El Machete is a targeted attack campaign that was first publicly disclosed and named by Kaspersky. The Cylance SPEAR™ Team, while tracking and monitoring threats, found that El Machete has continued to operate successfully, predominantly in Latin America, since 2014. Over the past month SPEAR identified just over three hundred unique victims, as well as more than 100GB of exfiltrated data staged on a single command and control (C2) server.
The bulk of the victims were based in Ecuador, Venezuela, Peru, Argentina, and Colombia. Other victims were identified in Korea, the United States, the Dominican Republic, Cuba, Bolivia, Guatemala, Nicaragua, Mexico, England, Canada, Germany, Russia, and Ukraine. Targets included a wide array of high-profile entities, including intelligence services, military, utility providers (telecommunications and power), embassies, and government institutions.
Perhaps the most interesting feature of the current dataset is that most of the countries that were heavily targeted share a land border with Brazil; however, SPEAR did not identify any Brazilian victims, contrary to Kaspersky’s initial findings.
El Machete has continued largely unimpeded in its espionage activities for the past several years despite the abundance of publicly available indicators. Many of these indicators should have allowed defenders to reliably identify this threat, yet the majority of antivirus solutions continue to have very low detection rates across current samples.
Scripts compiled into standalone executables are an increasingly difficult area of detection for security companies and will likely continue to be adopted by skilled and unskilled attackers alike: the packaged binary presents a generic wrapper to signature-based tools, while the actual malicious logic lives in the embedded script. Scripting languages also make cross-platform compatibility with operating systems such as OS X and Linux easy to achieve; however, all of the scripts SPEAR found appeared to be heavily reliant upon Windows APIs to perform critical functions.
El Machete will no doubt continue to be successful across most Latin American countries as they struggle to build up both their offensive and defensive cyber capabilities. Many of the targeted countries were listed as customers in the leaks of both FinFisher and Hacking Team, which suggests they have yet to fully mature and develop their own internal cyber capabilities. In any case, whoever is behind El Machete is certainly reaping the rewards of building and deploying their own custom malware.
Cylance predicts and prevents threats like El Machete before they cause harm. If you use our endpoint protection product, CylancePROTECT, you are already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-based solution can proactively protect against unknown and emerging threats.