MACHETE JUST GOT SHARPER - Venezuelan government institutions under attack

Machete is a cyberespionage toolset developed by a Spanish-speaking group that has been operating since at least 2010. The group is very active: it continued to develop new features for its malware and to change its infrastructure in 2019. Its long run of attacks, focused on Latin American countries, has allowed it to collect intelligence and refine its tactics over the years. ESET researchers have detected an ongoing, highly targeted campaign, with the majority of the targets being military organizations. Key points:

• In 2019, ESET has seen more than 50 computers compromised by Machete in various Latin American countries, with over 75% of them belonging to Venezuelan government institutions.

• The group behind Machete uses effective spearphishing techniques. They know their targets, how to blend into regular communications, and which documents are of the most value to steal. Not only does Machete exfiltrate common office suite documents, but also specialized file types used by geographic information systems (GIS) that describe geographic data for navigation and positioning purposes.

• Machete has evolved from what was seen in earlier attacks. The main backdoor is still Python-based, but it has been enriched with several new features: a more resilient C&C communication mechanism, the use of Mozilla Location Service to geolocate compromised computers, and the ability to exfiltrate data to removable drives when the operators have physical access to targets.
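The geolocation feature deserves a closer look from the defender's side. Mozilla Location Service (MLS) answers a Wi-Fi survey with a latitude and longitude, so an implant can place a victim on a map without any GPS hardware, using only the BSSIDs its host can see. The following is an added example written for this page, not code from the Machete toolset or from ESET: it builds the request body that the public MLS geolocate API accepted at the time (the service has since been retired, so the request is only constructed here, never sent), parses the response shape, and then runs a simple detection over constructed proxy log lines to flag MLS lookups coming from a process that is not a browser. The log format, the process names and the browser allowlist are assumptions for the illustration.

```python
import json
from typing import Iterable, List, Tuple

# Public MLS geolocate endpoint as documented in 2019 (assumed; the service has since been retired).
MLS_GEOLOCATE_URL = "https://location.services.mozilla.com/v1/geolocate"
MLS_HOST = "location.services.mozilla.com"


def build_mls_request(access_points: Iterable[Tuple[str, int]]) -> str:
    """Return the JSON body an MLS client POSTs: nearby Wi-Fi BSSIDs with signal strength.

    Nothing but BSSIDs and RSSI values leaves the host, which is why an implant can
    reuse the same lookup to geolocate a victim without touching GPS hardware.
    """
    aps = [{"macAddress": bssid.lower(), "signalStrength": int(rssi)}
           for bssid, rssi in access_points]
    return json.dumps({"wifiAccessPoints": aps}, separators=(",", ":"))


def parse_mls_response(text: str) -> Tuple[float, float, float]:
    """Extract (lat, lng, accuracy_in_metres) from an MLS geolocate response body."""
    data = json.loads(text)
    loc = data["location"]
    return float(loc["lat"]), float(loc["lng"]), float(data.get("accuracy", 0.0))


# Constructed proxy log (not real telemetry). Fields: time client process host method path status.
SAMPLE_PROXY_LOG = """\
2019-08-05T09:12:01Z 10.0.0.12 firefox.exe location.services.mozilla.com POST /v1/geolocate 200
2019-08-05T09:13:44Z 10.0.0.57 svc_update.exe location.services.mozilla.com POST /v1/geolocate 200
2019-08-05T09:14:02Z 10.0.0.57 svc_update.exe example.org GET / 200
2019-08-05T09:15:10Z 10.0.0.91 chrome.exe location.services.mozilla.com POST /v1/geolocate 200
"""

# Processes that legitimately talk to MLS in this (assumed) environment.
BROWSER_PROCESSES = {"firefox.exe", "chrome.exe", "msedge.exe"}


def find_suspicious_mls_clients(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, process) pairs that query MLS geolocate from a non-browser process."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, proc, host, _method, path, _status = fields
        if host == MLS_HOST and path.startswith("/v1/geolocate") \
                and proc.lower() not in BROWSER_PROCESSES:
            hits.append((client, proc))
    return hits


if __name__ == "__main__":
    # Constructed BSSIDs and RSSI values; a real client would read them from the Wi-Fi adapter.
    body = build_mls_request([("00:11:22:AA:BB:CC", -60), ("66:55:44:33:22:11", -78)])
    print("POST", MLS_GEOLOCATE_URL, body)
    # Constructed response in the shape MLS returned.
    print(parse_mls_response('{"location":{"lat":10.5,"lng":-66.9},"accuracy":120.0}'))
    print(find_suspicious_mls_clients(SAMPLE_PROXY_LOG))
```

The detection is deliberately coarse: a non-browser process querying a geolocation API is rare on a government workstation and cheap to review, and the same rule extends to other Wi-Fi geolocation providers by adding their hostnames.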


• The group is very active: ESET has seen cases where stolen documents dated on a particular day were bundled with malware and used that same day as lures to compromise new victims.

For any inquiries contact: threatintel@eset.com

Photo credits: ESET