A cyber-espionage group known as "Machete" has been observed stealing sensitive files from the Venezuelan military, according to an ESET report published today.
The group, known to have been active since 2010, has historically gone after a wide range of targets from all over the world. However, ESET said that starting with this year, Machete has primarily been focusing its hacking efforts on Venezuela.
During a period between March and May 2019, ESET said it saw at least 50 infected computers contacting the Machete command-and-control (C&C) servers.
Around 75% of these infections were located in Venezuela, and more than half of the infected computers belonged to the Venezuelan military.
"The attackers exfiltrate specialized file types used by geographic information systems (GIS) software," said ESET security researcher Matias Porolli. "The group is specifically interested in files that describe navigation routes and positioning using military grids."
Besides Venezuela, the Machete group has also targeted neighboring countries. ESET said the Ecuadorian military has also been a target as well.
Spear-phishing with radiograms
The group's tactics aren't even that original. They rely on the old tactic of sending spear-phishing emails with malicious files as attachments.
All cyber-espionage groups operate this way. The only novelty here, according to ESET, is that Machete uses real documents that have been stolen from previous attacks.
The group has a taste for using radiograms (radiographs), which are specific documents used for communications within militaries around the world.
The documents, when opened, will infect victims with the group's malware, a backdoor trojan. Per ESET, the group has been using a new version of its malware for over a year, different from the previous one seen in previous attacks, as documented by Kaspersky and Cylance in 2014 and 2017, respectively.
"The malware described by Kaspersky has many similarities to what we have seen this year," an ESET spokesperson told ZDNet in an email last week. "The malware that we describe in our paper is a new version and we are pretty certain that we are not talking about copycats here - it is indeed the same group."
"Previous versions of Machete had similar capabilities for stealing information and similar infrastructure, but differences in how the malware was delivered, in the code and also in the targets. It seems that previous versions of Machete were not so targeted in Latin America as they are now," they added.
ESET researchers said Machete's recent campaign is still active to this day, and the hackers have been very successful, exfiltrating gigabytes of confidential files each week.
Unknown if Machete is a state-sponsored APT
But while the group has left a trail of hacks all over the world since 2010, researchers are no closer now to identifying who is behind the Machete group.
In 2014, Kaspersky said Machete members appear to be Spanish-speaking individuals.
"Attribution is based on what we can actually observe," the ESET team told ZDNet. "Several hints and artifacts we saw during the course of our investigation lead us to support the claim that this is a Spanish-speaking group, as was said by other researchers in the past."
But Spanish-speaking nation-state hacker groups have not been seen before. Most are cybercrime-focused.
"Unfortunately, we cannot know if they are a state-sponsored group or if they are an independent group selling information to the highest bidder," ESET told us.
Related malware and cybercrime coverage:
- Louisiana governor declares state emergency after local ransomware outbreak
- Development stops on Empire framework after project reaches its goal
- Major card breach alert in South Korea
- New Windows malware sets up proxies on your PC to relay malicious traffic
- GermanWiper ransomware hits Germany hard, destroys files, asks for ransom
- No More Ransom project has prevented ransomware profits of at least $108 million
- Malware lingers in SMBs for an average of 800 days before discovery TechRepublic
- US mayors resolve not to pay hackers over ransomware attacks CNET