How to remove RShell backdoor-type malware from the operating system
Written by Tomas Meskauskas on
What is RShell?
RShell refers to a backdoor-type malware targeting Mac Operating Systems (macOS). Malicious software within this classification can execute commands and is typically used to collect data and infect systems with additional malware.
RShell is infiltrated into macOS by trojanized the Chinese-language MìMì (MiMi, Mi) Electron messenger app. Research done by SEKOIA strongly suggests that RShell infections are linked to the APT27 (aka Iron Tiger, Luckymouse, Emissary Panda, Bronze Union, and TG-3390) cyber-espionage group, which primarily focuses its activities in Southeast Asia.
RShell malware overview
RShell collects system information (e.g., device name, IP address/ geolocation, etc.) and sends it to the Command and Control (C&C) server. It can also execute commands received from the C&C server, including the download/execution of malicious files.
Generally, backdoor malware can infiltrate various trojans, ransomware, cryptocurrency miners, and other malicious programs into systems. Since RShell is linked to a cyber-espionage group, the malicious injections are likely to focus on spying and data stealing.
RShell is introduced into Mac operating systems by the MìMì messaging application. It is a cross-platform messenger available for macOS, Windows, Android, and iOS.
While SEKOIA researchers discovered that MìMì 2.3.0 (released on the 26th of May, 2022) was the first trojanized version targeting macOS, they were unable to determine whether the app or its developers (Xiamen Baiquan Information Technology Co. Ltd.) were legitimate. In other words, it is unclear whether the app was intended to be used maliciously from the beginning or whether it was repurposed. However, TrendMicro researchers found different versions of MìMì carrying payloads for Linux and Windows OSes.
As mentioned in the introduction, SEKOIA found evidence linking RShell to the APT27 cyber-espionage group but could not determine the exact purpose of this malicious program. Their researchers speculated that due to MìMì's minimal popularity in China - it could be a targeted domestic surveillance tool. Trojanized MìMì versions might be proliferated under the guise of a messenger capable of bypassing China's censorship laws.
APT27 being behind RShell is entirely believable since it would not be the first instance of this group using malicious apps like MìMì. However, if APT27 is behind this malware - it would be the first time they have targeted Mac operating systems.
To summarize, RShell may cause multiple system infections, severe privacy issues, financial losses, and even lead to identity theft. If you suspect that your device is infected with RShell (or other malware), we strongly recommend using an anti-virus to remove it without delay.
| Name | RShell malware |
| Threat Type | Mac malware, Mac virus, Trojan, password-stealing virus, spyware. |
| Detection Names | AhnLab-V3 (Backdoor/OSX.Agent.253664), ALYac (Backdoor.OSX.Agent), Kaspersky (HEUR:Backdoor.OSX.Agent.gen), Lionic (Trojan.OSX.Agent.m!c), Symantec (OSX.Trojan.Gen), Full List (VirusTotal) |
| Symptoms | Trojans-type malware is designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
| Distribution methods | Trojanized MìMì messenger apps, infected email attachments, fake Adobe Flash Player installers, malicious online advertisements, social engineering, software 'cracks'. |
| Damage | Data and financial losses, loss of access to personal accounts, problems with browsing safety, online privacy issues. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Backdoor-type malware examples
We have analyzed countless Mac-specific malicious programs; macOS.Macma, OceanLotus, and Mac.BackDoor.Siggen.20 are just a few examples of backdoor-types targeting macOS.
Since this malware is capable of injecting additional malicious content into systems, the threats posed by the resulting infections are especially broad. However, regardless of how malware operates - its presence on a system endangers device/user safety. Hence, all threats must be eliminated immediately upon detection.
How did RShell infiltrate my computer?
RShell is proliferated via trojanized MìMì messaging applications, which are available on the app's official website. However, how the webpage (and its potential mirror sites) are promoted can vary. It is just as likely that other methods are used to spread RShell/ malicious MìMì apps.
Generally, malware is spread by employing phishing and social engineering tactics. Malicious software is usually disguised as or bundled with ordinary content.
The most commonly used distribution techniques include: drive-by (stealthy/deceptive) downloads, malicious attachments/links in spam emails and messages, online scams, dubious download channels (e.g., unofficial and freeware websites, Peer-to-Peer sharing networks, etc.), illegal program activation tools ("cracks"), and fake updates.
How to avoid installation of malware?
We strongly recommend researching software and downloading only from official and verified channels. Additionally, all programs must be activated and updated using genuine functions/tools, as illegal activation ("cracking") tools and third-party updates can contain malware.
Another recommendation is to be vigilant when browsing since fraudulent and malicious content typically appears legitimate. We advise against opening the attachments and links found in suspect/irrelevant emails and messages, since that may result in a system infection.
We must emphasize the importance of having a dependable anti-virus installed and kept updated. Security software must be used to perform regular system scans and to remove threats and issues. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate all threats.
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is "RShell"?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon 
(at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu 
(at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Frequently Asked Questions (FAQ)
My computer is infected with RShell malware, should I format my storage device to get rid of it?
No, RShell's removal does not necessitate formatting.
What are the biggest issues that RShell malware can cause?
The dangers posed by a malicious program depend on its abilities and the cyber criminals' aims. RShell can inject additional malware into systems; hence, these infections pose particularly varied threats. In general, malware infections can lead to decreased system performance or failure, data loss, severe privacy issues, hardware damage, financial losses, and identity theft.
What is the purpose of RShell malware?
Usually, malicious software is used to generate revenue. However, cyber criminals may also use malware to amuse themselves, carry out personal vendettas, disrupt processes (e.g., websites, services, companies, etc.), and even launch politically/geopolitically motivated attacks. It is noteworthy that RShell has been linked to the APT27 (aka Iron Tiger, Luckymouse, Emissary Panda, Bronze Union, and TG-3390) cyber-espionage group.
How did RShell malware infiltrate my computer?
RShell is spread through trojanized MìMì messenger apps. However, it might be proliferated using other methods as well.
The most commonly used malware distribution techniques include: drive-by downloads, online scams, spam emails and messages, dubious download channels (e.g., freeware and third-party websites, Peer-to-Peer sharing networks, etc.), fake updates, and illegal software activation tools ("cracks").
Furthermore, some malicious programs are capable of self-spreading via remote servers and removable storage devices (e.g., external hard drives, USB flash drives, etc.).
Will Combo Cleaner protect me from malware?
Yes, Combo Cleaner can detect and eliminate nearly all known malware infections. It has to be stressed that sophisticated malicious programs typically hide deep within systems - therefore, running a complete system scan is paramount.
Outstanding!
▼ Show Discussion