Machete

Machete is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.[1][2][3]

ID: G0095
Associated Groups: El Machete
Contributors: Matias Nicolas Porolli, ESET
Version: 1.0
Created: 13 September 2019
Last Modified: 15 October 2019

Associated Group Descriptions

Name Description
El Machete [1]

Techniques Used

Domain ID Name Use
Enterprise T1043 Commonly Used Port

Machete used TCP port 21 for C2.[1]

Enterprise T1025 Data from Removable Media

Machete had a module in its malware to find, encrypt, and upload files from fixed and removable drives.[1]

Enterprise T1074 Data Staged

Machete created their own directories to drop files into.[1]

Enterprise T1027 Obfuscated Files or Information

Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Machete used the startup folder for persistence.[1]

Enterprise T1053 Scheduled Task

Machete used scheduled tasks for persistence.[1]

Enterprise T1064 Scripting

Machete used multiple compiled Python scripts on the victim’s system.[1]

Enterprise T1193 Spearphishing Attachment

Machete has delivered spearphishing emails that contain a zipped file with malicious contents.[2][3]

Enterprise T1192 Spearphishing Link

Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[1][3]

Enterprise T1071 Standard Application Layer Protocol

Machete malware used FTP and Python’s urllib library to make HTTP requests to the C2 server.[1]

Enterprise T1032 Standard Cryptographic Protocol

Machete has relied on TLS-encrypted FTP to transfer data out of target environments.[1]

Enterprise T1204 User Execution

Machete has relied on users opening malicious links or attachments delivered through spearphishing to execute malware.[1][2][3]

Software

ID Name References Techniques
S0409 Machete [2] [3] Application Window Discovery, Audio Capture, Automated Exfiltration, Browser Bookmark Discovery, Clipboard Data, Credentials from Web Browsers, Credentials in Files, Data Compressed, Data Encrypted, Data from Local System, Data from Removable Media, Data Staged, Deobfuscate/Decode Files or Information, Exfiltration Over Command and Control Channel, Exfiltration Over Physical Medium, Fallback Channels, File and Directory Discovery, File Deletion, Hidden Files and Directories, Input Capture, Masquerading, Obfuscated Files or Information, Peripheral Device Discovery, Private Keys, Process Discovery, Remote File Copy, Scheduled Task, Scheduled Transfer, Screen Capture, Scripting, Software Packing, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Video Capture

References