Machete

Machete is a cyber espionage toolset used by the threat group of the same name, Machete (G0095). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[1][2][3]

ID: S0409
Associated Software: Pyark
Type: MALWARE
Platforms: Windows
Contributors: Matias Nicolas Porolli, ESET
Version: 2.1
Created: 13 September 2019
Last Modified: 22 March 2023

Associated Software Descriptions

Name Description
Pyark [3]

Techniques Used

Domain ID Name Use
Enterprise T1025 Data from Removable Media

Machete can find, encrypt, and upload files from fixed and removable drives.[4][1]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Machete collects stored credentials from several web browsers.[1]

Enterprise T1005 Data from Local System

Machete searches the file system for files of interest.[1]

Enterprise T1036.004 Masquerading: Masquerade Task or Service

Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[1][2]

Enterprise T1115 Clipboard Data

Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.[1][2]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Machete has used AES to exfiltrate documents.[1]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

Machete has used TLS-encrypted FTP to exfiltrate data.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

Machete’s downloaded data is decrypted using AES.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Machete used the startup folder for persistence.[2][4]

Enterprise T1059.006 Command and Scripting Interpreter: Python

Machete is written in Python and is used in conjunction with additional Python scripts.[1][2][3]

Enterprise T1008 Fallback Channels

Machete has sent data over HTTP if FTP failed, and has also used a fallback server.[1]

Enterprise T1120 Peripheral Device Discovery

Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.[1]

Enterprise T1113 Screen Capture

Machete captures screenshots.[1][2][4][3]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Machete uses HTTP for command and control (C2).[1][4][3]

Enterprise T1071.002 Application Layer Protocol: File Transfer Protocols

Machete uses FTP for command and control (C2).[1][4][3]

Enterprise T1010 Application Window Discovery

Machete saves the window names.[1]

Enterprise T1560 Archive Collected Data

Machete stores zipped files with profile data from installed web browsers.[1]

Enterprise T1560.003 Archive Collected Data: Archive via Custom Method

Machete's collected data is encrypted with AES before exfiltration.[1]

Enterprise T1074.001 Data Staged: Local Data Staging

Machete stores files and logs in a folder on the local drive.[1][4]

Enterprise T1132.001 Data Encoding: Standard Encoding

Machete has used base64 encoding.[2]

Enterprise T1083 File and Directory Discovery

Machete produces file listings in order to search for files to be exfiltrated.[1][4][3]

Enterprise T1552.004 Unsecured Credentials: Private Keys

Machete has scanned and looked for cryptographic keys and certificate file extensions.[1]

Enterprise T1217 Browser Information Discovery

Machete retrieves user profile data from the Chrome and Firefox browsers.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Machete has been packed with NSIS.[1]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[4][1]

Enterprise T1070.004 Indicator Removal: File Deletion

Once a file is uploaded, Machete will delete it from the machine.[1]

Enterprise T1082 System Information Discovery

Machete collects the hostname of the target computer.[1]

Enterprise T1049 System Network Connections Discovery

Machete uses the netsh wlan show networks mode=bssid and netsh wlan show interfaces commands to list nearby Wi-Fi networks and the connected wireless interfaces.[1]

Enterprise T1016 System Network Configuration Discovery

Machete collects the MAC address of the target computer and other network configuration information.[1][3]

Enterprise T1020 Automated Exfiltration

Machete’s collected files are exfiltrated automatically to remote servers.[1]

Enterprise T1125 Video Capture

Machete takes photos from the computer’s web camera.[2][4][3]

Enterprise T1105 Ingress Tool Transfer

Machete can download additional files for execution on the victim’s machine.[1]

Enterprise T1056.001 Input Capture: Keylogging

Machete logs keystrokes from the victim’s machine.[1][2][4][3]

Enterprise T1057 Process Discovery

Machete has a component to check for running processes to look for web browsers.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Machete's collected data is exfiltrated over the same channel used for C2.[1]

Enterprise T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB

Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[1][2]

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.[1]

Enterprise T1123 Audio Capture

Machete captures audio from the computer’s microphone.[2][4][3]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

The different components of Machete are executed by Windows Task Scheduler.[1][2]

Enterprise T1029 Scheduled Transfer

Machete sends stolen data to the C2 server every 10 minutes.[1]

Groups That Use This Software

ID Name References
G0095 Machete [2][1]

References