Machete targets officials and military personnel from countries such as Ecuador, and the information it obtains allows one state to gain an advantage over another at a time of negotiation, even by monitoring the movement of its troops. The Machete malware is carrying out cyber espionage aimed at government and military agencies in Ecuador, Colombia, Nicaragua, and Venezuela. It steals terabytes of information daily, and it has no limits unless the victim discovers it and stops the activity. Not only that: it can enable the phone's microphone and camera and listen to conversations held offline.
How do we know?
To understand how a piece of malware works you have to go to the source. Its creator may never answer for it, but those who first detected it in 2012 (it was made public in 2014) can speak to it. That is Dmitry Bestuzhev, director of Kaspersky's Global Research and Analysis Team for Latin America. He oversees the anti-malware research and analysis work, produces reports and forecasts for the region, and is an expert in corporate security, cyber espionage, and complex targeted attacks. What do we need to know about Machete?
When, who and where?
It's an operation originally discovered in Ecuador, in 2012. We made the public announcement in 2014 and discovered the operations of this Latin American group. We know that it operates from a neighboring country and that it still has Ecuador as one of its targets.
Machete has undergone various changes over its history. Roughly between 2014 and 2016 all operations were halted; however, by 2017 the group was restructured and launched new attacks that remain active to this day.
It is something well structured, that is, it has the backing of a nation. Why? We can tell from the number of years it has remained active and from its objectives: the theft of information that has value to a state.
What kind of information does it steal and what is its objective?
Anything the attacker wants to steal. There are no limits. All the information they need can be stolen in its entirety.
It is not credit cards or data that can be turned into easy money, but information that may be of interest to a state seeking an advantage at a time of negotiation or troop movement.
How does Machete operate?
The attack vector is email. Emails are sent very selectively, not en masse. The victim is carefully chosen and lured with highly interesting attachments. It can be, for example, the latest events in the news; the file name is then disguised to match, and the victim is trapped.
Once the file is opened and the machine is taken over, the malware installs itself and reports to the command and control center. The attacker thus receives preliminary information such as the IP address, which network cards exist, and even the names of the wireless networks and which one the victim is connected to. Then the operator behind it launches the second step: infiltration.
What are the basic recommendations?
For response centers: it is important to monitor not only the incoming traffic but also the traffic leaving your network. Identify suspicious domains; those domains are the command and control center. You have to work on the infected machines and do investigative work, which will often require external help.
For potential victims: officials and military personnel must remember that they are the target of targeted attacks. If they receive a suspicious email, even slightly so, they can always pick up the phone and call the sender. This is human verification. If they have a response center, they can forward the emails to it so it can make sure there is no danger.
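The egress-monitoring advice above (watch traffic leaving the network, find the domains that are the command and control center) can be turned into a small triage script. The following is an added example, not code from the article, from Kaspersky, or from any Machete analysis; the log format (timestamp, source host, destination domain), the host names and the domain names are constructed for illustration, and the two heuristics it combines are general ones: a domain reached by only one internal host is worth a look, and a host that contacts the same domain on a near-constant timer behaves like an implant checking in rather than like a person browsing.

```python
"""Egress triage: flag hosts that beacon to rare outbound domains.

Added example, not code from the article or from any vendor report.
The log format, hosts and domains below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy/DNS log lines: "<ISO timestamp> <source host> <destination domain>".
# ws-finance-07 contacts svc-updates.example.net every 5 minutes; nobody else does.
SAMPLE_LOG = """\
2019-08-01T09:00:00 ws-finance-07 svc-updates.example.net
2019-08-01T09:00:03 ws-finance-07 news.example.com
2019-08-01T09:01:10 ws-legal-02 news.example.com
2019-08-01T09:05:00 ws-finance-07 svc-updates.example.net
2019-08-01T09:10:00 ws-finance-07 svc-updates.example.net
2019-08-01T09:12:41 ws-ops-11 mail.example.org
2019-08-01T09:15:00 ws-finance-07 svc-updates.example.net
2019-08-01T09:20:00 ws-finance-07 svc-updates.example.net
2019-08-01T09:22:05 ws-legal-02 mail.example.org
2019-08-01T09:25:00 ws-finance-07 svc-updates.example.net
2019-08-01T09:31:17 ws-ops-11 news.example.com
2019-08-01T09:44:02 ws-legal-02 news.example.com
"""


def parse_log(text):
    """Parse the constructed three-column format into (datetime, host, domain) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        records.append((datetime.fromisoformat(ts), host, domain.lower()))
    return records


def rare_domains(records, max_hosts=1):
    """Domains contacted by at most `max_hosts` distinct internal hosts.

    A C2 domain is usually reached by one or a handful of victims, whereas a
    legitimate service is contacted across the fleet.
    """
    hosts_per_domain = defaultdict(set)
    for _, host, domain in records:
        hosts_per_domain[domain].add(host)
    return {d: sorted(h) for d, h in hosts_per_domain.items() if len(h) <= max_hosts}


def beacon_candidates(records, min_connections=5, max_cv=0.2):
    """(host, domain) pairs whose inter-connection gaps are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps; a timer-driven check-in gives a value near 0, human browsing does not.
    """
    stamps_by_pair = defaultdict(list)
    for ts, host, domain in records:
        stamps_by_pair[(host, domain)].append(ts)
    findings = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = {"connections": len(stamps), "mean_gap_s": avg, "cv": round(cv, 3)}
    return findings


def triage(text):
    """Return (host, domain, stats) for beacon-like traffic to a rare domain."""
    records = parse_log(text)
    rare = rare_domains(records)
    beacons = beacon_candidates(records)
    return [(h, d, stats) for (h, d), stats in beacons.items() if d in rare]


if __name__ == "__main__":
    for host, domain, stats in triage(SAMPLE_LOG):
        print(f"{host} -> {domain}: {stats}")
```

Neither heuristic is proof of compromise on its own: a software update agent also beacons on a timer, and a single-user SaaS tool is also a rare domain. The pair is only a prioritisation for the investigative work the interview describes; the flagged host still has to be examined, and the domain checked against threat intelligence before it is treated as a command and control server.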