How to remove AppleJeus malware

What kind of malware is AppleJeus?

AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

There is now a new trojanized cryptocurrency trading app called JMT Trader that operates in a similar manner - it installs the AppleJeus backdoor trojan on the victim's computer. JMT Trader can be installed on Windows and MacOS computers.

More about AppleJeus

To promote the JMT Traded application, cyber criminals have created a supposedly 'official' website and Twitter account. People who attempt to download JMT Trader are redirected to GitHub on which the Mac and Windows executables for JMT Trader are stored.

This software is disguised as a legitimate application, which supposedly allows users to trade cryptocurrency on various different platforms. When installed, JMT Trader infects the computer with a backdoor Trojan called AppleJeus, but under the name of CrashReporter.

To launch CrashReporter on each login, JMT Trader creates a scheduled task called JMTCrashReporter. When launched, CrashReporter communicates with a Command & Control server to receive and execute commands.

It can terminate itself, download and execute files from the Command & Control server, and execute shell commands that give cyber criminals control over the infected system. The CrashReporter process runs under an identical name on Windows and MacOS operating systems.

This process is separate from the JMT Trader, and thus runs in the background even if this software is not launched. Additionally, CrashReporter is a daemon, a background process that runs without any visible interface.

Bear in mind that eliminating the JMT Trader application will not remove AppleJeus (CrashReporter) malware, and therefore you should scan the system with a reputable anti-virus/anti-spyware suite (e.g., Combo Cleaner Antivirus for macOS) to eliminate all remnants.

To disguise Celas Trade Pro as a legitimate trading app, cyber criminals created a website and fabricated an entire company. JMT Trader also has a download website and Twitter account, which may seem legitimate. Furthermore, JMT Trader is a clone of legitimate software called QT Bitcoin Trader.

The names (JMT Trader and Celas Trade Pro) appear to be the names of legitimate programs (and companies), and thus people are often tricked into downloading and installing them.

The AppleJeus backdoor Trojan that is installed through these apps could be used to install additional malware (such as ransomware), steal confidential information (passwords, logins of various accounts), take screenshots, and so on.

To avoid data/financial loss, identity theft, problems with privacy, and so on, we recommend that you remove JMT Trader and all files relating to CrashReporter immediately. We have provided locations of the malicious files below.

Threat Summary:

Name	AppleJeus backdoor
Threat Type	Backdoor, Trojan, Mac malware, Mac virus.
Detection Names (JMT Trader installer)	ALYac (Trojan.OSX.Agent.39168L), GData (Generic.Trojan.Agent.UXGSUS), Ikarus (Trojan.Win32.Casdet), Kaspersky (Backdoor.OSX.Agent.s), Full List (VirusTotal)
Detection Names (CrashReporter on Mac)	BitDefender (Trojan.MAC.Agent.DU), DrWeb (Mac.Trojan.Siggen.1), ESET-NOD32 (OSX/NukeSped.B), Kaspersky (HEUR:Backdoor.OSX.Agent.s), Full List (VirusTotal)
Symptoms	Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution methods	Supposedly official Twitter account and website, fake flash player installers, torrent file downloads, software cracking tools.
Damage	Stolen banking information, passwords, identity theft, victim's computer added to a botnet, installation of additional malware.
Additional Information	This malware targets both Windows and MacOS users. JMT Trader extracts a secondary malicious program (CrashReporter.exe) that operates as a backdoor.
Malware Removal (Mac)	To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. ▼ Download Combo Cleaner for Mac To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Examples of similar malware

The Internet is full of Trojans. Some examples are Casbaneiro, Bolik, and Kryptik. Typically, these programs are designed to spread other malware. People with computers infected with programs of this type experience data/financial loss, identity theft, or other problems. Tips about how to avoid being tricked into installing malware are provided below.

How did unwanted applications install on my computer?

Cyber criminals proliferate AppleJeus malware through fake cryptocurrency trading software (JMT Trader), which can be downloaded from a supposedly 'official' website or Twitter. These pages lead to Github, on which Windows and MacOS executables are stored.

When downloaded and opened, these executables install JMT Trader and a secondary malicious program (backdoor) called CrashReporter, however, this is not the only way malware is spread. Cyber criminals often use spam campaigns (emails), other untrustworthy software download channels, unofficial software activation tools, and fake updaters.

Cyber criminals proliferate rogue software through spam campaigns by sending emails that contain malicious attachments. The main goal is to trick recipients into opening the attached file. If opened, this infects the system with malware.

Typically, cyber criminals attach Microsoft Office documents, executable files (.exe, and others), archive fies (RAR, ZIP, and so on), and JavaScript files. Another way to proliferate malware is to use untrustworthy download sources.

For example, Peer-to-Peer networks (torrent clients, eMule), freeware download and free file hosting websites, third party downloaders, supposedly official pages (such as the one used to distribute JMT Trader), and so on.

People who download files or programs through tools/channels of this type risk downloading malicious files (typically, they are disguised as harmless, legitimate). When opened, these files install malware. To proliferate malware, cyber criminals often use software 'cracking' tools, which install malicious programs rather than activating paid/licensed software.

Fake software updaters usually infect systems by exploiting bugs/flaws of outdated software, or by installing malicious software rather than updates.

How to avoid installation of unwanted applications

Avoid opening attachments or links that are presented in emails sent from unknown, suspicious email addresses. If a received email seems irrelevant, do not open the included attachment or click the presented link. Download software using direct links and from trustworthy, official websites only.

Avoid using third party downloaders, installers, unofficial web pages, or other untrustworthy sources. These are often used to proliferate malicious software (or other unwanted programs). Installed software should be updated and activated using tools or implemented functions that are provided by official software developers, and not third party tools.

Note that it is illegal to bypass software activation using 'cracking' tools. Finally, use a reputable anti-virus or anti-spyware suite and scan the operating system with it regularly. If your computer is already infected with rogue apps, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.

Screenshots of JMT Trader application:

List of CrashReporter files:

• /Applications/JMTTrader.app/Contents/CrashReporter (MacOS)
• /Library/JMTTrader/CrashReporter (MacOS)
• %AppData%\JMTTrader\CrashReporter (Windows OS)

Screenshot of JMT Trader installer asking for permission to install additional software:

CrashReporter process running in Activity Monitor:

Update 7 December 2022 - Cybercriminals have been observed using fake cryptocurrency applications to trick users into infecting computers with the AppleJeus malware. They are using bloxholder[.]com site (a non-existing company's website) that hosts a fake app called BloxHolder. This app is AppleJeus malware bundled with the QTBitcoinTrader application.

Screenshot of the page distributing AppleJeus malware masquerading as BloxHolder application:

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

• What is AppleJeus?
• STEP 1. Remove rogue apps and their files and folders from OSX.
• STEP 2. Remove rogue extensions from Safari.
• STEP 3. Remove rogue add-ons from Google Chrome.
• STEP 4. Remove unwanted plug-ins from Mozilla Firefox.

Video showing how to remove adware and browser hijackers from a Mac computer:

Unwanted applications removal:

Remove unwanted applications from your "Applications" folder:

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove adware-related files and folders

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

Check for adware generated files in the /Library/LaunchAgents/ folder:

In the Go to Folder... bar, type: /Library/LaunchAgents/

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware generated files in the ~/Library/Application Support/ folder:

In the Go to Folder... bar, type: ~/Library/Application Support/

In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Check for adware generated files in the ~/Library/LaunchAgents/ folder:

In the Go to Folder... bar, type: ~/Library/LaunchAgents/

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware generated files in the /Library/LaunchDaemons/ folder:

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/

In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.

Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Remove malicious Safari extensions:

Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

• If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Remove malicious extensions from Google Chrome:

Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".

• If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Remove malicious extensions from Mozilla Firefox:

Click the Firefox menu (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".

• If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Frequently Asked Questions (FAQ)

My computer is infected with malware, should I format my storage device to get rid of it?

Most malware can be removed without formatting. It can be removed using antivirus software.

What are the biggest issues that malware can cause?

Cybercriminals can use malware to steal identities, money, and online accounts, make fraudulent purchases, inject other malware, and perform other malicious activities.

What is the purpose of AppleJeus malware?

AppleJeus can execute files downloaded from a C2 server and execute shell commands. It can be used to infect computers with other malware, steal sensitive information, and more.

How did AppleJeus infiltrate my computer?

Threat actors distribute AppleJeus via fake cryptocurrency trading software (JMT Trader). This software is promoted on supposedly 'official' websites and Twitter. When an executable file is downloaded and opened, it installs JMT Trader and a backdoor called CrashReporter.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove almost all known malware. In order to remove high-end malware, it is required to run a full system scan since malware of this kind usually hides deep in the system.

▼ Show Discussion