BRANDEFENSE BRANDEFENSE
  • Home
  • Product
    How it works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    brandefense background
    Eliminate risks
    Explore the Brandefense
  • Blog
  • Resources
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    We in the Press
  • Partners
    Channel Partners
    Deal Registration
  • Company
    About Us
    Career
    Privacy Policy
    Terms of Use
    Contact Us
Free Trial

BRANDEFENSE

  • Home
  • Product
    How it works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    brandefense background
    Eliminate risks
    Explore the Brandefense
  • Blog
  • Resources
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    We in the Press
  • Partners
    Channel Partners
    Deal Registration
  • Company
    About Us
    Career
    Privacy Policy
    Terms of Use
    Contact Us
El Machete APT Group

El Machete APT Group

BRANDEFENSE
APT Groups
01/08/2022

Last updated on September 6th, 2022 at 02:52 pm

Table of Contents

  • Threat Actor ID
  • Vision, Mission, and Motivation
  • Targeted Countries
  • Operations
  • TTPs & Attack Lifecycle
    • Indicator of Compromises
      • GoogleUpdate.exe
      • Chrome.exe
      • GoogleCrash.exe
      • RAR/7z SFX: Config + Payload
      • 7z SFX: Decoy C+ Downloader
      • RAR SFX: URL Config + Downloader
      • Downloader
      • _hashlbi.pyw
      • _bsdbd.pyw
      • _clypes.pyw
      • _elementree.pyw
      • _mssi.pyw
      • _multiproccessing.pyw
    • Domains
    • IP Addresses
  • Recommendations & Mitigations
  • Conclusion

Threat Actor ID

Grup Adı El Machete,
Country USA
First Seen 2014
Motivation Information theft and espionage
Methods Malware, Spearphishing
Other Names APT-C-43

Vision, Mission, and Motivation

Machete is a South American-based APT group operating since 2010. They are also known as APT-C-43. Attacks affecting many countries, especially Latin America, are carried out against high-profile organizations such as government agencies, law enforcement, telecommunications, and energy companies. Information theft and espionage are the primary motivations for the attacks. Various activities are carried out, such as capturing screenshots from compromised devices, capturing geolocation data, accessing webcams, copying sensitive data to a remote server, and keylogging.

The group, which frequently uses social engineering techniques such as including malware-laden documents and links in fake e-mails, is known to conduct extensive intelligence work on the target before carrying out the attack. It has been determined that actual military documents were used in phishing attacks by threat actors.

forged documents belong to el-machete
forged documents belong to el-machete

Approximately 75 false documents belonging to the threat actor group were identified. The themes of the forged documents, which were mostly found to have been seized from previous attacks and repurposed for targeted phishing attacks, were related to military information ranging from national-level political issues concerning the victims and personnel assignments. It has also been observed that threat actors exploit the victim’s sense of fear and panic by using themes such as debt collection and subpoenas. As a result of the metadata analysis of these documents, it has been reported that they were created in 2000, 2006, 2011, 2013, 2014, 2015, 2016, and 2017.

The graphic below shows the format information and usage rate of the documents used by the threat actors.

el machete apt group
el machete apt group

Targeted Countries

Upon the analysis of the documents used by the group, it was determined that the papers were primarily prepared in Spanish and Portuguese, and there were Spanish scripts in the malware used. It is possible to deduce that the Machete APT group explicitly targets countries that use these two languages.

spanish code example of el machete apt group
spanish code example of el machete apt group

The countries where the cyber espionage group operates, which generally targets Latin American countries with effective spearphishing techniques, are as follows.

  • Venezuelan
  • Russia
  • Cuba
  • Chinese
  • Belgium
  • Ecuador
  • Brazil
  • Spain
  • France
  • Colombia
  • Peru
  • Sweden
  • United States of America
  • Malaysia
targeted countries machete
targeted countries machete

Operations

  • The group, which carried out a China-focused attack in 2014, forwarded Hermosa XXX.pps.rar, Suntzu.rar, El Arte de la guerra.rar, and Hot Brazilian XXX.rar files to its victims via fake e-mails. It was determined that the files with a total size of 3 MB and loaded with malware were created in 2008. When the attack targeting the Windows operating system was analyzed, clues were obtained that the attackers developed their infrastructure for Mac OS X and Android.
  • By 2018, a concealment layer was included in the malware used in attacks against targets, using Zlib compression and base64 algorithm. In this way, most security products could not detect the updated malware to increase the success rate in targeted attacks.
  • In 2019, threat actors carried out an attack targeting the Venezuelan army. The phishing attack by threat actors has attracted attention due to the use of verified military documents obtained from previous episodes. After the attack, the group obtained sensitive data belonging to the army.
  • By 2022, the group targeted government institutions, energy, and finance sectors in Venezuela, Israel, Saudi Arabia, and Pakistan, using official documents on the ongoing war between Ukraine and Russia. Threat actors continued their espionage campaigns, using phishing techniques, screen capture, keylogging, and transmitting malware-laden documents that allow command execution on compromised systems to targets.

TTPs & Attack Lifecycle

Threat actors follow a series of stages that make up the attack lifecycle when they devise specific strategies to infiltrate an organization’s network and capture data. These stages are called techniques, tactics, and procedures (TTPs). It is essential to understand the techniques, tactics, and procedures to determine the purpose and motivations of threat actors and to ensure data and network security against actual attacks.

This part of the content includes techniques, tactics, and procedures belonging to the APT-C-43 group.

Tactic Tactic ID Technique
Initial Access T1192

T1193

•Spearphishing Link

•Spearphishing Attachment

Execution T1204

T1053

•User Execution

•Scheduled Task

Persistence T1158

T1053

•Hidden Files and Directories

•Scheduled Task

Defense Evasion T1027

T1045

T1036

•Obfuscated Files or Information

•Software Packing

•Masquerading

Credential Access T1145

T1081

•Private Keys

•Credentials in Files

Discovery T1049

T1120

T1083

T1217

T1010

•System Network Connections Discovery

•Peripheral Device Discovery

•File and Directory Discovery
Process Discovery

•Browser Bookmark Discovery

•Application Window Discovery

Collection T1115

T1005

T1025

T1056

T1113

T1074

•Clipboard Data

•Data from Local System

•Data from Removable Media

•Input Capture

•Screen Capture

•Data Staged

Command and Control T1008

T1105

T1071

•Fallback Channels

•Remote File Copy

•Standard Application Layer Protoco

Exfiltration T1020

T1041

T1052

T1029

•Automated Exfiltration

•Exfiltration Over Command and Control Channel

•Exfiltration Over Physical Medium

•Scheduled Transfer

Indicator of Compromises

GoogleUpdate.exe

Hash

(SHA1)

Definition
048C40EB606DA3DEF08C9F6997C1948AFBBC959B Python/Machete.F
2E8D8508096CAA38493414F6BA788D0041EA9E15 Python/Machete.F
85BDD7D871108C737701AC30C14A2D343CBDEF94 Python/Machete.D
8ED8CB784512F7DADD147347FC94E945FAF16338 Python/Machete.F
9C413075AAB7EF7876B8DC8D7B7C1B9B96842C6E Python/Machete.A
AB8DD6B0CC950618589603012863B57F7ADB9D9B Python/Machete.A

 

Chrome.exe

Hash

(SHA1)

Definition
318496B58CF5052EFD49A95C721D9165278E9FCE Python/Machete.B
3BB345032B6D0226D6771BA65FE4DA0FAF628631 Python/Machete.B
946A24DFBD0AE94209EF7C284D3F462548566A3C Python/Machete.B
984B9202A6DBD7D3DD696CAE1220338A68092DC9 Python/Machete.B
EABD45D0A86113F5CCFF9FD292C1E482A5727815 Python/Machete.B
F05BC018C90B560DC4932758956ADFFBC10588CE Python/Machete.B

 

GoogleCrash.exe

Hash

(SHA1)

Definition
204A2850548E5994D4696E9002F90DFCCBE2093A Python/Machete.C
3792588EDC809270E6666A4677EC85A3400BA4CF Python/Machete.E
4899A2C2CECEB92D2CC4ED17D092D1D599379284 Python/Machete.A
A42756280AA352F4612BED85AABF7F3267E676C2 Python/Machete.E
A97CF05AD7F3102BDE45E4B4947ED435EFEA1968 Python/Machete.E

RAR/7z SFX: Config + Payload

Hash

(SHA1)

Definition
00397DA69B8E748720AEDFD80D78166573C33EC8 ders.exe
03929A5530639C1D9DBD395A298C59FD7EFF1DEC chrome.sfx.exe
0922DEFB82FF1140BBE3481BAB27564BB966D50B ChrOme_UpdAte.sfx.exe
0AC64E08E63601AD9D6A4EF019E5B374784AF80A chrome.sfx.exe
0BA5BCE133B50EF80FD9241C3EA5CB9135CA4EB1 ders.exe
161629F63422AB34108854662313F87A278DD7F5 chrome.sfx.exe
24752DAB28C3ADD4C31591F2EC480CE3CA83E0AA python27.exe
341F2EFA0FD11B4480D8503BFB81C62AF667D72D chrome_Up.sfx.exe
4C130AA110B290A0CF4FF1C099EA2A705081A9CB Chrome_Update.sfx.exe
50C23690C23EE070AD3A20FCED7311BFDF098833 ders.exe
67ECBC1E9A66719C599E6DDED33A85F70DACA13E chrome.sfx.exe
6A69A2A2D4A2F8690B71386F0F092B04EA5A647D ChrOme_UpdAte.sfx.exe
92C56AF6815597C0135C21EF5A35D41B0E2A460F Python_27.exe
9E52E1C015B97D4FB2CAC888F8FC69D729AF78F5 finaser.aes
A48A71B9D1C00A683397F97C02E0DBB3F4606863 ders.exe
B6E436A0FFF117A1C3D3D70947F62D4CAC66C95E ders.exe
C4ACCF6071F51ADE102190C6FA350435FC202654 Python.27.exe
D5238CDE036EEFCC6D8D686B3A00247F27DA894C Python.27.exe
DDA105D8D894F73B16518D546270E4F783CB5178 python27.exe
E85C1EF38C39B6087EA9AC8171DDD1416B9A5306 python27.exe
FD52B10E9D4E5D343E589627444A6766357D5E47 Security.exe

7z SFX: Decoy C+ Downloader

Hash

(SHA1)

Definition
52B680F472AE463436979DA325DB7AD64D5AF1EF Mapa_monitoreo_WRF_ind02052018.scr
69109287D41C002FA70BB3D6238C4056B2B24B2F Mapa_monitoreo_WRF_ind02052018.scr
89C0FDEED36A69099E935A590A103339B0CBE525 Mapa_monitoreo_WRF_ind02052018.scr
9EA7832D83C74C839A49580B4211E627A24571BE Programa Formacion en Contratacion Publica.scr
BFD0CBEF5B9C329792B38274474F04BD8109DF66 RGMA0_1_629.scr
FB871AACA0DDCF2F009A2D11ECF672CFB61B7357 CALENDARIO_ACTIVIDADES_COLCO_EC.scr
FDE89FCEC30FCAABB3D42ED87180843F3E760CD8 Mapa_monitoreo_WRF_ind02052018.scr

 

RAR SFX: URL Config + Downloader

Hash

(SHA1)

Definition
9912BDBE08179122DC3797A2585D463573D1B5A5 04Down.exe
AB16808B5B4706B6265C5FF5FEF8B8460C8A51F8 4Down.sfx.exe
BDAAB0B356EC9FE61FEE1723E1DD52E39DDC6699 04Down.exe
DED6509458DF62D3CE60C68F3A2A87E59F1F96BE Down.sfx.exe

 

Downloader

Hash

(SHA1)

Definition
2B7404F6B0075BC1192D61D4AF135D521D5F08A3 RdrCEF.exe
53102E57B40FEACB64566C26D101D9242DECE77C Down.exe
56E8743E0773286A4B9E055147D96D53A43BECA1 Down.exe
71F69F04307C8F5675DCADEAA80B8C2B95691B01 Down.exe
904137B61F1DED66C8CA76EBF198DEC1B638B5D4 Down.exe
FBB485B40477F5A014E7096747B1B4A494CE50EF Down.exe

_hashlbi.pyw

Hash

(SHA1)

Definition
1B3723651E1D321D4F34F2A243D7751D17288257 Python/Machete.G
7FFB9C7DA20C536B694E78538B65726EACB1B055 Python/Machete.G
B1ADF4B46350FB801CE54DA9C93A4EF79674F3F5 Python/Machete.G

 

_bsdbd.pyw

Hash

(SHA1)

Definition
0C33B75F6C4FC0413ABDBCDA1C5E18C907F13DC3 Python/Machete.G
314D9B4C25DD69453D86E4C7062DCE6DEDDA0533 Python/Machete.G
D4CF22F3DB78BDC1CEB55431857D88166CE677D4 Python/Machete.G

 

_clypes.pyw

Hash

(SHA1)

Definition
26FB301AF7393B5E564B8C802F5795EDEBD7CECF Python/Machete.G
979859B5A177650EF0549C81FD66D36E9DEA8078 Python/Machete.G
A07E38DF9887EA7811369CD72C57FD6D44523CD6 Python/Machete.G

 

_elementree.pyw

Hash

(SHA1)

Definition
07E383E9FF04F587769845306DC4BFE75630BAAA Python/Machete.G
3B6F5CB20FF3AC0EE3813A68A937AAE92EBC46D3 Python/Machete.G
56765B7511372A8E9BE017F48A764D141F485474 Python/Machete.G
CF2DC40926D8747AEC572DFD711BBFD766AADB10 Python/Machete.G

 

_mssi.pyw

Hash

(SHA1)

Definition
6B42091CA2F89A59F4E27E30ACDACF32EB83F824 Python/Machete.G
708F159F2CFE22FF0C4464F2FEDAA0501868BDD8 Python/Machete.G
DE639618B550DBE9071E999AAA5B4FC81F63A5A6 Python/Machete.G

_multiproccessing.pyw

Hash

(SHA1)

Definition
0B6F61AF3E2C6551F15E0F888177EEC91F20BA99 Python/Machete.G
76AABC0AF5D487A80BCBA19555191B46766139FA Python/Machete.G
7FF87649CA1D9178A02CD9942856D1B590652C6E Python/Machete.G
8692EB1E620F2BCDDAF28F0CB726CEC2AA1C230D Python/Machete.G
8AF19AA3F18CB35F12EE3966931E11799C3AC5A4 Python/Machete.G
E1BC4EC7F82FA06924DC4B43FBBB485D8C86D9CD Python/Machete.G

Domains

  • koliast[.]com
  • tobabean[.]expert
  • u929489355.hostingerapp[.]com
  • u154611594.hostingerapp[.]com
  • 6e24a5fb.ngrok[.]io
  • f9527d03.ngrok[.]io
  • adtiomtardecessd.zapto[.]org
  • mcsi.gotdns[.]ch
  • djcaps.gotdns[.]ch
  • tokeiss.ddns[.]net
  • artyomt[.]com
  • lawyersofficial.mipropia[.]com
  • ceofanb18.mipropia[.]com

IP Addresses

  • 185[.]224[.]137[.]63
  • 156[.]67[.]222[.]88
  • 158[.]69[.]9[.]209
  • 142[.]44[.]236[.]215
  • 199[.]79[.]63[.]188
  • 109[.]61[.]164[.]33
Download IoC

Recommendations & Mitigations

Attacks by threat actors negatively affect the brand integrity of institutions/organizations by violating the security of systems. The measures that can be taken for an institution to ensure the security of critical data and minimize all risks are as follows:

  • To ensure the security of the accounts used against brute force attacks, strong passwords should be created, and each password created should be platform-specific. In addition, it is recommended to enable multi-factor protection on accounts used whenever possible. This will provide an extra layer of security.
  • E-mails and links that are considered suspicious should not be trusted. As seen in the Machete APT group we covered in the blog post, forwarding malware-laden documents to victims via fake emails is a social engineering technique frequently used by threat actors. In addition, to be protected from possible social engineering attacks, it is important to raise awareness and train the personnel of the institution/organization on this issue.
  • Make sure that the software used is up-to-date. Threat actors can compromise systems by using out-of-date vulnerable applications and software.
  • Provided software and applications from reliable sources, unknown websites should be avoided.
  • Comprehensive security products such as firewalls and antivirus programs should be used in order to be protected from possible attacks and to ensure the security of sensitive data. These products will protect individuals and institutions from various risks, such as malware and phishing attacks, or reduce the effects of attacks.

Conclusion

The Machete APT group carries out carefully prepared attacks on targets that can be considered very important, although many threat actors are less known than the group. Although it has not been found to exploit any zero-day vulnerabilities, the group carries out cyber-attacks with advanced phishing techniques and malware after performing extensive intelligence work on the target and gathering information.

The Brandefense Threat Intelligence Team prepared this post, and it is aimed to raise awareness against cyber attacks carried out by Machete and similar threat actors. It is thought that it will be effective and useful to benefit from this post, which has been prepared so that potential targets can correctly determine the necessary precautions and priorities.

APT APT-C-43 El Machete Malware Spearphishing
Share on Facebook Share on Twitter
Search
Categories
APT GroupsBlogDark WebDRPSFraudRansomwareSector AnalysisSecurity NewsVIP SecurityWe in the PressWeekly Newsletter
Recent Posts
  • Perspective of the Month | APT Groups
    Perspective of the Month | APT Groups
  • BellaCiao: The New Malware From Iran’s Charming Kitten
    BellaCiao: The New Malware From Iran’s Charming Kitten
  • Security News Digest | Security Newsletter | April 27, 2023
    Security News Digest | Security Newsletter | April 27, 2023
  • Cyber Security Trends in 2023: What You Need to Know
    Cyber Security Trends in 2023: What You Need to Know
2023 Ransomware Trends Report
Let’s Dive in Ransomware Attack Trends
Report

Let’s Dive in Ransomware Attack Trends

Download Report
Follow us!

Continue Reading

Previous post

Critical Vulnerabilities Detected in Moxa NPort Series Devices

critical vulnerabilities detected in moxa nport series devices
cyber security weekly newsletter 31
Next post

Security News – Week 31

particle element
We know what hackers know about you
Our cyber threat intelligence and security research team is ready to help you.
Request a demo
Free Trial
Contact
Login

Follow us on

brandefense logo brandefense

Brandefense is solving SOC’s complex challenges. We are here to help Brandefense customers to protect their brands and reputations against cyber threats.

United States:

300 Delaware Ave. Ste 210 #328 Wilmington, DE 19801 / USA

Turkey:

Üniversiteler Mahallesi, 1605.Cadde, Kapı No:3/1, No: 204, 06800 Çankaya/Ankara 06800

© 2022 Brandefense. All rights reserved.

Solutions
Threat IntelligenceBrand ProtectionVulnerability ManagementFraud ProtectionVIP SecurityAttack Surface ManagementVulnerability Intelligence
Use Case
Data LeakagePhishing MonitoringAccount Takeover DetectionStolen Credit CardsDark Web MonitoringRemediation / Takedown
Partners
Channel PartnersDeal Registration
Company
AboutCareerPrivacy PolicyTerms Of UseContact
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}
Close
Search

Hit enter to search or ESC to close