
Machete Trojan

First observed in early 2019, Machete (also known as Ragua) is a Python-based information stealing trojan. Originally targeted at Spanish-speaking Latin American countries, it has begun to appear in campaigns in Europe and North America.




Affected platforms

The following platforms are known to be affected:

Threat details

Machete is delivered via a Nullsoft SFX package disguised as a Microsoft PowerPoint file (PPTX), which is itself distributed through spam or phishing campaigns. When opened, this package will drop several Java files containing the Machete payload, along with a Python script to execute them.

Once installed, Machete will attempt to collect user and system information before sending it to a command and control server. It then awaits further commands, which include keylogging, video and audio capture, and process termination.


Remediation steps


To prevent and detect a trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset from a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.


Indicators of compromise

Main indicators

Filenames

  • caso.txt
  • Java.exe - keylogger
  • JavaAlq.exe
  • JavaD.exe
  • JavaH.exe
  • JavaK.exe - webcam image capture
  • JavaS.exe
  • JavaTM.exe - process terminator
  • JavaUe.exe - document directory checker
  • Ujavap.exe

Filepaths

  • C:\Users\%USERNAME%\AppData\Roaming\java
  • C:\Users\%USERNAME%\AppData\Roaming\Bin\Jre6\
  • C:\Users\%USERNAME%\AppData\Roaming\MicroDes

Commands

  • C:\Windows\system32\cmd.exe /c SCHTASKS /create /ST 00:00:01 /SC MINUTE /MO 60 /TR "\"C:\Users\%USERNAME%\AppData\Roaming/MicroDes/JavaH.exe"\" /TN Microsoft_up, null"

SHA256 File Hashes

  • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69

Last edited: 29 June 2021 11:57 am