El Machete APT Group

Threat Actor ID

Vision, Mission, and Motivation

Machete is a South American-based APT group operating since 2010. They are also known as APT-C-43. Attacks affecting many countries, especially Latin America, are carried out against high-profile organizations such as government agencies, law enforcement, telecommunications, and energy companies. Information theft and espionage are the primary motivations for the attacks. Various activities are carried out, such as capturing screenshots from compromised devices, capturing geolocation data, accessing webcams, copying sensitive data to a remote server, and keylogging.

The group, which frequently uses social engineering techniques such as including malware-laden documents and links in fake e-mails, is known to conduct extensive intelligence work on the target before carrying out the attack. It has been determined that actual military documents were used in phishing attacks by threat actors.

Approximately 75 false documents belonging to the threat actor group were identified. The themes of the forged documents, which were mostly found to have been seized from previous attacks and repurposed for targeted phishing attacks, were related to military information ranging from national-level political issues concerning the victims and personnel assignments. It has also been observed that threat actors exploit the victim’s sense of fear and panic by using themes such as debt collection and subpoenas. As a result of the metadata analysis of these documents, it has been reported that they were created in 2000, 2006, 2011, 2013, 2014, 2015, 2016, and 2017.

The graphic below shows the format information and usage rate of the documents used by the threat actors.

Targeted Countries

Upon the analysis of the documents used by the group, it was determined that the papers were primarily prepared in Spanish and Portuguese, and there were Spanish scripts in the malware used. It is possible to deduce that the Machete APT group explicitly targets countries that use these two languages.

The countries where the cyber espionage group operates, which generally targets Latin American countries with effective spearphishing techniques, are as follows.

• Venezuelan
• Russia
• Cuba
• Chinese
• Belgium
• Ecuador
• Brazil
• Spain
• France
• Colombia
• Peru
• Sweden
• United States of America
• Malaysia

Operations

• The group, which carried out a China-focused attack in 2014, forwarded Hermosa XXX.pps.rar, Suntzu.rar, El Arte de la guerra.rar, and Hot Brazilian XXX.rar files to its victims via fake e-mails. It was determined that the files with a total size of 3 MB and loaded with malware were created in 2008. When the attack targeting the Windows operating system was analyzed, clues were obtained that the attackers developed their infrastructure for Mac OS X and Android.
• By 2018, a concealment layer was included in the malware used in attacks against targets, using Zlib compression and base64 algorithm. In this way, most security products could not detect the updated malware to increase the success rate in targeted attacks.
• In 2019, threat actors carried out an attack targeting the Venezuelan army. The phishing attack by threat actors has attracted attention due to the use of verified military documents obtained from previous episodes. After the attack, the group obtained sensitive data belonging to the army.
• By 2022, the group targeted government institutions, energy, and finance sectors in Venezuela, Israel, Saudi Arabia, and Pakistan, using official documents on the ongoing war between Ukraine and Russia. Threat actors continued their espionage campaigns, using phishing techniques, screen capture, keylogging, and transmitting malware-laden documents that allow command execution on compromised systems to targets.

TTPs & Attack Lifecycle

Threat actors follow a series of stages that make up the attack lifecycle when they devise specific strategies to infiltrate an organization’s network and capture data. These stages are called techniques, tactics, and procedures (TTPs). It is essential to understand the techniques, tactics, and procedures to determine the purpose and motivations of threat actors and to ensure data and network security against actual attacks.

This part of the content includes techniques, tactics, and procedures belonging to the APT-C-43 group.

Indicator of Compromises

GoogleUpdate.exe

Chrome.exe

GoogleCrash.exe

RAR/7z SFX: Config + Payload

7z SFX: Decoy C+ Downloader

RAR SFX: URL Config + Downloader

Downloader

_hashlbi.pyw

_bsdbd.pyw

_clypes.pyw

_elementree.pyw

_mssi.pyw

_multiproccessing.pyw

Domains

• koliast[.]com
• tobabean[.]expert
• u929489355.hostingerapp[.]com
• u154611594.hostingerapp[.]com
• 6e24a5fb.ngrok[.]io
• f9527d03.ngrok[.]io
• adtiomtardecessd.zapto[.]org
• mcsi.gotdns[.]ch
• djcaps.gotdns[.]ch
• tokeiss.ddns[.]net
• artyomt[.]com
• lawyersofficial.mipropia[.]com
• ceofanb18.mipropia[.]com

IP Addresses

• 185[.]224[.]137[.]63
• 156[.]67[.]222[.]88
• 158[.]69[.]9[.]209
• 142[.]44[.]236[.]215
• 199[.]79[.]63[.]188
• 109[.]61[.]164[.]33

Recommendations & Mitigations

Attacks by threat actors negatively affect the brand integrity of institutions/organizations by violating the security of systems. The measures that can be taken for an institution to ensure the security of critical data and minimize all risks are as follows:

• To ensure the security of the accounts used against brute force attacks, strong passwords should be created, and each password created should be platform-specific. In addition, it is recommended to enable multi-factor protection on accounts used whenever possible. This will provide an extra layer of security.
• E-mails and links that are considered suspicious should not be trusted. As seen in the Machete APT group we covered in the blog post, forwarding malware-laden documents to victims via fake emails is a social engineering technique frequently used by threat actors. In addition, to be protected from possible social engineering attacks, it is important to raise awareness and train the personnel of the institution/organization on this issue.
• Make sure that the software used is up-to-date. Threat actors can compromise systems by using out-of-date vulnerable applications and software.
• Provided software and applications from reliable sources, unknown websites should be avoided.
• Comprehensive security products such as firewalls and antivirus programs should be used in order to be protected from possible attacks and to ensure the security of sensitive data. These products will protect individuals and institutions from various risks, such as malware and phishing attacks, or reduce the effects of attacks.

Conclusion

The Machete APT group carries out carefully prepared attacks on targets that can be considered very important, although many threat actors are less known than the group. Although it has not been found to exploit any zero-day vulnerabilities, the group carries out cyber-attacks with advanced phishing techniques and malware after performing extensive intelligence work on the target and gathering information.

The Brandefense Threat Intelligence Team prepared this post, and it is aimed to raise awareness against cyber attacks carried out by Machete and similar threat actors. It is thought that it will be effective and useful to benefit from this post, which has been prepared so that potential targets can correctly determine the necessary precautions and priorities.