First discovered in 2014, Careto malware is sophisticated, stealthy and difficult to find and remove. According to recent reports, it hasn't vanished either. Attacks apparently ceased in 2014, although perhaps fewer were reported in recent years. Now it is back and has infected at least 1,000 Macs, PCs and Linux computers in 31 countries.
Careto - which is Spanish for mask, giving this malware another name - The Mask is believed to originate from Spanish speaking countries. Many of the original victims of Careto malware are in Spain, Morocco and Gibraltar. Targets have included government agencies, diplomats, embassy workers, gas and oil companies, scientific research organizations, and political activists, leading security experts to assume this is the work of a hostile country.
What is the Careto malware?
It is a highly sophisticated and stealthy virus, with numerous backdoors into the Mac operating system. It is equally capable of exploiting backdoors and weaknesses in iOS, Android and Windows devices.
Careto infects a Mac through targeted phishing emails. When a victim clicks on a link, it takes them to a seemingly legitimate website that contains the virus payload, usually hidden within exploitable software on the website, such as an Adobe Flash Player exploit. Another way it infects computers is through social engineering in emails and coercion, in an attempt to encourage the target to download a JavaUpdate.jar file or to install a Chrome browser plugin.
One reason this malware is able to circumvent email security systems and scans is that it comes with a digital signature. It came with a valid signature from a Bulgarian IT company, TecSystem Ltd. Although the legitimacy of the company is unknown, the signatures were valid between 2011 and 2016 - allowing the emails to circumvent most security systems, including government firewalls - until they were finally revoked by Verisign.
Here is the list of file extensions that Careto (Mask) virus is able to collect:
Once your Mac is infected, the payload includes 39 files that emerge out of two seemingly simple installers. Within these files is a complex backdoor program known as SGH. It took Kaspersky considerable time and effort to reverse engineer the virus and create ways to reduce its effectiveness and remove it from infected computers.
Further analysis by Kaspersky found that Careto is capable of “data and information theft on a large scale.” Careto can steal almost anything - keystrokes, passwords, files, encryption keys, SSH keys and VPN settings - and send the data back to its command-and-control servers. Due to its stealth capabilities it adapts, downloads new malware and provides an unsafe backdoor to an infected Mac until removed.
Careto uses encryption to mask the data it sends back to its servers. The encryption is sufficiently sophisticated that it took Kaspersky weeks of work to uncover and unravel the data packets it absorbs from victims and transmits. Alarmingly, cyber security experts note that the “data-gathering capabilities exceed pretty much everything else we have seen to date.”
If you’ve been targeted, you may not even realise that your data is being stolen. It leaves no tell-tale signs of infection, it doesn't shut your Mac down or make your Mac behave any differently than it normally would. Making this as dangerous as it is stealthy and sophisticated. Now this means that the main challenge is removing the Careto virus.
How to remove the Careto virus?
As we’ve noted, it is stealthy and knows how to hide.
Attempting to find it manually may prove difficult, if not impossible, unless you happen to be a cyber security expert. The payload it leaves on a Mac contains 39 files, which are distributed across an operating system. Hidden and disguised, Careto files aren't easy to uncover since they are labeled differently.
To find where they're hiding, a Mac power user would need to spend some time searching through applications and folders that look out of place, then remove them. Restarting your Mac after doing this should help, but you can’t know for certain that it is gone. Kaspersky found that attempting a manual removal is unfortunately no guarantee of success and you risk deleting something your Mac needs to operate.
Instead of manual removal, you can download CleanMyMac X (a link to get free version of the app).
Note: a free version of this app allows to scan your Mac for Careto virus for free.
The latest rendition of this tool is known to quite effectively remove viruses that are specific to macOS. You shouldn't confuse CleanMyMac with other supposed "Mac cleaners" because this one is actually notarized by Apple as a safe to use tool.
Once you run CleanMyMac's Malware Removal tool you can to reduce your Mac from Careto. It takes minutes instead of hours to find and remove all the pieces of this nasty virus. CleanMyMac X will scan for Careto. Once the scan is complete, it will show you what is lurking inside your Mac. Click Remove, then it will safely remove Careto.
Careto malware was sneaky and clever enough that for five years it was able to get through secure systems and firewalls thanks to emails that came with an apparently legitimate security system. Once infected, a back-door is dropped into your Mac that can steal information and circumvent your control. Removing it can be a challenge, but with the right tools or enough time, it is possible.