Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

‘Machete’ Continues to Spy on Spanish-Speaking Countries

The threat group behind the cyber espionage campaign dubbed “Machete” continues to target entities in Spanish-speaking countries, endpoint security firm Cylance reported on Wednesday.

The threat group behind the cyber espionage campaign dubbed “Machete” continues to target entities in Spanish-speaking countries, endpoint security firm Cylance reported on Wednesday.

Machete was first analyzed by Kaspersky Lab back in 2014. At the time, the company said the operation had been active since 2010, with some improvements made in 2012.

The list of targeted entities included intelligence services, embassies, government institutions and military organizations. A majority of the victims at the time were located in Venezuela, Ecuador and Colombia, but some compromised systems were also identified in Russia (embassies), Peru, Cuba, Brazil, the U.S., Spain, Sweden, and China.

The attackers had used spear-phishing emails and fake blogs to deliver malware capable of logging keystrokes, capturing audio from the microphone, taking screenshots and photos via the webcam, collecting geolocation data, and exfiltrating files to a remote server or a special USB device.

Cylance researchers have also analyzed the campaign and identified over 300 unique victims in the past month. According to the security firm, the attackers managed to steal more than 100 Gb of data from organizations.

A majority of the victims identified by Cylance were located in Ecuador, Venezuela, Peru, Argentina and Colombia, but some targets were also found in Korea, the U.S., the Dominican Republic, Bolivia, Cuba, Guatemala, Nicaragua, Mexico, the U.K., Canada, Germany, Russia and Ukraine.

The types of organizations targeted are mostly the same as reported by Kaspersky, but Cylance also mentioned telecommunications and power companies.

Kaspersky noted in its 2014 report that the attacker appeared to be a native Spanish speaker. Cylance pointed out that it did not see any victims in Brazil, and that the most heavily targeted countries shared a land border with Brazil. This could suggest that the attacks have been launched from Brazil, but it contradicts Kaspersky’s initial finding as Brazilians speak Portuguese.

Advertisement. Scroll to continue reading.

According to Cylance, the threat actor behind Machete managed to keep its operations alive by moving to a new command and control (C&C) infrastructure and making minor changes to its malware to evade signature-based detection.

“El Machete has continued largely unimpeded in their espionage activities for the past several years, despite the abundance of publicly available indicators. Many of these indicators should have allowed defenders to reliably identify this threat, but the majority of antivirus (AV) solutions continue to have very low detection rates across current samples,” said Cylance researchers.

As for Machete victims, experts pointed out that many of the targeted countries are known customers of companies such as FinFisher and Hacking Team, which suggests that they have yet to develop their own cyber capabilities.

Related: “Packrat” Threat Group Targets Latin America

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...