Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. Machete

Machete

Machete is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.[1][2][3]

ID: G0095
Associated Groups: El Machete
Contributors: Matias Nicolas Porolli, ESET
Version: 1.2
Created: 13 September 2019
Last Modified: 22 September 2020

Associated Group Descriptions

Name Description
El Machete

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Machete malware used FTP for C2.[1]
.001 Application Layer Protocol: Web Protocols

Machete malware used Python’s urllib library to make HTTP requests to the C2 server.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Machete used the startup folder for persistence.[1]
Enterprise T1059 .006 Command and Scripting Interpreter: Python

Machete used multiple compiled Python scripts on the victim’s system.[1]
Enterprise T1025 Data from Removable Media

Machete had a module in its malware to find, encrypt, and upload files from fixed and removable drives.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

Machete created their own directories to drop files into.[1]
Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

Machete has used free dynamic DNS domains for C2.[1]
Enterprise T1027 Obfuscated Files or Information

Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Machete has delivered spearphishing emails that contain a zipped file with malicious contents.[2][3]
.002 Phishing: Spearphishing Link

Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[1][3]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Machete used scheduled tasks for persistence.[1]
Enterprise T1204 .002 User Execution: Malicious File

Machete has has relied on users opening malicious attachments delivered through spearphishing to execute malware.[1][2][3]
.001 User Execution: Malicious Link

Machete has has relied on users opening malicious links delivered through spearphishing to execute malware.[1][2][3]

Software

ID Name References Techniques
S0409 Machete [2][3] Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Audio Capture, Automated Exfiltration, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Python, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Exfiltration Over Physical Medium: Exfiltration over USB, Fallback Channels, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Process Discovery, Scheduled Task/Job: Scheduled Task, Scheduled Transfer, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Unsecured Credentials: Private Keys, Video Capture

References

  1. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  2. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  1. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.