The El Machete espionage campaign is seeing a resurgence, with just over 300 unique victims identified in Latin America over the past month, as well as more than 100GB worth of data that was exfiltrated and stored on a command and control (C2) server.
The Cylance SPEAR Team said in an analysis that targets are high-value, consisting of intelligence services, military, telecommunications and power providers, embassies and government institutions. The bulk of the victims are predominantly based out of Argentina, Colombia, Ecuador, Peru and Venezuela, with other victims in Bolivia, Cuba, the Dominican Republic, Guatemala, Mexico and Nicaragua. Outside of Latin America, other victims have been identified in Canada, England, Germany, Korea, Russia, the Ukraine and the United States.
“Many of the targeted countries were listed as customers in the leaks of both Finfisher and Hacking Team, which suggests they likely have yet to fully mature and develop their own internal cyber capabilities,” Cylance researchers noted.
El Machete has been around since at least 2014, possibly dating back as early as 2012, according to Kaspersky Lab, which originally identified it. While its original iteration showed some Brazilian targets, none exist in the current dataset (although the most heavily affected countries share a land border with Brazil).
Kaspersky reported that the malware is generally distributed via social engineering techniques, which includes spear-phishing emails and infections via web by fake blog websites; and, in keeping with the geographic distribution, the attackers appear to be Spanish-speaking. Originally, spear-phishing mails distributed weaponized PowerPoint presentations that install the malware once opened.
El Machete is a custom malware, heavily reliant upon Windows APIs to perform critical functions. And it continues to evade traditional antivirus protections.
“El Machete has continued largely unimpeded in their espionage activities for the past several years despite the abundance of publicly available indicators,” Cylance researchers said. “Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus solutions continue to have very low detection rates across current samples.”