Machete

Machete is a cyber espionage toolset used by the Machete threat group. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[1][2][3]

ID: S0409
Associated Software: Pyark
Type: MALWARE
Platforms: Windows
Contributors: Matias Nicolas Porolli, ESET
Version: 2.2
Created: 13 September 2019
Last Modified: 06 June 2025

Associated Software Descriptions

Name     Description
Pyark    [3]


Techniques Used

Domain      ID          Name
            Use

Enterprise  T1071.001   Application Layer Protocol: Web Protocols
            Machete uses HTTP for Command & Control.[1][4][3]

Enterprise  T1071.002   Application Layer Protocol: File Transfer Protocols
            Machete uses FTP for Command & Control.[1][4][3]

Enterprise  T1010       Application Window Discovery
            Machete saves the window names.[1]

Enterprise  T1560       Archive Collected Data
            Machete stores zipped files with profile data from installed web browsers.[1]

Enterprise  T1560.003   Archive Collected Data: Archive via Custom Method
            Machete's collected data is encrypted with AES before exfiltration.[1]

Enterprise  T1123       Audio Capture
            Machete captures audio from the computer's microphone.[2][4][3]

Enterprise  T1020       Automated Exfiltration
            Machete's collected files are exfiltrated automatically to remote servers.[1]

Enterprise  T1547.001   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
            Machete used the startup folder for persistence.[2][4]

Enterprise  T1217       Browser Information Discovery
            Machete retrieves the user profile data (e.g., browsers) from Chrome and Firefox browsers.[1]

Enterprise  T1115       Clipboard Data
            Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.[1][2]

Enterprise  T1059.006   Command and Scripting Interpreter: Python
            Machete is written in Python and is used in conjunction with additional Python scripts.[1][2][3]

Enterprise  T1555.003   Credentials from Password Stores: Credentials from Web Browsers
            Machete collects stored credentials from several web browsers.[1]

Enterprise  T1132.001   Data Encoding: Standard Encoding
            Machete has used base64 encoding.[2]

Enterprise  T1005       Data from Local System
            Machete searches the file system for files of interest.[1]

Enterprise  T1025       Data from Removable Media
            Machete can find, encrypt, and upload files from fixed and removable drives.[4][1]

Enterprise  T1074.001   Data Staged: Local Data Staging
            Machete stores files and logs in a folder on the local drive.[1][4]

Enterprise  T1140       Deobfuscate/Decode Files or Information
            Machete's downloaded data is decrypted using AES.[1]

Enterprise  T1573.001   Encrypted Channel: Symmetric Cryptography
            Machete has used AES to exfiltrate documents.[1]

Enterprise  T1573.002   Encrypted Channel: Asymmetric Cryptography
            Machete has used TLS-encrypted FTP to exfiltrate data.[4]

Enterprise  T1041       Exfiltration Over C2 Channel
            Machete's collected data is exfiltrated over the same channel used for C2.[1]

Enterprise  T1052.001   Exfiltration Over Physical Medium: Exfiltration over USB
            Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[1][2]

Enterprise  T1008       Fallback Channels
            Machete has sent data over HTTP if FTP failed, and has also used a fallback server.[1]

Enterprise  T1083       File and Directory Discovery
            Machete produces file listings in order to search for files to be exfiltrated.[1][4][3]

Enterprise  T1564.001   Hide Artifacts: Hidden Files and Directories
            Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.[1]

Enterprise  T1070.004   Indicator Removal: File Deletion
            Once a file is uploaded, Machete will delete it from the machine.[1]

Enterprise  T1105       Ingress Tool Transfer
            Machete can download additional files for execution on the victim's machine.[1]

Enterprise  T1056.001   Input Capture: Keylogging
            Machete logs keystrokes from the victim's machine.[1][2][4][3]

Enterprise  T1036.004   Masquerading: Masquerade Task or Service
            Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.[1]

Enterprise  T1036.005   Masquerading: Match Legitimate Resource Name or Location
            Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[1][2]

Enterprise  T1027.002   Obfuscated Files or Information: Software Packing
            Machete has been packed with NSIS.[1]

Enterprise  T1027.010   Obfuscated Files or Information: Command Obfuscation
            Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[4][1]

Enterprise  T1120       Peripheral Device Discovery
            Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.[1]

Enterprise  T1057       Process Discovery
            Machete has a component to check for running processes to look for web browsers.[1]

Enterprise  T1053.005   Scheduled Task/Job: Scheduled Task
            The different components of Machete are executed by Windows Task Scheduler.[1][2]

Enterprise  T1029       Scheduled Transfer
            Machete sends stolen data to the C2 server every 10 minutes.[1]

Enterprise  T1113       Screen Capture
            Machete captures screenshots.[1][2][4][3]

Enterprise  T1082       System Information Discovery
            Machete collects the hostname of the target computer.[1]

Enterprise  T1016       System Network Configuration Discovery
            Machete collects the MAC address of the target computer and other network configuration information.[1][3]

Enterprise  T1016.002   System Network Configuration Discovery: Wi-Fi Discovery
            Machete uses the "netsh wlan show networks mode=bssid" and "netsh wlan show interfaces" commands to list all nearby Wi-Fi networks and connected interfaces.[1]

Enterprise  T1552.004   Unsecured Credentials: Private Keys
            Machete has scanned and looked for cryptographic keys and certificate file extensions.[1]

Enterprise  T1125       Video Capture
            Machete takes photos from the computer's web camera.[2][4][3]

Groups That Use This Software

ID       Name      References
G0095    Machete   [2][1]

References
