
G0095 Machete

Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. Its operations have focused primarily on Latin America, with particular emphasis on Venezuela, but it has also been active in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[1][2][3][4]

ID: G0095
Associated Names: APT-C-43, El Machete
Version: 2.0
Created: 13 September 2019
Last Modified: 06 October 2021

Associated Group Descriptions

Name: Description
APT-C-43: [4]
El Machete: [1]

Techniques Used

Domain / ID / Name: Use
enterprise T1059 Command and Scripting Interpreter: -
enterprise T1059.003 Windows Command Shell: Machete has used batch files to initiate additional downloads of malicious files.[4]
enterprise T1059.005 Visual Basic: Machete has embedded malicious macros within spearphishing attachments to download additional files.[4]
enterprise T1059.006 Python: Machete has used multiple compiled Python scripts on the victim's system. Machete's main backdoor, Machete, is also written in Python.[1][3][4]
enterprise T1189 Drive-by Compromise: Machete has distributed Machete through a fake blog website.[2]
enterprise T1036 Masquerading: -
enterprise T1036.005 Match Legitimate Name or Location: Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.[4]
enterprise T1566 Phishing: -
enterprise T1566.001 Spearphishing Attachment: Machete has delivered spearphishing emails that contain a zipped file with malicious contents.[2][3][4]
enterprise T1566.002 Spearphishing Link: Machete has sent phishing emails that contain a link to an external server hosting ZIP and RAR archives.[1][3]
enterprise T1053 Scheduled Task/Job: -
enterprise T1053.005 Scheduled Task: Machete has created scheduled tasks to maintain Machete's persistence.[4]
enterprise T1218 System Binary Proxy Execution: -
enterprise T1218.007 Msiexec: Machete has used msiexec to install the Machete malware.[4]
enterprise T1204 User Execution: -
enterprise T1204.001 Malicious Link: Machete has relied on users opening malicious links delivered through spearphishing to execute malware.[1][2][3]
enterprise T1204.002 Malicious File: Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.[1][2][3][4]

Software

ID / Name / References: Techniques
S0409 Machete [2][3]: Application Layer Protocol (Web Protocols); Application Layer Protocol (File Transfer Protocols); Application Window Discovery; Archive Collected Data (Archive via Custom Method); Archive Collected Data; Audio Capture; Automated Exfiltration; Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder); Browser Information Discovery; Clipboard Data; Command and Scripting Interpreter (Python); Credentials from Password Stores (Credentials from Web Browsers); Data Encoding (Standard Encoding); Data from Local System; Data from Removable Media; Data Staged (Local Data Staging); Deobfuscate/Decode Files or Information; Encrypted Channel (Symmetric Cryptography); Encrypted Channel (Asymmetric Cryptography); Exfiltration Over C2 Channel; Exfiltration Over Physical Medium (Exfiltration over USB); Fallback Channels; File and Directory Discovery; Hide Artifacts (Hidden Files and Directories); Indicator Removal (File Deletion); Ingress Tool Transfer; Input Capture (Keylogging); Masquerading (Masquerade Task or Service); Masquerading (Match Legitimate Name or Location); Obfuscated Files or Information (Command Obfuscation); Obfuscated Files or Information (Software Packing); Peripheral Device Discovery; Process Discovery; Scheduled Task/Job (Scheduled Task); Scheduled Transfer; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; Unsecured Credentials (Private Keys); Video Capture

References