At the 29th Virus Bulletin International Conference (VB2019) in London, our researchers Veronica Valeros, Maria Rigaki, Kamila Babayeva and Sebastian Garcia presented their results on the study of Machete APT in their talk “A Study of Machete Cyber Espionage Operations in Latin America”.
Active since late 2010, Machete has become one of the largest cyber espionage operations in Latin America. Its lack of sophistication has not stopped the threat actors from continuously deploying new campaigns and operating almost uninterrupted.
Their research focused on answering some key questions on this threat and its operations:
Is this actor active?
Is this a group or an individual operating the malware?
Is Machete under continuous development?
Who are the targets?
An Active Threat for All Latin America
For 3 years, they tracked 176 campaigns and identified more than 300 unique malware modules, assembling what has become the largest corpus of Machete samples to date. Analysis of this corpus established that the earliest sample was first seen in December 2010. Since then, the malware operators have kept improving Machete to this day. Through careful analysis of almost 100 decoy documents used in the campaigns, the researchers got inside the minds of the attackers, mapping the threat actors' interests over the years.
Machete Development Has Not Stopped
In their presentation, our researchers showed a concise timeline of Machete's evolution, which illustrates how the operators never ceased improving the malware:
Dec 22, 2010: first Machete sample, 1 module, no decoy document.
Feb 28, 2011: first Machete with a decoy document.
Mar 10, 2011: Machete incorporates first module.
May 17, 2011: first fully modular Machete (5 modules).
Sep 14, 2011: Machete implements AES encryption of user data.
May 6, 2015: Machete starts obfuscating its Python source code.
Jan 24, 2017: first samples using Dropbox for exfiltration appear.
Apr 30, 2018: number of modules reduced to 3, added a compression step, and credentials are stored encrypted.