Skip to main content
All CollectionsCrypto BasicsSecurity 101
Web3 malware alert - "AppleJeus"
Web3 malware alert - "AppleJeus"

Understanding the "AppleJeus" malware and its implications for 1inch users

Matt avatar
Written by Matt
Updated over 6 months ago

Many iterations of AppleJeus malware have been released since its inception back in 2018. In this article, we'll dive into several of the most common variants.

Initially, bad actors exploited seemingly legit DeFi trading platforms to spread AppleJeus. However, they've now expanded their arsenal with other infiltration methods like phishing, social networking, and social engineering tactics to bait users into downloading the malware.


TL;DR

AppleJeus malware is part of a sophisticated attack, as reported by the Cybersecurity and Infrastructure Security Agency (CISA). This malware is designed to infiltrate users' systems and steal their digital assets. For users of 1inch, it is critical to understand the mechanics of this malware and take necessary precautions to protect your digital assets when using the platform and protocols.

Basic Mechanics

Attackers using AppleJeus often pose as legitimate companies or developers, enticing users to download seemingly genuine software that contains hidden malicious payloads. Once installed, the malware establishes a backdoor into the victim's system, allowing the attacker to gain unauthorized access, gather sensitive information, and potentially steal digital assets. In every version of this attack, each website domain had a valid Sectigo SSL certificate with a weak security verification level.

How to minimize risk

To safeguard your tokens and avoid falling victim to AppleJeus malware, it is crucial to implement robust operational security (OpSec). Use caution when downloading and installing software, especially from unknown sources or unverified developers. Ensure that your operating system, antivirus, and other software are up to date and regularly scan your devices for potential threats. Enable two-factor authentication (2FA) wherever possible, and use strong, unique passcodes for your accounts, including your 1inch DeFi Wallet.

1inch is committed to maintaining a secure environment for its users by continually updating and enhancing security, along with heavy auditing of its protocols. As a user, it is essential to stay informed about potential cyber threats and follow the security recommendations provided by trusted sources.


Several types of AppleJeus

AppleJeus: Celas Trade Pro

In August 2018, a trojan Web3 trading application called "Celas Trade Pro" was discovered. This malicious program was a modified version of the legitimate Q.T. Bitcoin Trader app, and its infection led to the victim's system being compromised by a Remote Administration Tool (RAT) called "FALLCHILL". The U.S. Government attributed FALLCHILL to a North Korean hacker group. The malware infects systems through phishing emails that recommend the Celas Trade Pro app and directs victims to download it from the associated website.

AppleJeus: JMT Trading

In October 2019, a new version of the AppleJeus malware called "JMT Trading" was uncovered. Similar to the previous Celas Trade Pro, JMT Trading was distributed as a cryptocurrency trading app through a seemingly legitimate company website. The website had a "Download from GitHub" button, which linked to JMT Trading's GitHub page, where Windows and macOS X versions of the app were available. The associated domain had a valid Sectigo SSL certificate with a weak security verification level, not requiring validation of the owner's identity or the business's existence. The current SSL certificate was issued by Let's Encrypt.

AppleJeus: Union Crypto

In December 2019, yet another version called "Union Crypto" was discovered. This malware was also distributed as a Web3 trading application through a seemingly legitimate company website. The website, which is no longer available, offered a macOS X version of UnionCryptoTrader for download. The Windows version was reportedly found in a "Telegram Downloads" folder on an unnamed victim's device, suggesting it may have been downloaded via Telegram.

AppleJeus Version 7: Ants2Whale

In late 2020, a newer version of AppleJeus called "Ants2Whale" was identified. The seemingly legitimate cryptocurrency company and application were hosted on the 'Ants2Whale' website. The site contained spelling and grammar mistakes, indicating the creator might not be a native English speaker. To download Ants2Whale, users had to contact the administrator for their "premium package."

Questions, comments, or concerns about becoming a victim of malware? Feel free to reach out in the live support chat!

Did this answer your question?