Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[1][2][3][4]
Name | Description
---|---
APT-C-43 |
El Machete |
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Machete has used batch files to initiate additional downloads of malicious files.[4]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Machete has embedded malicious macros within spearphishing attachments to download additional files.[4]
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Machete used multiple compiled Python scripts on the victim's system. Machete's main backdoor, Machete, is also written in Python.[1][3][4]
Enterprise | T1189 | Drive-by Compromise | Machete has distributed Machete through a fake blog website.[2]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.[4]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Machete has delivered spearphishing emails that contain a zipped file with malicious contents.[2][3][4]
Enterprise | T1566.002 | Phishing: Spearphishing Link | Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[1][3]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Machete has created scheduled tasks to maintain Machete's persistence.[4]
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec |
Enterprise | T1204.001 | User Execution: Malicious Link | Machete has relied on users opening malicious links delivered through spearphishing to execute malware.[1][2][3]
Enterprise | T1204.002 | User Execution: Malicious File | Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.[1][2][3][4]