in execution chain 2.

Symbols for ccbb7510e84df49e1e6bd523ec739ddec71b67e84269d065b0d0ea3942f30471 Launcher

Once Launcher.app is executed, it invokes the validate_opening function to send a POST request to http://167.172.103[.]83:8080/opened (for some reason, they named this build test...)

Wireshark capture

After a while, a prompt asks for the victim's device password. Unlike the previously discussed execution chains, it does not display or use the terminal.

To install please enter your password.

All data is safe

password prompt

The gathered data is then temporarily stored in the Downloads folder under a folder named brawl; they forgot to rename it from their previous build, as seen in execution chain 2 - BrawlEarth.

gathered data at Downloads/brawl

A POST request is then sent to http://167.172.103[.]83:8080/analytics to finish the exfiltration. There's no photo in the form field since the screenshot file is compressed as part of the data.zip.

Wireshark capture

Extra Disk Image from execution chain 3

Interestingly, it is a digitally signed version of execution chain 3.

codesign results
Wireshark capture
Wireshark capture

Execution Chain 4

ZIP archive -> Disk Image (.dmg) -> .app -> Electron application (Mach-O) -> .app -> Mach-O -> Realst

This one is similar to execution chain 3. The only difference is that there is no login/register validation.

8e47262e3a2bdfb7d463d7fc2690644ba3a07701404a73fb7f158b2685702f23 Dawn Land Launcher (macOS).zip
a77010274b411bb2610c0dbb4336cc0f6778a9836f0416f09657c11212e51458 DawnLand-x64.dmg
44fe3ce6ffec6f04e189405d1f644ebc8fcf1982792e589caf5c33acbe7b8631 DawnLand
"JOIN METAVERSE" button will execute "Launcher.app" in Resources

Same library.zip as well.

A POST request is again sent to http://167.172.103[.]83:8080/opened.

Wireshark capture

The same password prompt from execution chain 3 then appears.

Same password prompt

The gathered data is also temporarily stored at Downloads/brawl/.

Permission prompt to access the Downloads folder

And lastly, the POST request to http://167.172.103[.]83:8080/analytics is sent.

Wireshark capture

Execution Chain 5

ZIP archive -> Disk Image (.dmg) -> .app -> Mach-O -> Realst

This one is fascinating since it has a fake downloader.

c729f5715ca5a6039562d9cc52b65cc7ce16ef1ed1451cfc812c7654fa8e3c48 WildWorld.zip
8d506b3527714b7d18d4c9ba292b940aa455876c7bac03b13b00645236f25888 WildWorld.dmg
2c321b1416fb7226bffd1633a2a053ef3921fef9a1de5c49b71ef9c7b0914b00 WildWorld

The downloader function is present here.

Symbols

Firefox Decrypt (Resources/game/game) and Chainbreaker (Resources/extensions/installer) are included as well, and 10.13 is still the minimum version based on Info.plist.
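The bundle layout described for execution chains 3 to 5 (an Electron app.asar, a nested Launcher.app, the frozen Firefox Decrypt and Chainbreaker executables with their library.zip, and LSMinimumSystemVersion 10.13) can be turned into a triage check for a suspicious .app. The script below is an added example, not the author's tooling; the sample bundle it builds is constructed with placeholder bytes in place of the real Mach-O files, so only the two library.zip hashes quoted in the analysis would ever match KNOWN_LIBRARY_ZIP.

```python
import hashlib
import plistlib
from pathlib import Path

# Indicators from the analysis, relative to any Contents/Resources directory, so the
# outer Electron app (chains 3/4), the nested Launcher.app and a bare app (chain 5) all match.
INDICATORS = {
    "electron_app_asar": "app.asar",
    "nested_launcher": "Launcher.app",
    "firefox_decrypt": "game/game",
    "firefox_decrypt_lib": "game/lib/library.zip",
    "chainbreaker": "extensions/installer",
    "chainbreaker_lib": "extensions/lib/library.zip",
}
# SHA256 of the two library.zip files quoted in the analysis.
KNOWN_LIBRARY_ZIP = {
    "ff7b879e7fb4f58c954e46125f0c58f2e413a8a729c5e9e3353152cc8e2509f8",
    "64fec4bcd85b3e2129c0e1f3a0201f6effb5667f52067caeba21cade08cd7b94",
}

def triage_bundle(app: Path) -> dict:
    """Report which indicators exist under the bundle and hash every library.zip found."""
    found = dict.fromkeys(INDICATORS, False)
    lib_hashes = {}
    for res in app.rglob("Resources"):
        if res.parent.name != "Contents":
            continue  # only real bundle Resources dirs, not e.g. game asset folders
        for name, rel in INDICATORS.items():
            p = res / rel
            if p.exists():
                found[name] = True
                if p.is_file() and p.name == "library.zip":
                    lib_hashes[str(p.relative_to(app))] = hashlib.sha256(p.read_bytes()).hexdigest()
    plist = app / "Contents/Info.plist"
    min_os = plistlib.loads(plist.read_bytes()).get("LSMinimumSystemVersion") if plist.is_file() else None
    found["min_os_10_13"] = min_os == "10.13"
    found["known_library_zip"] = any(h in KNOWN_LIBRARY_ZIP for h in lib_hashes.values())
    return {"indicators": found, "library_zip_sha256": lib_hashes, "score": sum(found.values())}

def build_sample_bundle(root: Path) -> Path:
    """Constructed stand-in for the chain 3 layout; binaries are placeholder bytes."""
    app = root / "Destruction.app"
    outer, inner = app / "Contents/Resources", app / "Contents/Resources/Launcher.app/Contents/Resources"
    files = {outer / "app.asar": b"asar", inner / "game/game": b"macho", inner / "game/lib/library.zip": b"zip",
             inner / "extensions/installer": b"macho", inner / "extensions/lib/library.zip": b"zip"}
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    (app / "Contents/Info.plist").write_bytes(plistlib.dumps({"LSMinimumSystemVersion": "10.13"}))
    return app
```

Run triage_bundle against a real bundle extracted from the .dmg; a high score plus a library.zip hash match is a strong signal, while the layout alone is worth a closer look.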

After clicking the download button, a POST request is sent to http://167.172.103[.]83:8080/opened.

Wireshark capture

Since the downloader function is present, as seen earlier, it tries to retrieve https://www.dropbox[.]com/s/8m88qcmbz7obygw/MacBrawlEarth[.]zip?dl=1, the same Dropbox link used by the fake project BrawlEarth. If the download fails, it simply proceeds to use its built-in stealer functionality.

Dropbox link

A prompt then asks for the device password.

To install WildWorld, please enter the password

Once the password is entered, it proceeds to gather data, which is still temporarily stored at Downloads/brawl/.

A POST request is still sent to http://167.172.103[.]83:8080/analytics to exfiltrate the gathered data.

Wireshark capture

The DOWNLOADING button then turns into a PLAY button. However, clicking it just repeats the data gathering and exfiltration, though the password prompt will now say:

Something went wrong. Please reinstall.

Revisiting Execution Chain 1

0xSaiyanElite pinged me about whether I had any idea about a macOS file that he came across. It turns out it is from the DawnLand fake project.

It is the latest version of the malware, building on the developments from execution chains 1 to 5, but the flow is Package (.pkg) -> Mach-O -> Realst, hence "revisiting".

The newest addition checks whether the device it runs on is a VM. It uses the inside_vm crate and its cpuid_cycle_count_avg function (https://docs.rs/inside-vm/latest/inside_vm/).

It also stops when the validate_opening function cannot connect to http://167.172.103[.]83:8080/opened.

2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2 realst
Wireshark capture
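Every Realst build described above, from execution chain 3 through the revisited chain 1, POSTs to /opened on 167.172.103[.]83:8080 when launched and to /analytics when it exfiltrates, and the newest build aborts if /opened is unreachable. The following added detection example (not the author's code) correlates those two requests per source host over constructed proxy log lines; the log format is an assumption, so adapt parse_line to your own proxy or Zeek http.log fields.

```python
import re
from collections import defaultdict

# C2 endpoints from the analysis (defanged in the text as 167.172.103[.]83).
C2_HOST, C2_PORT = "167.172.103.83", 8080
BEACON_URI, EXFIL_URI = "/opened", "/analytics"

# Constructed proxy log lines (not real captures): ts src dst:port method uri
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 142.250.72.14:443 GET /
2023-06-01T10:00:07Z 10.0.0.5 167.172.103.83:8080 POST /opened
2023-06-01T10:00:52Z 10.0.0.5 167.172.103.83:8080 POST /analytics
2023-06-01T10:03:10Z 10.0.0.9 167.172.103.83:8080 POST /opened
2023-06-01T10:05:00Z 10.0.0.9 167.172.103.83:8080 POST /opened
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")

def parse_line(line: str):
    """Split one log line into its fields, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, method, uri = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "method": method, "uri": uri}

def detect_realst_c2(log_text: str) -> dict:
    """Per-source verdict: 'exfiltrated' when /opened is followed by /analytics,
    'beacon_only' when only /opened was seen (launched, but no exfil observed; the
    chain 5 PLAY button or a killed process both look like this), 'exfil_without_beacon'
    for /analytics alone, 'other_c2_post' for any other POST to the C2 host."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["dst"] == C2_HOST and e["port"] == C2_PORT and e["method"] == "POST":
            events[e["src"]].append(e["uri"])
    verdicts = {}
    for src, uris in events.items():
        if BEACON_URI in uris and EXFIL_URI in uris[uris.index(BEACON_URI):]:
            verdicts[src] = "exfiltrated"
        elif EXFIL_URI in uris:
            verdicts[src] = "exfil_without_beacon"
        elif BEACON_URI in uris:
            verdicts[src] = "beacon_only"
        else:
            verdicts[src] = "other_c2_post"
    return verdicts
```

Because the revisited build exits when /opened cannot be reached, an egress block on the C2 host stops that variant before the password prompt, so a 'beacon_only' verdict on a blocked host is the expected outcome rather than a miss.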

IOCs

RedLine Stealer

Realst Stealer

Fake Game 1: Pearl Land Metaverse

Twitter: https://twitter.com/VersePearl (1551260596137381888)
Linktree: https://linktr[.]ee/pearlmetaverse
Gitbook: https://pearl-land.gitbook[.]io/pearl-land-metaverse/
OpenSea collection: https://opensea.io/collection/pearlmetaverse
Discord: https://discord[.]gg/pearlmetaverse
Medium: https://medium.com/@pearl-metaverse
Pearl Land (PLM) ERC20 token: 0x49f7943ae6cb847a3e6301ed8bc5eafff30e90d1
Token deployer: 0xeee08425a84e4c42e6392cbd23eeb40520243fdf
Domain: pearlmetaverse[.]io
The real game is called Rune Teller by CODELIFE Studio on Steam.

Fake Game 2: Destruction

Twitter: https://twitter.com/DestructionWeb3 (1552873215667871744 - also known as MetaDestruction and DestructionNFTs)
Linktree: https://linktr[.]ee/playdestruction
Gitbook: https://destruction.gitbook[.]io/destruction/welcome-to-destruction/intoducing
Hyperspace collection: https://hyperspace[.]xyz/collection/playdestruction
Discord: https://discord[.]gg/playdestruction
Medium: https://medium.com/@DestructionGame
Domain: playdestruction[.]com
h/t to Nourek for the heads up
The real game is called Dissolution by Garage Studios on Steam.

Fake Game 3: Evolion

Twitter: https://twitter.com/EvolionLand (1626416120017166337 - also known as EvolionGame)
Linktree: https://linktr[.]ee/evolion
Gitbook: https://evolion.gitbook[.]io
Discord: https://discord[.]gg/ZQN3SeHUda
Medium: https://medium[.]com/@EVOLION
Domains: evolionland[.]com and evoliongame[.]com
h/t to Plum for the heads up
The real game is called Avania (https://www.avania.io/).

Fake Game 4: Olymp Of Reptiles

Twitter: https://twitter.com/olympreptiles (1513696035914358785)
Linktree: https://linktr[.]ee/olympofreptiles
Gitbook: https://wp.olympreptiles[.]com/olymp-of-reptiles-whitepaper/introduction/olymp-of-reptiles
Discord: https://discord[.]com/invite/olympofreptiles
Domain: olympreptiles[.]com
The real game is called Goldmand (https://goldmand.io/).

Fake Game 5: Brawlearth / SaintLegend

Twitter: https://twitter.com/brawlearth (2889955382) and https://twitter.com/PlaySaintLegend
Linktree: https://brawlearth[.]com/linktree/
Gitbook: https://brawlearth.gitbook[.]io/brawl-earth/ and https://saint-legend.gitbook[.]io/saint-legend/
Medium: https://medium.com/@BrawlEarth and https://medium.com/@SaintLegend
Domain: brawlearth[.]com / saint-legend[.]com
The real game is called Tearing Spaces (https://www.tearingspaces.com/).

Fake Game 6: DawnLand / Dawn Land Metaworld

Twitter: https://twitter.com/DawnLandWorld (1617051516040249345 - also known as Meta_Dawn and DawnMetaWorld)
Linktree: https://linktr[.]ee/dawnmeta
Link3: https://link3[.]to/SOCYNBQI
Gitbook: https://dawn-land-metaworld.gitbook[.]io/dawn-land-metaworld/info/team
OpenSea collection: https://opensea.io/collection/dawn-metaworld-land
Rarible collection: https://rarible.com/dawnmetaworld/items
Discord: https://discord[.]gg/dawnmetaworld
Medium: https://medium[.]com/@dawnlandmetaworld
Coin Dawn Land (CDL) ERC20 token: 0x9B8bAE5410C40f2cF8e9A7EF32dC77ef68bB6A9F
Token deployer: 0xD75e5Ad39E921B9429a9FCdA2289B3B14b856577
Domain: dawnmeta[.]io
The real game is called Saleblazers by Airstrafe Interactive on Steam.

Fake Game 7: WildWorld

Twitter: https://twitter.com/WildmenWorld (616871862)
Linktree: https://linktr[.]ee/Wildmenworld
Gitbook: https://wild-world.gitbook[.]io/wild-world/
OpenSea collection: https://opensea.io/collection/crypto-wildman
MagicEden collection: https://magiceden[.]io/marketplace/9aWKFk2f56Uc5x3DceYFoxcJPP7ZiHyHHPzjgqgFL6hq
Discord: https://discord[.]gg/wildworld
Medium: https://wildmenworld.medium[.]com
Fandom: https://wildmenworld.fandom[.]com
YouTube: https://www.youtube.com/@WildmenWorld
Domain: wild-world[.]io
The real game is called CaveWorld (https://www.caveworld.com/).

Fake Game 8: RyzeX

Twitter: https://twitter.com/RyzeX_web3 (1516416630213181441)
Linktree: https://linktr[.]ee/ryzex_web3
Gitbook: https://ryzex.gitbook[.]io/ryzex[.]io/
Discord: https://discord[.]gg/ryzex-web3
Medium: https://medium[.]com/@ryzex_web3
Telegram: https://t[.]me/RyzeX_web3
OpenSea profile: https://opensea[.]io/ryzex_web3
OpenSea collection: https://opensea[.]io/collection/ryzex-web3-collection
Domain: ryzex[.]io
The real game is called Drunk Robots (https://drunk-robots.com/).

Fake Game 9: Guardians of the Throne

Twitter: https://twitter.com/guardiansmeta (1580771215173914624 - also known as GOTT_P2E and Play_Guardians)
Linktree: https://linktr[.]ee/gott_p2e
Gitbook: https://guardiansp2e.gitbook[.]io/guardians-of-the-throne/
Discord: https://discord[.]gg/pp8ty4xMS4
Domains: guardiansp2e[.]com, guardiansrpg[.]com, guardians-p2e[.]com and guardians-game[.]com
The real game is only published on the Google Play store by ELIGHT GAME.
