Machete: Her researchers ESET have discovered an ongoing cyber espionage campaign attacking high-profile organizations in Latin America. More than half of the compromised computers belong to the Venezuelan military. However, attacks have also been reported in other institutions, such as the police, educational institutions and foreign affairs agencies.
The majority (75%) of the attacks took place in Venezuela, while 16% in Ecuador, targeting military forces. The invaders behind it Machete they stole every week gigabytes confidential documents. The campaign, which is still very active, is taking place at a time when there are tensions, both regionally and internationally, between the United States and Venezuela.
Her researchers ESET were watching a new version of the malware Machete which first appeared a year ago. In just three months, between March and May 2019, the ESET noticed that more than 50 compromised computers were communicating with servers Command & Control belonging to cyber spies. Intruders regularly change their malware, infrastructure, and campaigns spear Phishing.
"Cybercriminals operating Machete use effective techniques spear Phishing. Having long experience in attacks in Latin American countries, they have managed to gather information improving their tactics over the years. "They know their goals, how they can be integrated into regular communications, and what documents are worth stealing," said ESET Researcher Matias Porolli.
"The intruders export specialized types of files used by S softwaresystem Geographic Information (GIS). They are especially interested in files with navigation paths and locating locations with MGRS coordinate grids ", he adds.
His cybercriminals Machete send very specific emails directly to the victims, modifying them each time. To deceive unsuspecting targets, they use authentic previously stolen documents, such as secret military documents, including "Radiograms"Documents used for communication within the military in Venezuela. With knowledge of military terminology and protocol, intruders use these documents to compose very convincing phishing messages.
The attack starts with an auto-export file containing a document as "bait" and continues with the download and installation backdoor cuts. It backdoor cuts consists of an espionage program that runs indefinitely, copies and encrypts documents, gets screenshots and records keylogs. Every 30 minutes a program responsible for installing other programs runs, while every ten minutes there is communication with the intruders in order to send the stolen data to the server Command & Control. All programs misuse the word "Google»In their file names to hide their malicious intent.
"The activation of his team Machete is stronger than ever and our research has shown that it is able to evolve fairly quickly, sometimes within a few weeks. From different elements we have seen in its code Machete "Assessing its infrastructure, we conclude that it is a Spanish-speaking group", explains Matias Porolli.
Its individual programs Machete according to her research ESET
More details is available on article «Sharpening the Machete» as and on relevant white paperMachete just got sharper: Venezuela's military under attack» on WeLiveSecurity.com.
______________
- Beware of emails asking you to "confirm your deletion"
- Check Point World Threat List June 2019
- Microsoft VBScript disables it by default