win.machete (Back to overview)


aka: El Machete

According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings.
GoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.
Regarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.
The GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.

2019-11-27ThreatVectorAdam Martin
@online{martin:20191127:threat:e91b6bf, author = {Adam Martin}, title = {{Threat Spotlight: Machete Info-Stealer}}, date = {2019-11-27}, organization = {ThreatVector}, url = {}, language = {English}, urldate = {2020-01-08} } Threat Spotlight: Machete Info-Stealer
2019-09-12Virus BulletinVeronica Valeros, Maria Rigaki, Kamila Babayeva, Sebastian García
@techreport{valeros:20190912:study:7d8a8a6, author = {Veronica Valeros and Maria Rigaki and Kamila Babayeva and Sebastian García}, title = {{A STUDY OF MACHETE CYBER ESPIONAGE OPERATIONS IN LATIN AMERICA}}, date = {2019-09-12}, institution = {Virus Bulletin}, url = {}, language = {English}, urldate = {2019-11-29} } A STUDY OF MACHETE CYBER ESPIONAGE OPERATIONS IN LATIN AMERICA
2019-08-05ESET ResearchESET Research
@online{research:20190805:sharpening:878343f, author = {ESET Research}, title = {{Sharpening the Machete}}, date = {2019-08-05}, organization = {ESET Research}, url = {}, language = {English}, urldate = {2019-11-14} } Sharpening the Machete
2017-06-26Medium verovalerosVeronica Valeros
@online{valeros:20170626:el:4de6e36, author = {Veronica Valeros}, title = {{El Machete — What do we know about the APT targeting Latin America?}}, date = {2017-06-26}, organization = {Medium verovaleros}, url = {}, language = {English}, urldate = {2019-11-25} } El Machete — What do we know about the APT targeting Latin America?
2017-03-22CylanceCylance Threat Research Team
@online{team:20170322:el:59e85c5, author = {Cylance Threat Research Team}, title = {{El Machete's Malware Attacks Cut Through LATAM}}, date = {2017-03-22}, organization = {Cylance}, url = {}, language = {English}, urldate = {2020-01-07} } El Machete's Malware Attacks Cut Through LATAM
Machete El Machete
2014-08-20Kaspersky LabsGReAT
@online{great:20140820:el:c4534ec, author = {GReAT}, title = {{“El Machete”}}, date = {2014-08-20}, organization = {Kaspersky Labs}, url = {}, language = {English}, urldate = {2019-12-20} } “El Machete”
Machete El Machete

There is no Yara-Signature yet.