‘Machete’ Cyber Espionage Attacks Target Spanish-Speaking Countries

Researchers have identified a cyber-espionage campaign focused on Spanish-speaking countries.

Researchers at Kaspersky Lab have dubbed the attack ‘Machete.’ It is believed the attack campaign started in 2010 and was renewed in 2012 with an improved infrastructure.

“Some time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware,” Kaspersky Lab’s Global Research and Analysis Team explained in a blog post. “While assisting the customer, we found a very interesting file in the system that is completely unrelated to China and contained no Chinese coding traces. At first look, it pretends to be a Java related application but after a quick analysis, it was obvious this was something more than just a simple Java file. It was a targeted attack we are calling ‘Machete’.”

The malware at the center of the attacks is capable of a number of actions, including logging keystrokes, capturing audio and screenshots, taking photos with the victim’s webcam and capturing geo-location data. It can copy files to a USB device when one is inserted, and can also upload files to a remote server. In addition, it can hijack the clipboard and harvest information from the target machine.

According to Kaspersky Lab, most of the malware victims are located in Ecuador, Colombia, Peru, Venezuela, Cuba, Spain and Russia. In some cases, such as with Russia, the target appears to be an embassy from one of the other countries mentioned. Outside embassies, other targets include intelligence services, military and government institutions.

“The malware is distributed via social engineering techniques, which include spear-phishing emails and infections via the Web by a fake blog website,” the researchers noted. “We have found no evidence of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking. During this investigation, we also discovered many other files installing this cyber-espionage tool in what appears to be a dedicated spear-phishing campaign. These files display a PowerPoint presentation that installs the malware on the target system once the file is opened.”

The “PowerPoint” attachments are in reality Nullsoft Installer (NSIS) self-extracting archives, some with compilation dates going back to 2008.
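The attachments described above are Windows executables that rely on the file name to pass as presentations, so a mail gateway or sandbox that trusts the extension alone will misfile them. The following is an added example, not code from the article or from Kaspersky Lab, of the check a defender would write: classify an attachment by its leading bytes (OLE compound-file magic for legacy .ppt/.pps, a zip header for .pptx, an MZ header for a PE) and flag any file whose content is a PE while its name claims an Office format. The NSIS first header carries the literal marker `NullsoftInst`, which the check uses to single out NSIS self-extractors. The sample attachments are constructed stand-ins (a PE header followed by the NSIS marker), not real installers; the helper names are this example's own.

```python
from pathlib import PurePosixPath

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office files (.ppt/.pps/.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML (.pptx/.docx/.xlsx) is a zip container
PE_MAGIC = b"MZ"                                 # Windows executable (DOS stub header)
NSIS_MARK = b"NullsoftInst"                      # signature found in the NSIS first header
OFFICE_EXTS = {".ppt", ".pps", ".pptx", ".ppsx", ".doc", ".docx", ".xls", ".xlsx"}


def identify_content(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever the name claims."""
    if data.startswith(OLE_MAGIC):
        return "ole-office"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-office"
    if data.startswith(PE_MAGIC):
        return "pe-nsis" if NSIS_MARK in data else "pe"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension(s) with the real content and return a verdict."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    content = identify_content(data)
    claims_office = claimed in OFFICE_EXTS
    office_anywhere_in_name = any(s in OFFICE_EXTS for s in suffixes)
    is_executable = content.startswith("pe")

    if claims_office and is_executable:
        verdict = "masquerade"          # looks like a deck, is a program
    elif office_anywhere_in_name and is_executable:
        verdict = "double-extension"    # e.g. brief.pps.exe
    elif is_executable:
        verdict = "executable"          # honest executable; policy decides
    elif claims_office and content == "unknown":
        verdict = "unexpected-content"  # claims Office, but no known container
    else:
        verdict = "consistent"
    return {"filename": filename, "claimed": claimed, "content": content, "verdict": verdict}


def nsis_like_stub() -> bytes:
    # Constructed stand-in for an NSIS self-extractor: PE header, padding, NSIS marker.
    return PE_MAGIC + b"\x90" * 0x3C + NSIS_MARK + b"\x00" * 64


# Constructed sample attachments (not real files from the campaign)
SAMPLES = {
    "agenda.pps": nsis_like_stub(),
    "agenda.ppt": OLE_MAGIC + b"\x00" * 32,
    "slides.pptx": ZIP_MAGIC + b"\x14\x00" * 16,
    "brief.pps.exe": PE_MAGIC + b"\x00" * 64,
    "setup.exe": PE_MAGIC + b"\x00" * 64,
}


def flagged_samples() -> list:
    """Names of sample attachments that a gateway should hold for review."""
    return [
        name for name, data in SAMPLES.items()
        if assess_attachment(name, data)["verdict"] in ("masquerade", "double-extension")
    ]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess_attachment(name, data))
```

The check deliberately reads only the first few bytes plus a substring search, so it is cheap enough to run on every attachment; it is a triage filter, not a replacement for detonation or signature scanning, and an Office document carrying a macro would still pass it as “consistent”.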

“A technically relevant fact about this campaign is the use of Python embedded into Windows executables of the malware,” according to Kaspersky Lab. “This is very unusual and does not have any advantage for the attackers except ease of coding. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and UNIX victims as well. In addition to Windows components, we also found a mobile (Android) component.”

The following domains have been linked to the campaign:

java.serveblog.net
agaliarept.com
frejabe.com
grannegral.com
plushbr.com
xmailliwx.com
blogwhereyou.com (sinkholed by Kaspersky Lab)
grannegral.com (sinkholed by Kaspersky Lab)

The malware associated with the attacks is detected by Kaspersky Lab as Trojan-Spy.Python.Ragua. 
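A domain list like the one above is only useful once it is run against what the network actually resolved. The following is an added example, not code from the article or from Kaspersky Lab, of matching resolver query logs against these indicators: a name is a hit if it equals an indicator or is a subdomain of one, comparison is case-insensitive and ignores a trailing dot, and a sibling of java.serveblog.net under the same dynamic-DNS parent is deliberately not matched, since serveblog.net itself is not on the list. The log lines and the `client=... query=... name=...` format are constructed for the example; the indicator set is copied from the article.

```python
import re
from collections import Counter

# Indicator domains as listed in the article
MACHETE_DOMAINS = {
    "java.serveblog.net",
    "agaliarept.com",
    "frejabe.com",
    "grannegral.com",
    "plushbr.com",
    "xmailliwx.com",
    "blogwhereyou.com",
}

# Constructed sample resolver log (format and traffic invented for this example)
SAMPLE_LOG = """\
2014-08-20T10:15:02Z client=10.0.0.5 query=A name=www.example.com
2014-08-20T10:15:07Z client=10.0.0.5 query=A name=mail.grannegral.com
2014-08-20T10:16:11Z client=10.0.0.9 query=A name=java.serveblog.net.
2014-08-20T10:16:40Z client=10.0.0.9 query=A name=other.serveblog.net
2014-08-20T10:17:03Z client=10.0.0.7 query=AAAA name=notplushbr.com
2014-08-20T10:17:30Z client=10.0.0.7 query=A name=PLUSHBR.COM
"""

NAME_RE = re.compile(r"\bname=(\S+)")
CLIENT_RE = re.compile(r"\bclient=(\S+)")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def matching_indicator(name: str, indicators=MACHETE_DOMAINS):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    labels = normalize(name).split(".")
    # Walk from the full name towards the root: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_dns_log(text: str, indicators=MACHETE_DOMAINS) -> list:
    """Return one record per log line whose queried name matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if not m:
            continue
        indicator = matching_indicator(m.group(1), indicators)
        if indicator is None:
            continue
        c = CLIENT_RE.search(line)
        hits.append({
            "client": c.group(1) if c else None,
            "name": normalize(m.group(1)),
            "indicator": indicator,
            "line": line,
        })
    return hits


def clients_to_investigate(text: str) -> Counter:
    """Count matches per source client, the usual pivot for incident triage."""
    return Counter(h["client"] for h in scan_dns_log(text))


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['name']}  (matches {hit['indicator']})")
    print(clients_to_investigate(SAMPLE_LOG))
```

Suffix matching on label boundaries is what keeps `notplushbr.com` out while still catching `mail.grannegral.com`; a plain substring search would produce the opposite of both results. Sinkholed domains still belong in the list, because a query for one from an internal host means the implant is present even though the callback no longer reaches the attacker.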

“The ‘Machete’ discovery shows there are many regional players in the world of targeted attacks,” according to the researchers. “Unfortunately, such attacks became a part of the cyber arsenal of many nations located all over the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.”

Written By

Marketing professional with a background in journalism and a focus on IT security.