S0409 Machete
Machete is a cyber espionage toolset used by the threat group of the same name (G0095). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[1][2][3]
Item | Value |
---|---|
ID | S0409 |
Associated Names | Pyark |
Type | MALWARE |
Version | 2.1 |
Created | 13 September 2019 |
Last Modified | 22 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
Pyark | [3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Machete uses HTTP for Command & Control.[1][4][3] |
enterprise | T1071.002 | File Transfer Protocols | Machete uses FTP for Command & Control.[1][4][3] |
enterprise | T1010 | Application Window Discovery | Machete saves the window names.[1] |
enterprise | T1560 | Archive Collected Data | Machete stores zipped files with profile data from installed web browsers.[1] |
enterprise | T1560.003 | Archive via Custom Method | Machete's collected data is encrypted with AES before exfiltration.[1] |
enterprise | T1123 | Audio Capture | Machete captures audio from the computer's microphone.[2][4][3] |
enterprise | T1020 | Automated Exfiltration | Machete's collected files are exfiltrated automatically to remote servers.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Machete used the startup folder for persistence.[2][4] |
enterprise | T1217 | Browser Information Discovery | Machete retrieves user profile data from the Chrome and Firefox browsers.[1] |
enterprise | T1115 | Clipboard Data | Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.006 | Python | Machete is written in Python and is used in conjunction with additional Python scripts.[1][2][3] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Machete collects stored credentials from several web browsers.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Machete has used base64 encoding.[2] |
enterprise | T1005 | Data from Local System | Machete searches the file system for files of interest.[1] |
enterprise | T1025 | Data from Removable Media | Machete can find, encrypt, and upload files from fixed and removable drives.[4][1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Machete stores files and logs in a folder on the local drive.[1][4] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Machete's downloaded data is decrypted using AES.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Machete has used AES to exfiltrate documents.[1] |
enterprise | T1573.002 | Asymmetric Cryptography | Machete has used TLS-encrypted FTP to exfiltrate data.[4] |
enterprise | T1041 | Exfiltration Over C2 Channel | Machete's collected data is exfiltrated over the same channel used for C2.[1] |
enterprise | T1052 | Exfiltration Over Physical Medium | - |
enterprise | T1052.001 | Exfiltration over USB | Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[1][2] |
enterprise | T1008 | Fallback Channels | Machete has sent data over HTTP if FTP failed, and has also used a fallback server.[1] |
enterprise | T1083 | File and Directory Discovery | Machete produces file listings in order to search for files to be exfiltrated.[1][4][3] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Once a file is uploaded, Machete will delete it from the machine.[1] |
enterprise | T1105 | Ingress Tool Transfer | Machete can download additional files for execution on the victim's machine.[1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Machete logs keystrokes from the victim's machine.[1][2][4][3] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | Machete renamed scheduled tasks to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.[1] |
enterprise | T1036.005 | Match Legitimate Name or Location | Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[1][2] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Machete has been packed with NSIS.[1] |
enterprise | T1027.010 | Command Obfuscation | Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[4][1] |
enterprise | T1120 | Peripheral Device Discovery | Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.[1] |
enterprise | T1057 | Process Discovery | Machete has a component to check for running processes to look for web browsers.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | The different components of Machete are executed by Windows Task Scheduler.[1][2] |
enterprise | T1029 | Scheduled Transfer | Machete sends stolen data to the C2 server every 10 minutes.[1] |
enterprise | T1113 | Screen Capture | Machete captures screenshots.[1][2][4][3] |
enterprise | T1082 | System Information Discovery | Machete collects the hostname of the target computer.[1] |
enterprise | T1016 | System Network Configuration Discovery | Machete collects the MAC address of the target computer and other network configuration information.[1][3] |
enterprise | T1049 | System Network Connections Discovery | Machete uses the `netsh wlan show networks mode=bssid` and `netsh wlan show interfaces` commands to list all nearby WiFi networks and connected interfaces.[1] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.004 | Private Keys | Machete has scanned and looked for cryptographic keys and certificate file extensions.[1] |
enterprise | T1125 | Video Capture | Machete takes photos from the computer's web camera.[2][4][3] |
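The masquerading (T1036.004/.005), scheduled task (T1053.005) and netsh WiFi survey (T1049) rows are the ones a defender can turn into a hunt most directly, because each leaves a process-creation event. The Python below is an added example, not code from ATT&CK or from the cited reports: it runs those three checks over constructed Sysmon-style process-creation records. The `ProcEvent` layout (Image, CommandLine, ParentImage), the list of impersonated product names and the "trusted install root" paths are assumptions to be tuned per environment; the sample events are constructed, not real telemetry.

```python
"""
Hunting checks for three Machete behaviours from the technique table:
T1049 (netsh wlan survey), T1053.005/T1036.004 (scheduled tasks named after
trusted products but pointing at untrusted binaries) and T1036.005 (payloads
renamed to look like Chrome, Java, Dropbox, Adobe Reader or Python binaries).

Added example, not code from ATT&CK or the cited reports. The event layout
mimics a Sysmon process-creation record; TRUSTED_ROOTS and MASQUERADE_NAMES
are assumptions to tune per environment.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Product names the reports say Machete payloads and tasks impersonate.
MASQUERADE_NAMES = ("google", "chrome", "java", "dropbox", "adobe", "acrord", "python")

# Assumption: genuine copies of those products install under these roots.
# Caveat: Dropbox installs under the user profile, so expect to tune this list.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# T1049: the two netsh invocations the ESET report attributes to Machete.
NETSH_WLAN_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+(?:networks(?:\s+mode=bssid)?|interfaces)\b", re.I
)
# T1053.005: task creation via schtasks; /tn and /tr are parsed separately.
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)


@dataclass
class ProcEvent:
    image: str            # full path of the created process
    command_line: str
    parent_image: str = ""


def in_trusted_root(path: str) -> bool:
    """True if path sits under one of the assumed install roots."""
    p = path.strip('"').lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def switch_value(flag: str, cmd: str) -> Optional[str]:
    """Return the argument following a schtasks switch, handling quoted values."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def masquerading_binary(path: str) -> bool:
    """Named like a trusted product but executing outside the trusted roots (T1036.005)."""
    if not path:
        return False
    name = path.strip('"').rsplit("\\", 1)[-1].lower()
    return any(name.startswith(n) for n in MASQUERADE_NAMES) and not in_trusted_root(path)


def detect(ev: ProcEvent) -> List[str]:
    """Return a list of findings (technique-tagged strings) for one event."""
    hits: List[str] = []
    cmd = ev.command_line

    if NETSH_WLAN_RE.search(cmd):
        hits.append("T1049 netsh wlan survey: " + cmd)

    if SCHTASKS_CREATE_RE.search(cmd):
        tn = switch_value("/tn", cmd) or ""
        tr = switch_value("/tr", cmd) or ""
        # Trusted-looking task name whose action lives outside the trusted roots.
        if any(n in tn.lower() for n in MASQUERADE_NAMES) and tr and not in_trusted_root(tr):
            hits.append(f"T1053.005/T1036.004 task '{tn}' runs untrusted action {tr}")

    # Check both the process and its parent: a netsh survey spawned by a
    # chrome.exe in AppData is a stronger signal than either event alone.
    for role, path in (("image", ev.image), ("parent", ev.parent_image)):
        if masquerading_binary(path):
            hits.append(f"T1036.005 {role} {path} mimics a trusted product outside trusted roots")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, omitting clean events."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        found = detect(ev)
        if found:
            results[i] = found
    return results


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              "netsh wlan show networks mode=bssid",
              r"C:\Users\ana\AppData\Roaming\Chrome\chrome.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 10 /tn "GoogleUpdateTaskMachine" '
              r'/tr "C:\Users\ana\AppData\Roaming\Chrome\chrome.exe"'),
    ProcEvent(r"C:\Users\ana\AppData\Roaming\Java\java.exe",
              r'"C:\Users\ana\AppData\Roaming\Java\java.exe"',
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    ProcEvent(r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"event {idx}: {finding}")
```

The genuine Chrome event (index 3) and the unrelated netsh call (index 4) produce no findings; the other three do. Administrators also run `netsh wlan show networks mode=bssid`, so the T1049 hit is best treated as a pivot rather than an alert on its own and paired with the parent-process check, as the first sample event shows.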
Groups That Use This Software
ID | Name | References |
---|---|---|
G0095 | Machete | [2][1] |
References
1. ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
2. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
3. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
4. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.