Security experts have uncovered a four year-old targeted attack campaign launched by Spanish speakers against various intelligence, military and government organizations in South American countries.
"Machete" started life in 2010 but was updated with “improved infrastructure” in 2012, according to Kaspersky Lab.
The malware is designed to steal files and capture audio from the victim machine as well as log keystrokes, capture screenshots and even take photos from the web cam.
It will also copy files to a remote server or USB device and can also hijjack the clipboard and capture information from the target machine.
It’s typically distributed via a classic spearphishing email – for example in a malicious attachment disguised as a PowerPoint presentation – or a fake blog site.
The PowerPoint files include “Hot brazilian XXX.rar” and “El arte de la guerra.rar” (The Art of War).
“A technical relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. This is very unusual and does not have any advantage for the attackers except ease of coding,” said Kaspersky’s Global Research and Analysis Team in a blog post.
“There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component.”
The language of the attackers is Spanish, judging by the server side code Kaspersky Lab analysed, while the victims were all Spanish speakers too.
Most are located in Venezuela (372), Ecuador (282) and Colombia (85), with a handful in Brazil, Cuba and Peru. There were 45 victims in Russia, although Kaspersky Lab claimed that in this country’s case “the target appears to be an embassy from one of the countries of this list”.
Other victim organizations apparently included intelligence agencies, military, and government agencies.
“The ‘Machete’ discovery shows there are many regional players in the world of targeted attacks. Unfortunately, such attacks became a part of the cyber arsenal of many nations located over the world,” Kaspersky Lab concluded.
“We can be sure there are other parallel targeted attacks running now in Latin America and other regions.