MITRE ATT&CK - Преступная группа Machete

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Machete

Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)

ID: G0095

Associated Groups: APT-C-43, El Machete

Version: 2.0

Created: 13 Sep 2019

Last Modified: 06 Oct 2021

Name	Description
Associated Group Descriptions
APT-C-43	(Citation: 360 Machete Sep 2020)
El Machete	(Citation: Cylance Machete Mar 2017)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Machete malware used Python’s urllib library to make HTTP requests to the C2 server.(Citation: Cylance Machete Mar 2017)
		.002	Application Layer Protocol: File Transfer Protocols	Machete malware used FTP for C2.(Citation: Cylance Machete Mar 2017)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Machete used the startup folder for persistence.(Citation: Cylance Machete Mar 2017)
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Machete has used batch files to initiate additional downloads of malicious files.(Citation: 360 Machete Sep 2020)
		.005	Command and Scripting Interpreter: Visual Basic	Machete has embedded malicious macros within spearphishing attachments to download additional files.(Citation: 360 Machete Sep 2020)
		.006	Command and Scripting Interpreter: Python	Machete used multiple compiled Python scripts on the victim’s system. Machete's main backdoor Machete is also written in Python.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)
Enterprise	T1074	.001	Data Staged: Local Data Staging	Machete created their own directories to drop files into.(Citation: Cylance Machete Mar 2017)
Enterprise	T1568	.001	Dynamic Resolution: Fast Flux DNS	Machete has used free dynamic DNS domains for C2.(Citation: Cylance Machete Mar 2017)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.(Citation: 360 Machete Sep 2020)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Machete has delivered spearphishing emails that contain a zipped file with malicious contents.(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)
		.002	Phishing: Spearphishing Link	Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Machete has created scheduled tasks to maintain Machete's persistence.(Citation: 360 Machete Sep 2020)
		.005	Scheduled Task/Job: Scheduled Task	Machete used scheduled tasks for persistence.(Citation: Cylance Machete Mar 2017)
Enterprise	T1218	.007	System Binary Proxy Execution: Msiexec	Machete has used msiexec to install the Machete malware.(Citation: 360 Machete Sep 2020)
Enterprise	T1204	.001	User Execution: Malicious Link	Machete has has relied on users opening malicious links delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)
		.002	User Execution: Malicious File	Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)

ID	Name	References	Techniques
Software
S0409	Machete	(Citation: 360 Machete Sep 2020) (Citation: ESET Machete July 2019) (Citation: Pyark) (Citation: Securelist Machete Aug 2014)	Deobfuscate/Decode Files or Information, Symmetric Cryptography, Private Keys, Exfiltration Over C2 Channel, File Deletion, Process Discovery, Video Capture, Software Packing, Scheduled Task, Browser Bookmark Discovery, System Network Connections Discovery, Credentials from Web Browsers, Standard Encoding, File Transfer Protocols, System Network Configuration Discovery, Masquerade Task or Service, Automated Exfiltration, Match Legitimate Name or Location, Scheduled Transfer, Local Data Staging, Clipboard Data, Registry Run Keys / Startup Folder, Audio Capture, Web Protocols, Application Window Discovery, Archive via Custom Method, Ingress Tool Transfer, Data from Removable Media, Exfiltration over USB, Asymmetric Cryptography, Keylogging, Peripheral Device Discovery, Data from Local System, Fallback Channels, Archive Collected Data, Python, File and Directory Discovery, System Information Discovery, Hidden Files and Directories, Screen Capture, Obfuscated Files or Information

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Machete

Associated Group Descriptions

Techniques Used

Software

References