What is the Blackhole virus and how to remove it from Mac?

There was a time when Macs were supposedly immune from trojans, malware and other infections. But as the Mac market share grew in comparison to Windows, they became an irresistible target for hackers and cybercriminals.

A remote access trojan (RAT) is a type of malware that takes control of your Mac and steals data. Depending on how sophisticated it is, a RAT can hide from antivirus software and modify various file and application settings.

Blackhole virus explained

Mac users were lucky that when this virus came to light, it was only a beta version. At the time of discovery, anyone who had been infected was shown this message from the creator, which appeared as a popup:

“Hello I'm the BlackHole Remote Administration Tool. I'm a trojan horse, so I have infected your Mac Computer. I know, most people think that Macs can't be infected, but look, you ARE infected! I have full control over your Computer and I can do everything I want, and you can do nothing to prevent it. So, I’m a very new virus, under Development, so there will be much more functions when I'm finished. But for now, it's okay what I can do. To show you what I can do, I will reboot your Computer after you have clicked the Button right down.”

Although odd, clearly the developer was proud enough of what they created that they wanted to brag about it.

Typically, the Blackhole virus enters your Mac by hijacking your Users & Groups settings.

Unlike with other trojan viruses, Blackhole's early admission and the fact that it was caught during the beta phase have made it easier for anti-virus companies to come up with a solution. Blackhole is also known as the MusMinim virus. According to Sophos, an information security company, this backdoor trojan “is a very basic variation of darkComet, a well-known Remote Access Trojan (RAT) for Microsoft Windows. The source code for darkComet is freely available online.”

The biggest risk that users of infected Macs face is that MusMinim, or Blackhole, prompts people to enter their administration/login password. Once the command-and-control server has this password from your Mac, it can collect sensitive data and monitor keystrokes and passwords, which can then be used for malicious purposes later.

Blackhole is also known for forcing Macs to shut down and restart. It can run shell commands and open websites unprompted, and the Mac may unexpectedly go to sleep. Other signs that your Mac is infected include mysterious text files appearing. The creator also warned that there would be more advanced functionality as the trojan develops further.

It is unknown at present how many Macs were infected or which countries this RAT has spread to, although it is believed to have originated in the U.S.

Sophos warns that “Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere you may download an application expecting to need to install it.”

How to remove the Blackhole virus from my Mac?

No one wants to be infected, especially when a virus can take remote control of your Mac, thereby creating a vulnerability that could be exploited by other cybercriminals and viruses, such as ransomware and spyware that can record your screen and audio and even try to extort money from you.

Although this Trojan RAT was spotted early on, that doesn't mean your Mac is not infected. If your Mac has ever experienced any of the symptoms mentioned in this article, Blackhole could be behind them.

One way to remove malware, or any kind of virus, is manually. Unfortunately, it isn’t the easiest of options. Malware, and especially backdoor trojans such as Blackhole, are good at hiding. They don't want to be found, so they won’t label their files ‘Blackhole RAT.’ Another reason it is difficult to remove a virus manually is that viruses, like apps, deposit files all over your Mac. So to find them, you first have to work out what you are looking for, and then go through every possible application folder, such as Library, Cache, Preferences, Applications, and numerous others.

Once you’ve done that, which can take a while, you should be able to haul everything that shouldn’t be on your Mac to the trash and hit delete. Then empty the trash. But be careful that you don't delete an application your Mac needs to operate. That is always one of the risks of removing anything manually.
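To narrow down that manual search, the added example below (not part of the original article) lists files changed in the last few days under the Library and Applications folders so they can be reviewed by hand. The function name `recent_candidates`, its arguments and the `recent`/`hidden`/`executable` tags are assumptions of this sketch; it only lists files and deletes nothing.

```shell
#!/bin/sh
# Added example: list recently changed files for manual review.
# Nothing here is specific to Blackhole; the tags are triage hints only.

# recent_candidates ROOT DAYS
# Prints "TAG<TAB>PATH" for every regular file modified in the last DAYS
# days under ROOT/Library and ROOT/Applications.
#   hidden      file name starts with a dot
#   executable  executable file inside a Preferences or Caches folder,
#               which normally hold settings and cached data, not programs
#   recent      anything else that changed in the window
# Paths containing newlines are not handled (assumption of this sketch).
recent_candidates() {
    root=$1
    days=$2
    for dir in "$root/Library" "$root/Applications"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -mtime "-$days" -print 2>/dev/null
    done | while IFS= read -r path; do
        tag=recent
        case "${path##*/}" in
            .*) tag=hidden ;;
        esac
        case "$path" in
            */Preferences/*|*/Caches/*)
                if [ -x "$path" ]; then tag=executable; fi ;;
        esac
        printf '%s\t%s\n' "$tag" "$path"
    done | sort
}

# Default run: the current user's folders, last 7 days.
# Pass "/" as the first argument to cover the system-wide folders instead.
recent_candidates "${1:-$HOME}" "${2:-7}"
```

Review the `executable` and `hidden` entries first, and check what an unfamiliar file belongs to before moving it to the trash.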

A safer way to remove the Blackhole virus

It is far safer and quicker to download CleanMyMac X; a free edition of the app is available.

This app is notarized by Apple, which means it doesn't contain any malicious components. Rather, it is a suite of many tools that analyze the health of your macOS. The app will scan your Mac for viruses, trojans and malware that many fake "Mac optimizers" can miss. Once its Malware Removal tool finds everything that has infected your Mac, you can click Remove, deleting Blackhole safely from your Mac.

The Blackhole RAT virus is not something your Mac wants or needs. It can take control of your Mac, create an avenue for other cybercriminals and viruses, and it will take as much sensitive data as it can. Watch out for any unexpected download that asks you to enter your administration/login password; the new version of Blackhole won’t alert users to the fact that they’ve been infected.

With the right scanning and removal tool or a manual search through your Mac, you can remove this trojan.
