Cyber spies whip out 'Machete', stride towards Latin America

¡Ay, caramba! Don't open hot Brazilian XXX.rar

Beginner's guide to SSL certificates

Security watchers are tracking a new cyber-espionage campaign that appears to be targetting Latin American countries including Venezuela, Colombia and Ecuador.

The so-called "Machete" campaign has been zoning in on governments, military and law enforcement agencies and embassies in South America for the last four years, stealing gigabytes of confidential data in the process, according to security researchers at Kaspersky Lab.

Tricks in the toolbox of malware associated with Machete include copying files to a remote server or a special USB device if inserted, hijacking clipboard content, key logging, computer microphone audio capturing, taking screenshots, getting geo-location data, and taking photos using the web camera of infected computers. The attackers are using social engineering techniques – such as spear-phishing and booby-trapping fake blogs with malicious code – to distribute their wares.

One unusual technical feature of the campaign is the use of Python compiled into Windows executable files, but this does not have any advantage for the attackers except ease of coding, according to Kaspersky Lab. Machete was updated with renewed infrastructure in 2012.

The lure files include El arte de la guerra.rar (a reference to Sun Tzu's Art of War and the self-explanatory Hot brazilian XXX.rar, both actually self-extracting archives. The consequence of embedding Python code inside the executables is that these installers include all the necessary Python libraries as well as the PowerPoint file shown to the victim, resulting extremely large files of more than 3MB.

There are no indications of exploits using zero-day vulnerabilities and both the coding and tactics in play are fairly standard. Despite this relative simplicity, Kaspersky Lab experts identified 778 victims around the globe.

“Despite the simplicity of the tools used in this campaign, the results show it was very effective," said Dmitry Bestuzhev, head of Kaspersky Lab’s Latin American research team. "It looks like threat actors in Latin America are adopting techniques of APT campaigns seen around the world."

Attackers behind the campaign appear to be Spanish speaking, with roots somewhere in Latin America. Victims outside Latin America were recorded but they all appeared to have ties back to the continent. For example, a Latin American embassy in Russia was among the victims of the campaign.

More details on Machete can be found in a blog post by Kaspersky Lab here. ®

Remote control for virtualized desktops

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Hikvision devices wide open to hacking, claim securobods
prev story


Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.