First discovered in 2014, Careto malware is sophisticated, stealthy, and difficult to find and remove. According to recent reports, it hasn’t vanished either. Attacks apparently ceased in 2014, although perhaps fewer were reported in recent years. Now it is back and has infected at least 1,000 Macs, PCs, and Linux computers in 31 countries.

Careto is Spanish for a mask, giving this malware another name — The Mask. It is believed to originate from Spanish-speaking countries. Many of the original victims of Careto malware are in Spain, Morocco, and Gibraltar. Targets have included government agencies, diplomats, embassy workers, gas and oil companies, scientific research organizations, and political activists, leading security experts to assume this is the work of a hostile country.


What is the Careto malware?

It is a highly sophisticated and stealthy virus with numerous backdoors into the Mac operating system. It is equally capable of exploiting backdoors and weaknesses in iOS, Android, and Windows devices.

Careto infects a Mac through targeted phishing emails. When a victim clicks on a link, it takes them to a seemingly legitimate website that contains the virus payload, usually hidden within exploitable software on the website, such as an Adobe Flash Player exploit. The emails also use social engineering and coercion to encourage the target to download a JavaUpdate.jar file or install a Chrome browser plugin.

One reason this malware is able to circumvent email security systems and scans is that it comes with a digital signature. It came with a valid signature from a Bulgarian IT company, TecSystem Ltd. Although the company’s legitimacy is unknown, the signatures were valid between 2011 and 2016 — allowing the emails to circumvent most security systems, including government firewalls — until Verisign finally revoked them.

Here is the list of file extensions that the Careto (Mask) virus is able to collect:

Careto can steal almost anything — keystrokes, passwords, files, encryption keys, SSH keys, and VPN settings — and send the data back to its command-and-control servers. It can adapt to stay hidden, download new malware, and keep an unsafe backdoor open on an infected Mac until it is removed.

It then uses sophisticated encryption to mask the data it sends back to its servers. Alarmingly, cybersecurity experts note that the “data-gathering capabilities exceed pretty much everything else we have seen to date.”

If you’ve been targeted, you may not even realize that your data is being stolen. It leaves no tell-tale signs of infection; it doesn’t shut your Mac down or make your Mac behave any differently than it usually would, which makes it as dangerous as it is stealthy and sophisticated. This means that the main challenge is removing the Careto virus.


How to remove the Careto virus?

As we’ve noted, it is stealthy and knows how to hide.

Attempting to find it manually may prove difficult, if not impossible, unless you happen to be a cybersecurity expert. The payload leaves 39 files on a Mac, distributed across the operating system. Hidden and disguised, Careto files aren’t easy to uncover since they are labeled differently.

To find where they’re hiding, a Mac power user would need to spend some time searching through applications and folders that look out of place, then remove them. Restarting your Mac after doing this should help.
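One narrow part of that manual search can be scripted: looking for the JavaUpdate.jar lure named earlier. The script below is an added example, not code from the original article or from any vendor tool. It assumes a file-name match is only a triage hint, and the directory tree it scans in the demo is constructed and harmless.

```python
import hashlib
import os
import tempfile
import zipfile

LURE_NAME = "javaupdate.jar"  # file name from the article, compared case-insensitively
SIG_SUFFIXES = (".rsa", ".dsa", ".ec")  # JAR signature block files under META-INF/

def inspect_jar(path):
    """Return triage facts for one candidate: hash, archive validity, signature blocks."""
    with open(path, "rb") as fh:
        data = fh.read()
    facts = {"path": path, "sha256": hashlib.sha256(data).hexdigest(),
             "valid_zip": False, "signature_blocks": [], "classes": 0}
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
    except zipfile.BadZipFile:
        return facts  # named like a JAR but not an archive; still reported
    facts["valid_zip"] = True
    # A signature block only means the JAR was signed, not that it is benign.
    facts["signature_blocks"] = [n for n in names if n.upper().startswith("META-INF/")
                                 and n.lower().endswith(SIG_SUFFIXES)]
    facts["classes"] = sum(n.endswith(".class") for n in names)
    return facts

def find_lures(root):
    """Walk root and inspect every file whose name matches the lure."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == LURE_NAME:
                hits.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(hits, key=lambda h: h["path"])

def build_demo_tree():
    """Constructed, harmless sample data: a signed-looking JAR, a non-archive, a decoy."""
    root = tempfile.mkdtemp(prefix="careto_demo_")
    for sub in ("Downloads", "tmp"):
        os.makedirs(os.path.join(root, sub))
    with zipfile.ZipFile(os.path.join(root, "Downloads", "JavaUpdate.jar"), "w") as z:
        z.writestr("META-INF/SIGNER.RSA", "constructed placeholder, not a real signature")
        z.writestr("Main.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(root, "tmp", "javaupdate.jar"), "wb") as fh:
        fh.write(b"not a zip")
    with open(os.path.join(root, "Downloads", "notes.txt"), "w") as fh:
        fh.write("decoy")
    return root

if __name__ == "__main__":
    print(*find_lures(build_demo_tree()), sep="\n")
```

A hit from `find_lures` is a lead to investigate, not proof of infection, and an empty result does not rule an infection out.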

Unfortunately, manual removal is no guarantee that all malicious files will be gone, and you risk deleting something your Mac needs to operate. Instead of manual removal, you can download CleanMyMac X.


The latest version of this tool is known to quite effectively remove viruses specific to macOS. You shouldn’t confuse CleanMyMac X with other supposed “Mac cleaners” because this one is notarized by Apple as a safe-to-use tool.

Once you run CleanMyMac’s Malware Removal tool, you can rid your Mac of Careto. It takes minutes instead of hours to find and remove all the pieces of this nasty virus. CleanMyMac X will scan for Careto. Once the scan is complete, it will show you what is lurking inside your Mac. Click Remove, and then it will safely remove Careto.

Careto malware was sneaky and clever enough that it was able to get through security systems and firewalls for five years, thanks to emails that came with an apparently legitimate digital signature. Once a Mac is infected, a backdoor is dropped into it that can steal information and circumvent your control. Removing it can be challenging, but it is possible with the right tools or enough time.