Security News: 'Machete' Continues to Spy on Spanish-Speaking Countries

frogboy

In memoriam 1961-2018
The threat group behind the cyber espionage campaign dubbed “Machete” continues to target entities in Spanish-speaking countries, endpoint security firm Cylance reported on Wednesday.

Machete was first analyzed by Kaspersky Lab back in 2014. At the time, the company said the operation had been active since 2010, with some improvements made in 2012.

The list of targeted entities included intelligence services, embassies, government institutions and military organizations. A majority of the victims at the time were located in Venezuela, Ecuador and Colombia, but some compromised systems were also identified in Russia (embassies), Peru, Cuba, Brazil, the U.S., Spain, Sweden, and China.

The attackers had used spear-phishing emails and fake blogs to deliver malware capable of logging keystrokes, capturing audio from the microphone, taking screenshots and photos via the webcam, collecting geolocation data, and exfiltrating files to a remote server or a special USB device.

Cylance researchers have also analyzed the campaign and identified over 300 unique victims in the past month. According to the security firm, the attackers managed to steal more than 100 Gb of data from organizations.

A majority of the victims identified by Cylance were located in Ecuador, Venezuela, Peru, Argentina and Colombia, but some targets were also found in Korea, the U.S., the Dominican Republic, Bolivia, Cuba, Guatemala, Nicaragua, Mexico, the U.K., Canada, Germany, Russia and Ukraine.

The types of organizations targeted are mostly the same as reported by Kaspersky, but Cylance also mentioned telecommunications and power companies.

Kaspersky noted in its 2014 report that the attacker appeared to be a native Spanish speaker. Cylance pointed out that it did not see any victims in Brazil, and that the most heavily targeted countries shared a land border with Brazil. This could suggest that the attacks have been launched from Brazil, but it contradicts Kaspersky’s initial finding as Brazilians speak Portuguese.

According to Cylance, the threat actor behind Machete managed to keep its operations alive by moving to a new command and control (C&C) infrastructure and making minor changes to its malware to evade signature-based detection.

“El Machete has continued largely unimpeded in their espionage activities for the past several years, despite the abundance of publicly available indicators. Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus (AV) solutions continue to have very low detection rates across current samples,” said Cylance researchers.

Full article: 'Machete' Continues to Spy on Spanish-Speaking Countries | SecurityWeek.Com

Winter Soldier

We are facing criminals who have extensive experience and are able to operate with precision, adopting remote-access techniques to get their hands on the victims' stored data.
Behind every attack there is an attacker, and he is the strong ring of the chain.

larry goes to church

I'm curious what technique they used for exfiltrating data to a USB stick.

Was the plan to have the USB sticks plugged into a home PC and then compromise the home network as well, so they could exfiltrate the data undetected?
