‘Machete’ Continues to Spy on Spanish-Speaking Countries

The threat group behind the cyber espionage campaign dubbed “Machete” continues to target entities in Spanish-speaking countries, endpoint security firm Cylance reported on Wednesday.

Machete was first analyzed by Kaspersky Lab back in 2014. At the time, the company said the operation had been active since 2010, with some improvements made in 2012.

The list of targeted entities included intelligence services, embassies, government institutions and military organizations. A majority of the victims at the time were located in Venezuela, Ecuador and Colombia, but some compromised systems were also identified in Russia (embassies), Peru, Cuba, Brazil, the U.S., Spain, Sweden, and China.

The attackers had used spear-phishing emails and fake blogs to deliver malware capable of logging keystrokes, capturing audio from the microphone, taking screenshots and photos via the webcam, collecting geolocation data, and exfiltrating files to a remote server or a special USB device.

Cylance researchers have also analyzed the campaign and identified over 300 unique victims in the past month alone. According to the security firm, the attackers have stolen more than 100 GB of data from targeted organizations.

A majority of the victims identified by Cylance were located in Ecuador, Venezuela, Peru, Argentina and Colombia, but some targets were also found in Korea, the U.S., the Dominican Republic, Bolivia, Cuba, Guatemala, Nicaragua, Mexico, the U.K., Canada, Germany, Russia and Ukraine.

The types of organizations targeted are mostly the same as reported by Kaspersky, but Cylance also mentioned telecommunications and power companies.

Kaspersky noted in its 2014 report that the attacker appeared to be a native Spanish speaker. Cylance pointed out that it saw no victims in Brazil, and that the most heavily targeted countries all share a land border with Brazil. That pattern could point to operators based in Brazil, but it sits uneasily with Kaspersky's assessment, since Brazil's primary language is Portuguese, not Spanish.


According to Cylance, the threat actor behind Machete kept its operations alive by moving to new command and control (C&C) infrastructure and making only minor changes to its malware, which was enough to evade signature-based detection.

“El Machete has continued largely unimpeded in their espionage activities for the past several years, despite the abundance of publicly available indicators. Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus (AV) solutions continue to have very low detection rates across current samples,” said Cylance researchers.
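The two observations above, that the operators rotated C&C infrastructure with minor malware changes and that published indicators should still have allowed reliable detection, come down to what a defender anchors a signature on. The following is an added illustration, not code or indicators from Cylance, Kaspersky or the Machete samples: the "samples", hostnames and strings are constructed for this example. It shows a file-hash IOC failing after a trivial rebuild with a new C2 host, while a content rule anchored on artifacts the operator left unchanged still fires.

```python
"""Added example: hash IOCs versus content rules against a 'minor change' rebuild.

Everything below is constructed for illustration. The byte blobs are not real
executables, and the strings and hostnames are not Machete indicators.
"""
import hashlib
import re

# Constructed "original" sample: a fake PE-like blob carrying a few stable
# strings (an API import name, a hard-coded log filename, an exfil URL, a build tag).
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"GetAsyncKeyState\x00"
    + b"keylog.dat\x00"
    + b"http://c2-old.example.invalid/upload\x00"
    + b"build=1.0\x00"
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash-based IOC feed gives the defender exactly this: the digest of the
# sample that was published, nothing more.
HASH_IOCS = {sha256(ORIGINAL)}


def mutate(sample: bytes, new_c2: bytes, new_build: bytes) -> bytes:
    """Simulate the operator's 'minor changes': new C2 host, new build tag."""
    out = sample.replace(b"http://c2-old.example.invalid/upload", new_c2)
    return out.replace(b"build=1.0", new_build)


# The rebuilt variant after the infrastructure move (constructed).
VARIANT = mutate(ORIGINAL, b"http://c2-new.example.invalid/upload", b"build=1.1")


def hash_match(sample: bytes) -> bool:
    """Exact-hash IOC check: any byte change defeats it."""
    return sha256(sample) in HASH_IOCS


# Content rule anchored on artifacts the operator did NOT change between builds.
# The URL pattern is deliberately host-agnostic so a C2 move does not break it.
CONTENT_RULE = [
    re.compile(rb"GetAsyncKeyState"),              # keylogger API import name
    re.compile(rb"keylog\.dat"),                   # hard-coded log filename
    re.compile(rb"https?://[a-z0-9.-]+/upload"),   # exfil URL shape, any host
]


def content_match(sample: bytes, min_hits: int = 3) -> bool:
    """Fire only when enough independent artifacts are present, to limit false positives."""
    hits = sum(1 for rule in CONTENT_RULE if rule.search(sample))
    return hits >= min_hits


def evaluate() -> dict:
    """Compare both detection approaches on the original and the rebuilt variant."""
    return {
        "original_hash": hash_match(ORIGINAL),
        "variant_hash": hash_match(VARIANT),
        "original_content": content_match(ORIGINAL),
        "variant_content": content_match(VARIANT),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:17s} -> {'DETECTED' if hit else 'missed'}")
```

The point for a defender is the asymmetry: a hash IOC is only ever a record of one file that has already been seen, whereas a rule built from the pieces an operator has no reason to rebuild (imports, filenames, URL structure, protocol quirks) keeps matching across C2 rotations and trivial recompiles.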

As for Machete's victims, the researchers pointed out that many of the targeted countries are known customers of commercial surveillance vendors such as FinFisher and Hacking Team, which suggests those countries have yet to develop their own offensive cyber capabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.