Machete
Associated Group Descriptions

| Name | Description |
|---|---|
| APT-C-43 | (Citation: 360 Machete Sep 2020) |
| El Machete | (Citation: Cylance Machete Mar 2017) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Machete malware used Python’s urllib library to make HTTP requests to the C2 server.(Citation: Cylance Machete Mar 2017) |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Machete malware used FTP for C2.(Citation: Cylance Machete Mar 2017) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Machete used the Startup folder for persistence.(Citation: Cylance Machete Mar 2017) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Machete has used batch files to initiate additional downloads of malicious files.(Citation: 360 Machete Sep 2020) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Machete has embedded malicious macros within spearphishing attachments to download additional files.(Citation: 360 Machete Sep 2020) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Machete used multiple compiled Python scripts on the victim’s system; the group's main backdoor, also named Machete, is written in Python.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Machete created their own directories to drop files into.(Citation: Cylance Machete Mar 2017) |
| Enterprise | T1568.001 | Dynamic Resolution: Fast Flux DNS | Machete has used free dynamic DNS domains for C2.(Citation: Cylance Machete Mar 2017) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | The Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.(Citation: 360 Machete Sep 2020) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Machete has delivered spearphishing emails that contain a zipped file with malicious contents.(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Machete has sent phishing emails that contain a link to an external server hosting ZIP and RAR archives.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Machete has created scheduled tasks to maintain persistence.(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020) |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Machete has used msiexec to install the Machete malware.(Citation: 360 Machete Sep 2020) |
| Enterprise | T1204.001 | User Execution: Malicious Link | Machete has relied on users opening malicious links delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019) |
| Enterprise | T1204.002 | User Execution: Malicious File | Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020) |
References

- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries: HpReact campaign. Retrieved November 20, 2020.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- ESET. (2019, July). Machete Just Got Sharper: Venezuelan government institutions under attack. Retrieved September 13, 2019.