Careto malware: How to remove Careto from Mac?

First discovered in 2014, Careto malware is sophisticated, stealthy, and difficult to find and remove. According to recent reports, it hasn't vanished either. Attacks apparently ceased in 2014, although perhaps fewer were reported in recent years. Now it is back and has infected at least 1,000 Macs, PCs, and Linux computers in 31 countries.

Careto is Spanish for a mask, giving this malware another name - The Mask is believed to originate from Spanish speaking countries. Many of the original victims of Careto malware are in Spain, Morocco, and Gibraltar. Targets have included government agencies, diplomats, embassy workers, gas and oil companies, scientific research organizations, and political activists, leading security experts to assume this is the work of a hostile country.

Careto virus on Mac

What is the Careto malware?

It is a highly sophisticated and stealthy virus, with numerous backdoors into the Mac operating system. It is equally capable of exploiting backdoors and weaknesses in iOS, Android, and Windows devices.

Careto infects a Mac through targeted phishing emails. When a victim clicks on a link, it takes them to a seemingly legitimate website that contains the virus payload, usually hidden within exploitable software on the website, such as an Adobe Flash Player exploit. It infects computers through social engineering in emails and coercion in an attempt to encourage the target to download a JavaUpdate.jar file or install a Chrome browser plugin.

One reason this malware is able to circumvent email security systems and scans is that it comes with a digital signature. It came with a valid signature from a Bulgarian IT company, TecSystem Ltd. Although the company's legitimacy is unknown, the signatures were valid between 2011 and 2016 - allowing the emails to circumvent most security systems, including government firewalls - until Verisign finally revoked them.

Here is the list of file extensions that the Careto (Mask) virus is able to collect:

Once your Mac is infected, the payload includes 39 files that emerge from two seemingly simple installers. Within these files is a complex backdoor program known as SGH. It took Kaspersky considerable time and effort to reverse engineer the virus and create ways to reduce its effectiveness and remove it from infected computers.

Further analysis by Kaspersky found that Careto can “data and information theft on a large scale.” Careto can steal almost anything - keystrokes, passwords, files, encryption keys, SSH keys, and VPN settings - and send the data back to its command-and-control servers. Its stealth capabilities adapt, download new malware, and provide an unsafe backdoor to an infected Mac until removed.

Careto uses encryption to mask the data it sends back to its servers. The encryption is sufficiently sophisticated that it took Kaspersky weeks of work to uncover and unravel the data packets it absorbs from victims and transmits. Alarmingly, cybersecurity experts note that the “data-gathering capabilities exceed pretty much everything else we have seen to date.”

If you’ve been targeted, you may not even realize that your data is being stolen. It leaves no tell-tale signs of infection; it doesn't shut your Mac down or make your Mac behave any differently than it normally would. Making this as dangerous as it is stealthy and sophisticated. Now this means that the main challenge is removing the Careto virus.

How to remove Careto from Mac MacBook

How to remove the Careto virus?

As we’ve noted, it is stealthy and knows how to hide.

Attempting to find it manually may prove difficult, if not impossible, unless you happen to be a cybersecurity expert. The payload leaves on a Mac 39 files, which are distributed across an operating system. Hidden and disguised, Careto files aren't easy to uncover since they are labeled differently.

To find where they're hiding, a Mac power user would need to spend some time searching through applications and folders that look out of place, then remove them. Restarting your Mac after doing this should help, but you can’t know for certain that it is gone. Kaspersky found that attempting a manual removal is, unfortunately, no guarantee of success and you risk deleting something your Mac needs to operate.

Instead of the manual removal, you can download CleanMyMac X (a link to get a free version of the app).

remove carete virus completely

Note: a free version of this app allows you to scan your Mac for free for the Careto virus.

The latest rendition of this tool is known to quite effectively remove viruses that are specific to macOS. You shouldn't confuse CleanMyMac with other supposed "Mac cleaners" because this one is actually notarized by Apple as a safe to use the tool.

Once you run CleanMyMac's Malware Removal tool, you can reduce your Mac from Careto. It takes minutes instead of hours to find and remove all the pieces of this nasty virus. CleanMyMac X will scan for Careto. Once the scan is complete, it will show you what is lurking inside your Mac. Click Remove, then it will safely remove Careto.

Careto malware was sneaky and clever enough that it was able to get through security systems and firewalls for five years thanks to emails that came with an apparently legitimate security system. Once infected, a back-door is dropped into your Mac that can steal information and circumvent your control. Removing it can be a challenge, but it is possible with the right tools or enough time.

Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.