In the rapid cycle rise and disappearance of malware campaigns, there are only a few campaigns that last for several years. One of these, is the El Machete malware, which was first discovered by Kaspersky, and is thought to have been active since 2010.
Cylance reported on recent activity from this campaign, and presented evidence that El Machete's targets include intelligence services, military, embassies and government institutions, mainly in South America and a few targets in Russia and Europe.
Research on the malware shows it to have keystroke logging, audio and video capture, plus the ability to capture screenshots, geolocation data, and other sensor inputs.
Distribution of the malware relies on phishing emails which include links to external ZIP or RAR archives. These contain an executable with the extension .SCR. Most of the SCR files found recently in the campaign were named in Spanish, for example LISTA DEL RADG N° 0931208.scr.
The malware's executables are written as Python scripts and are only compatible with the Python v2.7 interpreter. The delivery of data from the infected machine is performed over TCP protocol on port 21 (FTP), after the files were encrypted using a predefined AES-CBC encryption key.
Enabling the TSCritical targets in your user policy will add protection against El Machete to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account
If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub. Or contact our