ESET: Machete cyber espionage campaign is targeting Venezuela, Ecuador, Colombia and Nicaragua, mostly military organizations but not only them
The Machete cyber espionage campaign is targeting Venezuela, Ecuador, Colombia and Nicaragua. It was uncovered by ESET cyber security experts. The group behind these cyber attacks has stolen gigabytes of confidential documents, mostly from military organizations. It is still very active, regularly introducing changes to its malware, infrastructure and spear phishing campaigns. From the end of March up until the end of May 2019, more than 50 victimized computers were actively communicating with the C&C server. This amounts to gigabytes of data being uploaded every week. More than half of the compromised computers belonged to the Venezuelan military forces, whereas the others were related to the education, police, and foreign affairs sectors. The targeting extends to other countries in Latin America, with the Ecuadorean military being another organization heavily targeted with the Machete malware.
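The figures above (dozens of hosts talking to one C&C server, gigabytes uploaded per week) point to two simple egress heuristics a defender can run over outbound connection logs: one host sending an unusual volume to a single external destination within a week, and one external destination receiving uploads from many internal hosts. The following is an added example, not tooling from ESET's report; the `ts src= dst= bytes_out=` log format, the 1 GiB and three-host thresholds, and the sample lines (documentation addresses, not real indicators) are all assumptions constructed for the example.

```python
"""Weekly egress heuristics over outbound connection summaries (added example).

The log format, thresholds and sample lines below are assumptions constructed
for illustration; nothing here comes from ESET's report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format, one line per outbound connection summary:
#   <ISO timestamp> src=<internal ip> dst=<external ip> bytes_out=<bytes sent>
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)
GIB = 1024 ** 3

# Constructed sample: four internal hosts, three of them uploading to the same
# destination in ISO week 14 of 2019, plus one malformed line.
SAMPLE_LOG = [
    "2019-04-01T10:00:00 src=10.0.0.5 dst=203.0.113.10 bytes_out=600000000",
    "2019-04-03T09:15:00 src=10.0.0.5 dst=203.0.113.10 bytes_out=600000000",
    "2019-04-02T11:00:00 src=10.0.0.6 dst=203.0.113.10 bytes_out=50000000",
    "2019-04-04T16:30:00 src=10.0.0.7 dst=203.0.113.10 bytes_out=40000000",
    "2019-04-04T17:00:00 src=10.0.0.8 dst=198.51.100.20 bytes_out=10000000",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Parse one log line into a record keyed by ISO week; None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    year, week, _ = datetime.fromisoformat(m["ts"]).isocalendar()
    return {"week": (year, week), "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def weekly_uploads(lines):
    """Sum bytes_out per (week, src, dst), silently skipping unparsable lines."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["week"], rec["src"], rec["dst"])] += rec["bytes"]
    return totals


def flag_exfil_candidates(lines, per_host_threshold=GIB, fan_in_threshold=3):
    """Apply both heuristics and return a list of findings.

    high_volume_upload: one host sent >= per_host_threshold bytes to one
                        destination within a single week.
    shared_destination: one destination received uploads from >= fan_in_threshold
                        distinct internal hosts within a single week.
    """
    totals = weekly_uploads(lines)
    findings = []
    for (week, src, dst), sent in sorted(totals.items()):
        if sent >= per_host_threshold:
            findings.append({"type": "high_volume_upload", "week": week,
                             "src": src, "dst": dst, "bytes": sent})
    hosts_per_dst = defaultdict(set)
    for (week, src, dst) in totals:
        hosts_per_dst[(week, dst)].add(src)
    for (week, dst), srcs in sorted(hosts_per_dst.items()):
        if len(srcs) >= fan_in_threshold:
            findings.append({"type": "shared_destination", "week": week,
                             "dst": dst, "hosts": sorted(srcs)})
    return findings


if __name__ == "__main__":
    for finding in flag_exfil_candidates(SAMPLE_LOG):
        print(finding)
```

The two heuristics are complementary: the per-host volume check catches the noisiest victim, while the fan-in check is what surfaces a shared C&C when each individual host stays under the volume threshold. Both thresholds should be tuned against a baseline of the organisation's normal outbound traffic before being used for alerting.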
The cyber security experts: the malware operators use spear phishing campaigns with genuine, previously stolen documents as a lure
According to the cyber security experts, Machete’s operators use effective spear phishing techniques. Their long run of attacks, focused on Latin American countries, has allowed them to collect intelligence and refine their tactics over the years. They know their targets, how to blend into regular communications, and which documents are of the most value to steal. Not only does Machete exfiltrate common office suite documents, but also specialized file types used by geographic information systems (GIS) software. The group is interested in files that describe navigation routes and positioning using military grids. The cyber espionage group sends very specific emails directly to its victims, and these change from target to target. These emails contain either a link to, or an attachment of, a compressed self-extracting archive that runs the malware and opens a document that serves as a decoy (a real one previously stolen).
Machete is very active and has introduced several changes to its malware since April 2018. Some elements suggest that this is a Spanish-speaking group, possibly with a presence in one of the targeted countries
The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018. Previous versions were described by Kaspersky in 2014 and Cylance in 2017. The cyber espionage group is operating more strongly than ever, even after researchers have published technical descriptions and indicators of compromise for this malware. ESET has been tracking this threat for months and has observed several changes, sometimes within weeks. At the time of this publication, the latest change introduced six backdoor components, which are no longer py2exe executables. Instead, the Python scripts for the malicious components, the original Python 2.7 executable, and all the libraries they use are packed into a self-extracting file. Some elements suggest that this is a Spanish-speaking group. Furthermore, the presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that the operators have a presence in one of the targeted countries.
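Both the lure described earlier (a self-extracting archive that runs the malware and opens a previously stolen decoy document) and the packaging described here (Python scripts, a Python 2.7 executable and its libraries all bundled into one self-extracting file) leave a recognisable footprint in the archive's member listing. The following is an added example of static triage over such a listing; it is not ESET's tooling. It assumes the member paths come from an archive lister such as `7z l` (the listing step itself is not shown), and the two sample listings are constructed, not file names from the report.

```python
"""Static triage of a self-extracting archive's member listing (added example).

Assumes member paths were obtained from an archive lister such as `7z l`.
The sample listings are constructed for illustration and are not indicators
from ESET's report.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# The ingredients the report describes: an embedded Python 2.7 interpreter,
# Python scripts (the backdoor components), bundled libraries, and a decoy
# document that the self-extractor opens for the victim.
PYTHON_RUNTIME = re.compile(r"^(pythonw?(2\.?7)?\.exe|python27\.dll)$", re.I)
LIBRARY_DIR = re.compile(r"(^|/)(libs?|dlls|site-packages)(/|$)", re.I)
SCRIPT_EXT = {".py", ".pyc", ".pyw"}
DOCUMENT_EXT = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".odt"}
NATIVE_EXT = {".dll", ".pyd"}


def classify_member(member: str) -> str:
    """Map one archive member path (Windows or POSIX separators) to a coarse category."""
    p = PurePosixPath(member.replace("\\", "/"))
    ext = p.suffix.lower()
    if PYTHON_RUNTIME.match(p.name):
        return "python_runtime"
    # Anything under a library directory, or a native extension module, is
    # treated as a bundled library rather than as an operator-written script.
    if LIBRARY_DIR.search(str(p.parent)) or ext in NATIVE_EXT:
        return "library"
    if ext in SCRIPT_EXT:
        return "script"
    if ext in DOCUMENT_EXT:
        return "document"
    return "other"


def triage_archive(members) -> dict:
    """Count member categories and decide whether the archive carries its own
    interpreter plus scripts, which is the packaging the report describes.
    A document alongside them is the element that makes the lure convincing."""
    counts = Counter(classify_member(m) for m in members)
    reasons = []
    if counts["python_runtime"]:
        reasons.append("embedded_python_runtime")
    if counts["script"]:
        reasons.append("python_scripts")
    if counts["document"]:
        reasons.append("decoy_document")
    suspicious = counts["python_runtime"] > 0 and counts["script"] > 0
    return {"counts": dict(counts), "reasons": reasons,
            "verdict": "suspicious" if suspicious else "clean"}


# Constructed listings (hypothetical names, not indicators from the report).
SUSPICIOUS_LISTING = [
    "decoy.docx", "python.exe", "python27.dll", "start.py", "modules.pyc",
    "lib/os.pyc", "dlls/_ssl.pyd",
]
BENIGN_LISTING = ["Informe.docx", "Anexo.pdf"]


if __name__ == "__main__":
    for name, listing in (("suspicious", SUSPICIOUS_LISTING), ("benign", BENIGN_LISTING)):
        print(name, triage_archive(listing))
```

The verdict deliberately keys on the interpreter-plus-scripts combination rather than on the decoy document alone, since a document inside an archive is normal in e-mail traffic while a bundled interpreter is not; the decoy is reported as a reason so an analyst can see the full lure pattern. A rule like this is a triage aid for mail-gateway or sandbox pipelines, not a substitute for detonating the sample.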