Machete
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| Pyark | (Citation: 360 Machete Sep 2020) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Machete uses HTTP for Command & Control.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020) |
| .002 | Application Layer Protocol: File Transfer Protocols |
Machete uses FTP for Command & Control.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020) |
||
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
Machete's collected data is encrypted with AES before exfiltration.(Citation: ESET Machete July 2019) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Machete used the startup folder for persistence.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017) |
| Enterprise | T1059 | .006 | Command and Scripting Interpreter: Python |
Machete is written in Python and is used in conjunction with additional Python scripts.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Machete collects stored credentials from several web browsers.(Citation: ESET Machete July 2019) |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Machete has used base64 encoding.(Citation: Securelist Machete Aug 2014) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Machete stores files and logs in a folder on the local drive.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Machete has used AES to exfiltrate documents.(Citation: ESET Machete July 2019) |
| .002 | Encrypted Channel: Asymmetric Cryptography |
Machete has used TLS-encrypted FTP to exfiltrate data.(Citation: Cylance Machete Mar 2017) |
||
| Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014) |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.(Citation: ESET Machete July 2019) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Once a file is uploaded, Machete will delete it from the machine.(Citation: ESET Machete July 2019) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Machete logs keystrokes from the victim’s machine.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020) |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.(Citation: ESET Machete July 2019) |
| .005 | Masquerading: Match Legitimate Name or Location |
Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014) |
||
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Machete has been packed with NSIS.(Citation: ESET Machete July 2019) |
| .010 | Obfuscated Files or Information: Command Obfuscation |
Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019) |
||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
The different components of Machete are executed by Windows Task Scheduler.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014) |
| Enterprise | T1552 | .004 | Unsecured Credentials: Private Keys |
Machete has scanned and looked for cryptographic keys and certificate file extensions.(Citation: ESET Machete July 2019) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0095 | Machete |
(Citation: Securelist Machete Aug 2014) (Citation: ESET Machete July 2019) |
References
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.