Introduction
Machete is an info-stealing malware that can harvest user credentials, chat logs, screenshots, webcam pictures, geolocation, and perform keylogging. It can also copy files to a USB device and take control of the clipboard to exfiltrate information.
Machete is typically distributed via social engineering techniques and malicious websites. The user is enticed into opening the original executable under the premise that they are opening a PowerPoint presentation. This is in fact a Nullsoft installer SFX.
The PowerPoint content ranges from illicit images to cleverly crafted images meant to resemble government or military documentation. The most common file names are "Hermosa xxx,pps,rar", "Suntzu.rar", and "Hot brazilian XXX.rar". Based on language found within the file, along with open-source information, the intended targets appear to be Spanish-speaking nations across Latin America. The payload is typically packaged alongside a PowerPoint presentation inside a Nullsoft installer SFX. The executables within the SFX are compiled from Python.
Technical Analysis
Static Analysis Pre/Post SFX Extraction
The original executable is disguised as a document; however, it is an SFX Nullsoft installation file:
Figure 1: Original SFX disguised as a document
Once extracted, the following folders are created in the working directory, which also contains further NullSoft SFX files:
Figure 2: Phase 2 of SFX
Figure 3: Phase 3 of SFX
The fourth extraction creates a folder containing a PowerPoint presentation file and another SFX file disguised as a Java executable:
Figure 4: Phase 4 of extraction, revealing two files
The JavaAlq.exe file contains a multitude of Java-named executables along with a series of Python libraries:
Figure 5: JavaAlq.exe post-extraction
Each of the Java executables contained within the original JavaAlq.exe is compiled from a Python script and bundles the large set of Python libraries it needs in order to run. These Java executables all contain a payload component:
Figure 6: Python-script resource section found in each Java executable
The raw script can be extracted from the executables using a Py2Exe Binary Editor:
Figure 7: Java.exe PythonScript being dumped
Once this Python script has been dumped it needs to be converted into a Python file using an open source Python script extractor:
Figure 8: PythonScript extractor
The final step involved in producing the malicious script is to decompile the Python script. This is done with Easy Python Decompiler:
Figure 9: Decompiled PythonScript for Java.exe
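The three steps above (dump the PYTHONSCRIPT resource, split off the header, decompile) can be scripted once the raw resource bytes are in hand. The parser below is an added example, not code from the report or from the Machete sample: it reproduces the py2exe PYTHONSCRIPT layout that tools such as unpy2exe rely on (a 16-byte header of four little-endian int32 values starting with the magic 0x78563412, a NUL-terminated archive path, then a marshalled list of code objects) and runs a defender-style triage over the recovered code objects, listing the global and attribute names each one references. It assumes the resource has already been dumped with a resource editor as in Figure 7, and it builds a constructed blob in the running interpreter because marshalled bytecode can only be loaded by an interpreter of the same major version as the one that built the sample.

```python
"""Parse a dumped py2exe PYTHONSCRIPT resource and triage the embedded code objects."""
import marshal
import struct
import types

PY2EXE_MAGIC = 0x78563412
HEADER = struct.Struct("<iiii")  # magic, optimize, unbuffered, data_bytes


def parse_pythonscript(blob):
    """Return (archive_path, [code objects]) from a raw PYTHONSCRIPT resource dump."""
    if len(blob) < HEADER.size:
        raise ValueError("blob too short for a py2exe header")
    magic, optimize, unbuffered, data_bytes = HEADER.unpack_from(blob, 0)
    if magic != PY2EXE_MAGIC:
        raise ValueError("not a py2exe PYTHONSCRIPT resource (magic 0x%08x)" % magic)
    end = blob.index(b"\x00", HEADER.size)        # NUL terminates the archive path
    archive = blob[HEADER.size:end].decode("latin-1")
    # marshal.loads only rebuilds code objects; nothing here executes them.
    code_objects = marshal.loads(blob[end + 1:])
    if not isinstance(code_objects, list):
        raise ValueError("expected a marshalled list of code objects")
    return archive, code_objects


def referenced_names(code, acc=None):
    """Collect every global/attribute name a code object and its nested functions reference."""
    acc = set() if acc is None else acc
    acc.update(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            referenced_names(const, acc)
    return acc


def triage(blob):
    """Per embedded script: (original filename, sorted referenced names) for a quick look."""
    _, codes = parse_pythonscript(blob)
    return [(c.co_filename, sorted(referenced_names(c))) for c in codes]


def build_sample_blob(sources, archive=b"library.zip"):
    """Constructed test fixture shaped like a PYTHONSCRIPT resource (not real malware)."""
    codes = [compile(src, name, "exec") for name, src in sources]
    body = marshal.dumps(codes)
    return HEADER.pack(PY2EXE_MAGIC, 0, 0, len(body)) + archive + b"\x00" + body


# Constructed stand-in for a dumped script: an FTP upload stub, nothing more.
SAMPLE_SRC = "import ftplib\nHOST = 'ftp.example.invalid'\ndef upload(data):\n    return ftplib.FTP(HOST)\n"

if __name__ == "__main__":
    for filename, names in triage(build_sample_blob([("JavaH.py", SAMPLE_SRC)])):
        print(filename, names)
```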
Malicious Payloads
Java.exe
The keylogging functionality contained within the payload of Java.exe is shown in Figure 10. The standard ASCII keys are listed with their key IDs. The keyboard hook is also set within this script:
Figure 10: Key IDs used to log keystrokes
Figure 11: Keyboard hook set
Evidence of a connection to the remote server, contained within Java.exe, is shown in Figure 12:
Figure 12: FTP connection to remote server 2
Document Type Check JavaUE.exe
Contained within the payload of JavaUE.exe is a document type check of a target directory:
Figure 13: Checking for document extension types in the target directory
JavaK.exe Payload Script
Figure 14 illustrates webcam images being sent to a remote server. Interestingly, the script sets a low capture resolution in order to expedite exfiltration of the images:
Figure 14: Webcam exfiltration
JavaTM.exe Payload Script
JavaS.exe is run as the last process. It terminates the rest of the spawned processes and then deletes them from the victim machine:
Figure 15: Deletion of Java files and termination of processes
Dynamic Analysis
When the script is executed, a series of files is created along with the Java-labelled executables. A Crypto.Cipher.AES Python file is dropped; it is used to encrypt the exfiltrated data sent to the FTP server and to assign an encrypted unique identifier to each victim machine. The other files installed are Python libraries necessary for the executable to run its payload. A system information text file is created to record data from the victim machine.
Conclusion
BlackBerry Cylance uses artificial intelligence-based agents trained for threat detection on millions of both safe and unsafe files. Our automated security agents block Machete based on countless file attributes and malicious behaviors instead of relying on a specific file signature.
BlackBerry Cylance, which offers a predictive advantage over zero-day threats, is trained on and effective against both new and legacy cyberattacks. If you are a BlackBerry Cylance customer using CylancePROTECT®, you are protected from Machete by our machine learning models.
For more information, visit https://www.cylance.com.
APPENDIX
Indicators of Compromise (IoCs)
Indicator | Type | Description |
C:\Windows\system32\cmd.exe /c SCHTASKS /create /ST 00:00:01 /SC MINUTE /MO 60 /TR "\"C:\Users\%USERNAME%\AppData\Roaming/MicroDes/JavaH.exe"\" /TN Microsoft_up, null". | Command-line | Scheduled task used to launch JavaH.exe as a service |
C:\Users\%USERNAME%\AppData\Roaming\java | Path | Install folder |
C:\Users\%USERNAME%\AppData\Roaming\Bin\Jre6\ | Path | Install folder |
C:\Users\%USERNAME%\AppData\Roaming\MicroDes | Path | Install folder |
caso.txt | File | Present in install folder |
Java.exe | File | Present in install folder |
JavaD.exe | File | Present in install folder |
JavaH.exe | File | Present in install folder |
JavaK.exe | File | Present in install folder |
JavaS.exe | File | Present in install folder |
JavaTM.exe | File | Present in install folder |
JavaUe.exe | File | Present in install folder |
JavaAlq.exe | File | Present in install folder |
Ujavap.exe | File | Present in install folder |
File Information
SHA256 | bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69 |
Type | Win32 EXE NullSoft SFX |
Size | 4830 KB |
Timestamp | 2008-08-16 20:26:10 (Time-stomped) |
ITW names | Machete, Trojan/Spy.Python.Ragua |