Most victims have been recorded in Venezuela and Ecuador

Aug 22, 2014 08:23 GMT

A new cyber-espionage campaign has been discovered, aiming at intelligence services, military organizations, embassies and government institutions in Spanish-speaking countries.

Leveraging a piece of malware that looks like a Java-related application and which Kaspersky dubbed Machete, the actors behind the campaign rely on targeted attacks to infect the victim’s computer and turn it into a spying tool.

Apart from offering access to the files on the machine and exfiltrating them to a remote server, Machete can be used for logging keystrokes, capturing audio through the computer’s microphone, grabbing screenshots, getting the geographical location of the system and snapping pictures with the webcam.

The threat actors made sure that the collected data can still be retrieved through physical access when a connection to the command and control server is not possible: Machete copies the files to a specially prepared USB storage device as soon as it is plugged into the computer.

Security researchers from Kaspersky analyzed the threat and determined that it has been used for at least four years, benefiting from improvements two years ago.

“‘Machete’ is a targeted attack campaign with Spanish speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may be still ‘active’,” the experts say.

The largest number of victims appears to be in Venezuela (372), followed by Ecuador (282) and Colombia (85). However, other countries are also affected, with 45 victims discovered in Russia, where the target seems to be an embassy of a Latin American country.

Distribution of the malware is done through spear-phishing campaigns and through a fake website, relying solely on social engineering techniques. No zero-day vulnerabilities are exploited by the attackers.

Security researchers said that at one point the threat actors ran a dedicated spear-phishing campaign that used PowerPoint presentation files to deliver the malware. Some of the items purported to be Sun Tzu’s “The Art of War,” while the names of others suggested images of great-looking women.

According to Kaspersky, the “files are in reality Nullsoft Installer self-extracting archives and have compilation dates going back to 2008.”

For easier coding, the malware authors used Python and embedded all the necessary libraries in the Windows executables, along with the PowerPoint presentation file that is displayed as a decoy while the threat installs itself.
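The lure format described above (a Windows executable built as a Nullsoft self-extracting installer, carrying a Python runtime and a decoy presentation) suggests a simple triage check a defender can run on suspicious attachments. The following is an added example written for this article, not Kaspersky's tooling; the Python DLL names, the `NullsoftInst` marker and the sample blobs are assumptions and constructed data, not indicators from the report.

```python
from dataclasses import dataclass

# Markers for the pattern the article describes: a PE ("MZ") built with the
# Nullsoft installer that carries an embedded Python runtime and a decoy .ppt.
PE_MAGIC = b"MZ"
NSIS_MARKER = b"NullsoftInst"  # magic string in the NSIS first-header block (assumed)
PYTHON_MARKERS = (b"python27.dll", b"python26.dll", b"python25.dll")  # assumed DLL names
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .ppt/.pps compound-file header
DECOY_EXTENSIONS = (".ppt", ".pps", ".pptx")

@dataclass
class TriageResult:
    is_pe: bool
    nsis_installer: bool
    embedded_python: bool
    embedded_decoy: bool
    extension_mismatch: bool

    @property
    def suspicious(self) -> bool:
        # A "presentation" that is really an NSIS package with an interpreter
        # inside, or that hides a PE behind a document extension, is flagged.
        return self.is_pe and self.nsis_installer and (
            self.embedded_python or self.extension_mismatch)

def triage(filename: str, data: bytes) -> TriageResult:
    """Inspect file bytes and name for the decoy-installer pattern."""
    is_pe = data[:2] == PE_MAGIC
    name = filename.lower()
    return TriageResult(
        is_pe=is_pe,
        nsis_installer=NSIS_MARKER in data,
        embedded_python=any(m in data for m in PYTHON_MARKERS),
        embedded_decoy=OLE_MAGIC in data[2:],  # OLE header buried inside the PE
        # catches both "x.pps" and double extensions such as "x.pps.exe"
        extension_mismatch=is_pe and any(ext in name for ext in DECOY_EXTENSIONS),
    )

# Constructed sample: fake PE carrying NSIS and Python markers plus a decoy OLE header.
SAMPLE_LURE = (b"MZ" + b"\x00" * 60 + NSIS_MARKER + b"\x00" * 16
               + b"python27.dll" + b"\x00" * 8 + OLE_MAGIC + b"\x00" * 32)
# Constructed sample: a plain legacy PowerPoint file (OLE header only).
SAMPLE_PPT = OLE_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("art_of_war.pps.exe", SAMPLE_LURE), ("slides.ppt", SAMPLE_PPT)):
        result = triage(name, blob)
        print(name, "suspicious" if result.suspicious else "clean", result)
```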

Kaspersky discovered eight domains used for command and control, and managed to sinkhole two of them.

The company believes that this is not the only targeted attack running in Latin America and that parallel operations are ongoing in other related regions.