Malware campaign targets users in Latin America
A modified version of a threat that first appeared in 2014 is successfully targeting users in Latin America according to the SPEAR research team at threat prevention specialist Cylance.
Attackers using the El Machete malware -- first identified by Kaspersky -- have moved to new C2 (command and control) infrastructure, based largely around dynamic DNS domains, in addition to making some minimal changes to the malware in order to evade signature-based detection.
SPEAR has been able to identify just over 300 unique victims over the past month, as well as over 100 GB of data that was successfully extracted and stored on one of the C2 servers. The bulk of the victims are based in Ecuador, Venezuela, Peru, Argentina, and Colombia. However, other victims have been identified in Korea, the United States, the Dominican Republic, Cuba, Bolivia, Guatemala, Nicaragua, Mexico, England, Canada, Germany, Russia, and Ukraine. Targets include a wide array of high-profile organizations, including intelligence services, military, utility providers, embassies, and government institutions.
An interesting aspect, according to the researchers, is that the majority of the most heavily targeted countries share a land border with Brazil, yet SPEAR didn't identify any Brazilian victims. The malware is delivered by phishing emails using links to external zip and RAR files containing code generated by the Nullsoft Scriptable Install System (NSIS) -- a technique seen in other recent attacks.
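As an added defender-side example (not code from the Cylance report), here is a small Python triage helper that flags archive members carrying the NSIS first-header marker, the build artifact behind the zip/RAR lures described above. The sample archive is constructed inline; only zip is handled, since RAR needs a third-party library.

```python
import io
import struct
import zipfile

# Marker NSIS writes at the start of its installer data block:
# siginfo 0xDEADBEEF (little-endian) followed by ASCII "NullsoftInst".
NSIS_MARKER = struct.pack("<I", 0xDEADBEEF) + b"NullsoftInst"


def is_nsis_installer(data: bytes) -> bool:
    """Heuristic: a PE file ('MZ') that carries the NSIS first-header marker."""
    return data[:2] == b"MZ" and NSIS_MARKER in data


def triage_archive(blob: bytes) -> list:
    """Return the names of zip members that look like NSIS-built executables.

    Members are only read into memory for inspection, never written to disk
    or executed.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            if is_nsis_installer(member):
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: one fake NSIS stub plus one benign text file.

    The stub is NOT a real installer; it only carries the marker bytes so the
    detection logic can be exercised offline.
    """
    fake_nsis = b"MZ" + b"\x00" * 510 + NSIS_MARKER + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", fake_nsis)
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))  # ['invoice.exe']
```

A hit only says the member was built with NSIS, which legitimate software also uses; treat it as a triage signal to pair with sender, link and C2-domain context rather than a verdict.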
"El Machete will no doubt continue to be successful across most Latin American countries as they struggle to build up both their offensive and defensive cyber capabilities," the researchers conclude. "Many of the targeted countries were listed as customers in the leaks of both FinFisher and Hacking Team, which suggests they likely have yet to fully mature and develop their own internal cyber capabilities. In any case, whoever is behind El Machete is certainly reaping the rewards of building and deploying their own custom malware."
You can find more details of the threat on the Cylance blog.