SecurityWeek

Cyberwarfare

‘Machete’ Cyber Espionage Attacks Target Spanish-Speaking Countries

Researchers have identified a cyber-espionage campaign focused on Spanish-speaking countries.

Researchers at Kaspersky Lab have dubbed the attack ‘Machete.’ It is believed the attack campaign started in 2010 and was renewed in 2012 with an improved infrastructure.

“Some time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware,” Kaspersky Lab’s Global Research and Analysis Team explained in a blog post. “While assisting the customer, we found a very interesting file in the system that is completely unrelated to China and contained no Chinese coding traces. At first look, it pretends to be a Java related application but after a quick analysis, it was obvious this was something more than just a simple Java file. It was a targeted attack we are calling ‘Machete’.”

The malware at the center of the attacks is capable of a number of actions, including logging keystrokes, capturing audio and screenshots, taking photos with the victim’s webcam and collecting geo-location data. It can copy files to a USB device when one is inserted, and it can also exfiltrate files to a remote server. In addition, it can hijack the clipboard and capture information from the target machine.

According to Kaspersky Lab, most of the malware victims are located in Ecuador, Colombia, Peru, Venezuela, Cuba, Spain and Russia. In some cases, such as with Russia, the target appears to be an embassy from one of the other countries mentioned. Outside embassies, other targets include intelligence services, military and government institutions.

“The malware is distributed via social engineering techniques, which include spear-phishing emails and infections via the Web through a fake blog website,” the researchers noted. “We have found no evidence of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking. During this investigation, we also discovered many other files installing this cyber-espionage tool in what appears to be a dedicated spear-phishing campaign. These files display a PowerPoint presentation that installs the malware on the target system once the file is opened.”

The PowerPoint attachments are in reality Nullsoft Installer self-extracting archives with compilation dates going back to 2008.

“A technically relevant fact about this campaign is the use of Python embedded into Windows executables of the malware,” according to Kaspersky Lab. “This is very unusual and does not have any advantage for the attackers except ease of coding. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and UNIX victims as well. In addition to Windows components, we also found a mobile (Android) component.”
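The two traits described above, a lure named like a PowerPoint file that is really a Nullsoft (NSIS) self-extracting executable, and a Windows executable that carries an embedded Python runtime, are both visible from the raw bytes of an attachment. The triage helper below is an added example written for this article, not Kaspersky Lab’s code or a signature for the real samples; the NSIS header marker is the public "NullsoftInst" string, the python DLL name pattern is a heuristic for bundled Python, and the two sample blobs are constructed stand-ins, not real malware.

```python
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .ppt/.pps (OLE2 container)
ZIP_MAGIC = b"PK\x03\x04"                           # .pptx/.ppsx (OOXML zip container)
PE_MAGIC = b"MZ"                                    # Windows executable header
NSIS_MARKER = b"NullsoftInst"        # signature string in the NSIS first-header block
PYTHON_DLL = re.compile(rb"python\d\d\.dll", re.IGNORECASE)  # bundled-Python heuristic
POWERPOINT_EXTS = {"ppt", "pps", "pptx", "ppsx"}


def triage_attachment(name: str, data: bytes) -> dict:
    """Compare what the filename claims to be with what its bytes actually are."""
    exts = name.lower().split(".")[1:]   # every suffix, so 'deck.pps.exe' still counts
    looks_like_office = data.startswith(OLE2_MAGIC) or data.startswith(ZIP_MAGIC)
    verdict = {
        "name": name,
        "claims_powerpoint": any(e in POWERPOINT_EXTS for e in exts),
        "is_pe": data.startswith(PE_MAGIC),
        "nsis_self_extractor": NSIS_MARKER in data,
        "embedded_python": PYTHON_DLL.search(data) is not None,
    }
    # A file presented as a presentation whose bytes are not an Office container
    # matches the lure pattern above; an NSIS PE with a python DLL is a strong hit.
    verdict["suspicious"] = verdict["claims_powerpoint"] and not looks_like_office
    return verdict


# Constructed samples (not real malware): a PE-style blob carrying the NSIS marker
# and a python DLL import string, and a genuine-looking OOXML presentation.
FAKE_PPS = b"MZ" + b"\x00" * 60 + b"NullsoftInst" + b"\x00" * 8 + b"python27.dll"
REAL_PPTX = ZIP_MAGIC + b"[Content_Types].xml..."

if __name__ == "__main__":
    for fname, blob in (("informe.pps", FAKE_PPS), ("informe.pptx", REAL_PPTX)):
        print(triage_attachment(fname, blob))
```

In a mail gateway or sandbox pipeline the same check runs over every attachment, and a `suspicious` verdict combined with `nsis_self_extractor` is worth quarantining before a user double-clicks the “presentation”.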


The following domains have been linked to the campaign:


The malware associated with the attacks is detected by Kaspersky Lab as Trojan-Spy.Python.Ragua. 

“The ‘Machete’ discovery shows there are many regional players in the world of targeted attacks,” according to the researchers. “Unfortunately, such attacks have become a part of the cyber arsenal of many nations around the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
