A group of cybercriminals has been targeting the Venezuelan military in a cyberespionage campaign, using documents stolen in earlier breaches to build convincing spear-phishing lures, according to cybersecurity company ESET.
The Machete group – first analysed by Kaspersky in 2014 – is believed to be behind more than 50 attacks on targets across Latin America, including policing, education and foreign affairs institutions.
Some 75% of these attacks were carried out against institutions in Venezuela, with a further 16% occurring in Ecuador. A small number of attacks were also carried out in Colombia and Nicaragua.
According to ESET, the group has been stealing gigabytes of confidential documents each week since April 2018.
The group appears to know what it is looking for, and is particularly interested in documents describing navigation routes and positioning using military grids.
How the Machete group infiltrates its victims
According to ESET, the Machete group uses highly targeted spear-phishing emails to trick its victims into opening a malicious attachment.
These emails, tailored to each target, reuse real documents taken in previous breaches, such as classified documents and radiograms (formatted military radio messages), to appear legitimate. The group also adopts military jargon and etiquette in its messages.
The attachment is a self-extracting archive: when opened, it unpacks and installs further malicious components on the machine without alerting the victim. These components form a backdoor that lets the group collect and encrypt documents for exfiltration, take screenshots of the victim's system and record keystrokes.
The components carry the word "Google" in their file names, seemingly to pass as legitimate Google software.
Roughly every 10 minutes, the compromised system contacts a command and control (C&C) server to send the stolen data back to the attackers.
“Machete’s operators use effective spear phishing techniques. Their long run of attacks, focused on Latin American countries, has allowed them to collect intelligence and refine their tactics over the years. They know their targets, how to blend into regular communications, and which documents are of the most value to steal,” Matias Porolli, a researcher for ESET, said.
The group has previously been observed changing its C&C servers and making small modifications to its malware in order to evade security tools.
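Two details above are useful to a defender: the implant phones home on a near-fixed 10-minute cycle, and the group rotates its C&C servers and tweaks its binaries, so hashes and domain blocklists age quickly. A more durable signal is the regularity of the traffic itself. The script below is an added example, not code from ESET or the article: it parses constructed proxy-style log lines (timestamp, client IP, destination host; the hosts are placeholders) and flags any client/destination pair whose requests recur at a nearly constant interval. The minimum event count and jitter threshold are assumptions to tune for your environment.

```python
"""Periodic-beacon detection over proxy log lines.

Added example, not ESET's or the article's code. It flags client/destination
pairs whose requests recur at a near-constant interval, the footprint a
backdoor that checks in roughly every 10 minutes leaves behind, whichever
server it is currently pointed at.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simple "ISO-timestamp client destination" layout.
# One host (10.20.1.15) talks to updates.example-cdn.test every ~10 minutes
# amid ordinary browsing; 10.20.1.22 is a normal user with irregular traffic.
SAMPLE_LOG = """\
2019-06-03T08:00:05 10.20.1.15 updates.example-cdn.test
2019-06-03T08:00:07 10.20.1.15 news.example.test
2019-06-03T08:10:04 10.20.1.15 updates.example-cdn.test
2019-06-03T08:12:41 10.20.1.15 mail.example.test
2019-06-03T08:20:06 10.20.1.15 updates.example-cdn.test
2019-06-03T08:30:05 10.20.1.15 updates.example-cdn.test
2019-06-03T08:33:19 10.20.1.15 news.example.test
2019-06-03T08:40:04 10.20.1.15 updates.example-cdn.test
2019-06-03T08:50:06 10.20.1.15 updates.example-cdn.test
2019-06-03T08:51:00 10.20.1.15 news.example.test
2019-06-03T09:00:05 10.20.1.15 updates.example-cdn.test
2019-06-03T08:05:00 10.20.1.22 news.example.test
2019-06-03T08:07:30 10.20.1.22 mail.example.test
2019-06-03T08:40:00 10.20.1.22 news.example.test
2019-06-03T08:41:10 10.20.1.22 mail.example.test
2019-06-03T08:59:59 10.20.1.22 news.example.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_lines(text):
    """Group request timestamps by (client, destination); skip malformed lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, dst = match.groups()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_events=4, max_cv=0.1):
    """Return pairs whose inter-request gaps have a low coefficient of variation.

    min_events and max_cv are assumed tuning values: fewer than four requests
    gives too few gaps to judge, and a CV above 0.1 means the timing wanders
    more than a simple fixed-sleep implant normally does.
    """
    findings = []
    for (src, dst), times in parse_lines(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "interval_s": round(mean_gap),
                "cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"~{hit['interval_s']}s apart (cv={hit['cv']})")
```

On the sample, only the 10.20.1.15 to updates.example-cdn.test pair is reported, at about 600 seconds with near-zero jitter; the browsing traffic is too irregular to clear the threshold. The check is indicator-agnostic, which is the point when the adversary moves servers, but it has known blind spots: an implant that randomises its sleep interval, or one that beacons less often than your log retention window covers, will not stand out. Treat a hit as a lead for host inspection rather than a verdict.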
Who is behind the Machete attacks?
It is unclear who is behind the group or where it operates from. Kaspersky previously noted that the group appears to be from a Spanish-speaking country, given the attackers are fluent in Spanish and target Spanish-speaking organisations.
Cylance has suggested that attackers may be based in Brazil, given that no attacks had been carried out there despite it sharing a border with the targeted countries. However, less than 1% of the Brazilian population is known to speak Spanish fluently.
What is unusual about these attacks is that the documents stolen point to cyberespionage rather than profit. However, the researchers told ZDNet that they had not previously observed a Spanish-speaking nation-state group.
Typically, cybercriminal groups that are not state-sponsored carry out attacks with a financial motive. However, the attackers are not believed to be demanding ransoms or accessing the financial systems of the organisations they target.
Rather, the group could be stealing this information to sell to the highest bidder, or may have been hired to launch attacks on behalf of a third party. This would fit the group's history: it has previously been linked to attacks on targets in Russia, the United States, Spain, Sweden and China between 2014 and 2017, before turning its attention to Latin American military-connected institutions.