Authors
Introduction
Some time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware. While assisting the customer, we found a very interesting file in the system that is completely unrelated to China and contained no Chinese coding traces. At first look, it pretends to be a Java related application but after a quick analysis, it was obvious this was something more than just a simple Java file. It was a targeted attack we are calling “Machete”.
What is “Machete”?
“Machete” is a targeted attack campaign with Spanish speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may be still “active”.
The malware is capable of the following cyber-espionage operations:
- Logging keystrokes
- Capturing audio from the computer’s microphone
- Capturing screenshots
- Capturing geolocation data
- Taking photos from the computer’s web camera
- Copying files to a remote server
- Copying files to a special USB device if inserted
- Hijjacking the clipboard and capturing information from the target machine
Targets of “Machete”
Most of the victims are located in, Venezuela, Ecuador, Colombia, Peru, Russia, Cuba, and Spain, among others. In some cases, such as Russia, the target appears to be an embassy from one of the countries of this list.
Targets include high-level profiles, including intelligence services, military, embassies and government institutions.
How does “Machete” operate?
The malware is distributed via social engineering techniques, which includes spear-phishing emails and infections via Web by a fake Blog website. We have found no evidence of of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking.
During this investigation, we also discovered many other the files installing this cyber-espionage tool in what appears to be a dedicated a spear phishing campaign. These files display a PowerPoint presentation that installs the malware on the target system once the file is opened. These are the names of the PowerPoint attachments:
- Hermosa XXX.pps.rar
- Suntzu.rar
- El arte de la guerra.rar
- Hot brazilian XXX.rar
These files are in reality Nullsoft Installer self-extracting archives and have compilation dates going back to 2008.
A consequence of the embedded Python code inside the executables is that these installers include all the necessary Python libraries as well as the PowerPoint file shown to the victim during the installation. The result is extremely large files, over 3MB.
Here are some screnshots of the mentioned files:
A technical relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. This is very unusual and does not have any advantage for the attackers except ease of coding. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component.
Both attackers and victims speak Spanish natively, as we see it consistently in the source code of the client side and in the Python code.
Indicators of Compromise
Web infections
The following code snippets were found into the HTML of websites used to infect victims:
Note: Thanks to Tyler Hudak from Korelogic who noticed that the above HTML is copy pasted from SET, The Social Engineering Toolkit (https://www.trustedsec.com/downloads/social-engineer-toolkit/).
Also the following link to one known infection artifact:
hxxp://name.domain.org/nickname/set/Signed_Update.jar
Domains
The following are domains found during the infection campaign. Any communication with them must be considered extremely suspicious
java.serveblog.net
agaliarept.com
frejabe.com
grannegral.com
plushbr.com
xmailliwx.com
blogwhereyou.com (sinkholed by Kaspersky Lab)
grannegral.com (sinkholed by Kaspersky Lab)
Infection artifacts
| MD5 | Filename |
| 61d33dc5b257a18eb6514e473c1495fe | AwgXuBV31pGV.eXe |
| b5ada760476ba9a815ca56f12a11d557 | EL ARTE DE LA GUERRA.exe |
| d6c112d951cb48cab37e5d7ebed2420b | Hermosa XXX.rar |
| df2889df7ac209e7b696733aa6b52af5 | Hermosa XXX.pps.rar |
| e486eddffd13bed33e68d6d8d4052270 | Hermosa XXX.pps.rar |
| e9b2499b92279669a09fef798af7f45b | Suntzu.rar |
| f7e23b876fc887052ac8e2558f0d6c38 | Hot Brazilian XXX.rar |
| b26d1aec219ce45b2e80769368310471 | Signed_Update.jar |
Traces on infected machines
Creates the file Java Update.lnk pointing to appdata/Jre6/java.exe
Malware is installed in appdata/ MicroDes/
Running processes Creates Task Microsoft_up
Human part of “Machete”
Language
The first evidence is the language used, both for the victims and attackers, is Spanish.
The victims are all Spanish speaking according to the filenames of the stolen documents.
The language is also Spanish for the operators of the campaign, we can find all the server side code written in this language: reportes, ingresar, peso, etc.
Conclusion
The “Machete” discovery shows there are many regional players in the world of targeted attacks. Unfortunately, such attacks became a part of the cyber arsenal of many nations located over the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.
Kaspersky Lab products detect malicious samples related to this targeted attack as Trojan-Spy.Python.Ragua.
Note: A full analysis of the Machete attacks is available to the Kaspersky Intelligent Services customers. Contact: intelreports@kaspersky.com
Authors
From the same authors
In the same category
“El Machete”