macOS is being abused to create malicious software embedded in bogus games, a malware hunter has disclosed. The games are used to lure victims and are blockchain-based.
The fake online gaming project goes by the name “PureLand,” which malware researcher iamdeadlyz said was a new iteration of the previously spotted “Pearl Land Metaverse.”
What iamdeadlyz hadn’t seen before was a version of this particular gaming malware, which steals data off a target machine, running off the macOS system.
“As usual, they distribute RedLine Stealer malware,” the malware hunter said. “Though what caught my interest the most was their macOS build. It's new, so there’s no public intel about this… yet.”
Previously, iamdeadlyz had detected the following bogus gaming platforms used by PureLand as lures: Destruction, Evolion, Olymp of Reptiles, and Brawl Earth.
The researcher added: “Later on, I found similar fake projects named RyzeX, Dawn Land MetaWorld, and WildWorld. An old fake project that I've been monitoring since last year has also followed the same patterns.”
Victims are lured into running malware by cybercriminals or “workers” either by direct messaging them or simply posting an advertisement.
iamdeadlyz said closer inspection of the coding used by the attackers revealed thinly disguised Telegram monikers, including @MonkeyyDrainer.
“It’s a Telegram username,” said iamdeadlyz. “One can also peek at the page's source to see what's happening, this shows the comments in Russian, Dropbox links, and methods to notify the malicious actors.”
iamdeadlyz suspects that @MonkeyyDrainer could be an alternative criminal account to “Monkey Drainer” that was used to drain cryptocurrency wallets — frequently used by legitimate online gamers on the blockchain and often targeted by cyber-thieves. However, the researcher said it could just as easily be a copycat account paying ‘tribute’ to a fellow crook.
The RedLine Stealer malware was first spotted in 2020, according to another researcher LogPoint, which describes it as “a powerful data collection tool, capable of extracting login credentials from a wide range of sources” including web browsers, email apps, and VPNs.
It can collect authentication cookies and card numbers stored in browsers, chat logs, local files, and cryptocurrency wallet databases, as well as target system data such as:
- IP address
- Physical location
- Operating system
- Administrator privileges
- Installed antivirus software
More from Cybernews:
Subscribe to our newsletter