The SPEAR™ Team has once again jumped back into tracking and monitoring threats following public disclosure, to discover what happens next. What we’ve found is that the current barrier to bypass existing defense solutions is so low that attackers need only make very minor changes to continue to use publicly disclosed malware effectively. El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.
SPEAR was able to identify just over three hundred unique victims over the past month, as well as over 100GB worth of data that was exfiltrated and stored on one of the C2 servers. The bulk of the victims were predominantly based out of Ecuador, Venezuela, Peru, Argentina, and Columbia; however, other victims were identified in Korea, the United States, the Dominican Republic, Cuba, Bolivia, Guatemala, Nicaragua, Mexico, England, Canada, Germany, Russia, and Ukraine. Targets included a wide array of high-profile entities, including intelligence services, military, utility providers (telecommunications and power), embassies, and government institutions.
Perhaps what’s most interesting in the current dataset is that the majority of countries that were most heavily targeted share a land border with Brazil. However, SPEAR did not identify any Brazilian victims, contrary to Kaspersky’s initial findings.
Phishing emails continued to use links to external ZIP or RAR archives, which ultimately contained an executable with the extension SCR. All of the executables SPEAR identified contained either an executable generated by the open source Nullsoft Scriptable Install System (https://sourceforge.net/projects/nsis/) or a self-extracting RAR executable (SFX). NSIS provides a surprisingly easy way for attackers to obfuscate malicious code via multiple common compression routines like ZLib, BZip2, LZMA. The attackers also made extensive use of Hostinger’s cheap web hosting services to deliver initial payloads. SPEAR identified the following URLs were used in phishing attempts:
SPEAR observed the following filenames were used for malicious payloads delivered via social engineering techniques:
Articulo sobre funcionarias de Nicaragua docx.scr
Citacion Judicial expediente 10388-17 Oficio 35467pdf.scr
Informe Derechos Humanos en Nicaragua docx.scr
Jungmann verifica o funcionamento do SISFRON, em Dourados (MS).docx.scr
LISTA DEL RADG N° 0931208.scr
Nicaragua denuncia ante la CIJ las.scr
PARTE ESPECIAL COMANDANCIA GENERAL DE LA AVIACIÓN 20SEP15.scr
The group still preferred to use PY2EXE to encode Python scripts to executables and relied on multiple compiled scripts to perform a number of different functions, including screen capture, video capture, audio capture, file enumeration, keystroke logging, and data exfiltration. As far as SPEAR could tell, all scripts were designed to be executed using Python v2.7. No other versions of the interpreter were identified. The group relied heavily on TLS-encrypted FTP using Python’s native ftplib library to transfer data out of target environments. SPEAR only observed this activity over the usual TCP port 21. The samples would also test connectivity to the C2 via HTTP requests using Python’s urllib library. An example request is shown below.
GET / HTTP/1.0
Figure 1: Sample Connectivity Request
The scripts themselves could be easily extracted and decompiled out of the binaries using uncompyle. The decompiled scripts employed some visual obfuscation techniques by naming variables as combinations of the characters ‘o’, ‘O’, and ‘0’ to hinder analysis. One of the external modules was designed to find, encrypt, and upload files from fixed and removable drives using a predefined list of extensions; perhaps most interesting in this list was the inclusion of several graphical information systems file formats (GIS), as well as PGP/ GPG files and private key rings. In-depth analysis of the scripts showed the group employed AES in CBC mode using a predefined static key to encrypt files before uploading them to the C2 server. Several simple obfuscation measures, including various XOR encoding schemes, were employed by the malware to obscure configuration files, which was somewhat surprising given the use of stronger encryption used in exfiltration of important data.
The attackers appeared to prefer to use free dynamic DNS domains that provided No-IP or Command and Control (C2). SPEAR discovered the following domains and IP addresses were used continuously over the past two years:
The domain ‘jristr.hopto[dot]org’ shared a direct link to past El Machete activity via the IP address ‘126.96.36.199’, which was also previously used by ‘java.serveblog[dot]net’.
SPEAR found that El Machete relied on two primary means to achieve persistence: scheduled tasks and the startup folder. Scheduled tasks commonly used ‘HD_Audio’, ‘Java_Upda’, or ‘Microsoft_up’ as the task name and generally pointed to one of the executables below:
The path ‘%UserProfile%\Start Menu\Programs\Startup\Java Update.lnk’ was used in one sample in 2015. ‘HD Audio.lnk’ was observed as a possible value in one of the decompiled scripts, however, the Startup Folder technique seems to have been largely abandoned in later samples, perhaps as a result of disclosure.
The group preferred to create their own directories to drop files into, including:
For the sake of brevity, SPEAR has excluded all of the possible file names, but they should be readily accessible via the hashes provided below. The principal droppers were commonly SFX archives and were typically named either ‘jsx.scr’ or ‘RAVBg.scr’. Defenders should be wary of any script interpreters such as ‘python27.dll’ located in unusual directories.
El Machete has continued largely unimpeded in their espionage activities for the past several years, despite the abundance of publicly available indicators. Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus (AV) solutions continue to have very low detection rates across current samples. Compiled scripts are an increasingly complicated area of detection for security companies and will likely continue to be adopted by both skilled and unskilled attackers alike. Scripting languages natively provide an easy means of developing cross platform compatibility for other operating systems like OSX and Linux, however, all of the scripts SPEAR found appeared to be heavily reliant upon Windows APIs to perform critical functions.
El Machete will no doubt continue to be successful across most Latin American countries as they struggle to build up both their offensive and defensive cyber capabilities. Many of the targeted countries were listed as customers in the leaks of both Finfisher and Hacking Team, which suggests they likely have yet to fully mature and develop their own internal cyber capabilities. In any case, whoever is behind El Machete is certainly reaping the rewards of building and deploying their own custom malware.
If you use our endpoint protection product, CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI based solution can predict and prevent unknown and emerging threats.
Initial Payload With Decoy: