{"id":10384,"date":"2021-12-22T13:51:53","date_gmt":"2021-12-22T10:51:53","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10384"},"modified":"2021-12-22T13:51:53","modified_gmt":"2021-12-22T10:51:53","slug":"pseudomanuscrypt-industrial-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/pseudomanuscrypt-industrial-malware\/10384\/","title":{"rendered":"PseudoManuscrypt&#8217;in standart d\u0131\u015f\u0131 sald\u0131r\u0131s\u0131"},"content":{"rendered":"<p>Haziran 2021\u2019de uzmanlar\u0131m\u0131z, PseudoManuscrypt ad\u0131nda yeni bir k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m ke\u015ffetti. PseudoManuscrypt\u2019in y\u00f6ntemleri, bir casus yaz\u0131l\u0131m i\u00e7in olduk\u00e7a standart. Bir tu\u015f kaydedici i\u015flevi g\u00f6r\u00fcyor, kurulan VPN ba\u011flant\u0131lar\u0131 ve kay\u0131tl\u0131 \u015fifreler hakk\u0131nda bilgi topluyor, panoya kopyalanan i\u00e7eri\u011fi \u00e7al\u0131yor, bilgisayardaki yerle\u015fik mikrofonu (varsa) kullanarak ses kaydediyor ve g\u00f6r\u00fcnt\u00fc al\u0131yor. Casus yaz\u0131l\u0131m\u0131n farkl\u0131 biri varyant\u0131 ayr\u0131ca QQ ve WeChat mesajla\u015fma uygulamalar\u0131na ait kimlik bilgilerini \u00e7alabiliyor, ekran g\u00f6r\u00fcnt\u00fcs\u00fcn\u00fc video olarak kaydedebiliyor ve g\u00fcvenlik \u00e7\u00f6z\u00fcmlerini devre d\u0131\u015f\u0131 b\u0131rakmaya \u00e7al\u0131\u015fan bir i\u015flevi bulunuyor. Daha sonra toplad\u0131\u011f\u0131 verileri sald\u0131rganlar\u0131n sunucusuna g\u00f6nderiyor.<\/p>\n<p>Sald\u0131r\u0131n\u0131n teknik ayr\u0131nt\u0131lar\u0131 ve risk g\u00f6stergeleri i\u00e7in <a href=\"https:\/\/ics-cert.kaspersky.com\/reports\/2021\/12\/16\/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign\/\" target=\"_blank\" rel=\"noopener\">ICS CERT raporumuza<\/a> g\u00f6z at\u0131n.<\/p>\n<h2>Casus yaz\u0131l\u0131m\u0131n ismi nereden geliyor?<\/h2>\n<p>Uzmanlar\u0131m\u0131z, yeni sald\u0131r\u0131 ile daha \u00f6nceden bilinen <a href=\"https:\/\/ics-cert.kaspersky.com\/reports\/2021\/02\/25\/lazarus-targets-defense-industry-with-threatneedle\/\" target=\"_blank\" rel=\"noopener\">Manuscrypt<\/a> sald\u0131r\u0131s\u0131 aras\u0131nda baz\u0131 benzerlikler bulsa da yap\u0131lan analizler, tamamen farkl\u0131 bir akt\u00f6r\u00fcn, APT41 grubunun daha \u00f6nce d\u00fczenledi\u011fi sald\u0131r\u0131larda, k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m kodunun bir k\u0131sm\u0131n\u0131 kulland\u0131\u011f\u0131n\u0131 ortaya koydu. Yeni sald\u0131r\u0131n\u0131n sorumlulu\u011funun kime ait oldu\u011funu hen\u00fcz belirleyemedik, bu y\u00fczden \u015fimdilik PseudoManuscrypt diyoruz.<\/p>\n<h2>PseudoManuscrypt bir sisteme nas\u0131l bula\u015f\u0131yor?<\/h2>\n<p>Casus yaz\u0131l\u0131m\u0131n bir sisteme bula\u015fmas\u0131 olduk\u00e7a karma\u015f\u0131k bir olaylar zincirine dayan\u0131yor. Bir bilgisayara d\u00fczenlenen sald\u0131r\u0131, genellikle kullan\u0131c\u0131, pop\u00fcler yaz\u0131l\u0131mlar\u0131n korsan s\u00fcr\u00fcmleri gibi haz\u0131rlanm\u0131\u015f k\u00f6t\u00fc ama\u00e7l\u0131 bir yaz\u0131l\u0131m\u0131 indirip \u00e7al\u0131\u015ft\u0131rmas\u0131yla ba\u015fl\u0131yor.<\/p>\n<p>\u0130nternette korsan bir yaz\u0131l\u0131m arayarak PseudoManuscrypt\u2019i bulabilirsiniz. Pop\u00fcler aramalarla e\u015fle\u015fen k\u00f6t\u00fc ama\u00e7l\u0131 kod da\u011f\u0131tan internet siteleri, arama motoru sonu\u00e7lar\u0131nda \u00fcst s\u0131ralarda yer al\u0131yor; g\u00f6r\u00fcn\u00fc\u015fe g\u00f6re arama sonu\u00e7lar\u0131ndaki s\u0131ralama, sald\u0131rganlar\u0131n takip etti\u011fi bir \u015fey.<\/p>\n<p>Buradan end\u00fcstriyel sistemlere bula\u015fmak i\u00e7in neden bu kadar \u00e7ok giri\u015fimde bulunuldu\u011funu a\u00e7\u0131k\u00e7a g\u00f6rebilirsiniz. Sald\u0131rganlar, pop\u00fcler yaz\u0131l\u0131mlar gibi g\u00f6r\u00fcnen k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131mlar (ofis paketleri, g\u00fcvenlik \u00e7\u00f6z\u00fcmleri, navigasyon sistemleri ve 3D birinci \u015fah\u0131s ni\u015fanc\u0131 oyunlar\u0131 (first-person shooter) gibi) sunman\u0131n yan\u0131 s\u0131ra, profesyonel yaz\u0131l\u0131mlara y\u00f6nelik, ModBus kullanarak programlanabilir mant\u0131k denetleyicileriyle (PLC) etkile\u015fime girmek i\u00e7in belirli yard\u0131mc\u0131 programlar da dahil olmak \u00fczere sahte y\u00fckleme paketleri de sunuyorlar. Sonu\u00e7: Anormal derecede y\u00fcksek say\u0131da vir\u00fcsl\u00fc end\u00fcstriyel kontrol sistemi (ICS) bilgisayar\u0131 (toplam i\u00e7indeki pay\u0131 %7,2).<\/p>\n<div id=\"attachment_10386\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10386\" class=\"wp-image-10386 size-large\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2021\/12\/22135008\/pseudomanuscrypt-industrial-malware-search-results-1024x838.png\" alt=\"\" width=\"1024\" height=\"838\"><p id=\"caption-attachment-10386\" class=\"wp-caption-text\">Korsan yaz\u0131l\u0131mlara ili\u015fkin arama sonu\u00e7lar\u0131 PseudoManuscrypt\u2019e arama sonucunda \u00e7\u0131kan ilk ba\u011flant\u0131dan ula\u015f\u0131labilir. <a href=\"https:\/\/ics-cert.kaspersky.ru\/reports\/2021\/12\/16\/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign\/\" target=\"_blank\" rel=\"noopener\">Kaynak<\/a>.<\/p><\/div>\n<p>\u00a0<\/p>\n<p>Yukar\u0131daki ekran g\u00f6r\u00fcnt\u00fcs\u00fcnde yer alan \u00f6rnekte, sistem y\u00f6neticileri ve a\u011f m\u00fchendislerine y\u00f6nelik yaz\u0131l\u0131m yer al\u0131yor. Teoride b\u00f6yle bir sald\u0131r\u0131 vekt\u00f6r\u00fc, sald\u0131rganlar\u0131n \u015firketin altyap\u0131s\u0131na tam eri\u015fim elde etmesini sa\u011flayabilir.<\/p>\n<p>Sald\u0131rganlar ayr\u0131ca, PseudoManuscrypt\u2019in yay\u0131lmas\u0131 i\u00e7in di\u011fer siber su\u00e7lulara \u00f6deme yap\u0131ld\u0131\u011f\u0131 Hizmet Olarak K\u00f6t\u00fc Ama\u00e7l\u0131 Yaz\u0131l\u0131m (MaaS) da\u011f\u0131t\u0131m mekanizmas\u0131n\u0131 da kullan\u0131yor. Bu uygulama, uzmanlar\u0131m\u0131z\u0131n MaaS platformunu analiz ederken bulduklar\u0131 ilgin\u00e7 bir \u00f6zelli\u011fin ortaya \u00e7\u0131kmas\u0131na neden oldu: Bazen PseudoManuscrypt, kurban\u0131n y\u00fckledi\u011fi tek bir paket i\u00e7inde di\u011fer k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131mlarla birlikte geliyordu. PseudoManuscrypt\u2019in amac\u0131 casusluk olsa da di\u011fer k\u00f6t\u00fc ama\u00e7l\u0131 programlar, para s\u0131zd\u0131rmak i\u00e7in veri \u015fifreleme gibi ba\u015fka hedeflere y\u00f6nelirler.<\/p>\n<h2>PseudoManuscrypt kimleri hedefliyor?<\/h2>\n<p>PseudoManuscrypt\u2019in en s\u0131k g\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fclkeler Rusya, Hindistan, Brezilya, Vietnam ve Endonezya\u2019da olarak kar\u015f\u0131m\u0131za \u00e7\u0131k\u0131yor. K\u00f6t\u00fc ama\u00e7l\u0131 kod \u00e7al\u0131\u015ft\u0131rmaya y\u00f6nelik \u00e7ok say\u0131da giri\u015fimin i\u00e7inde end\u00fcstriyel \u015firketlerdeki kullan\u0131c\u0131lar \u00f6nemli bir paya sahip. Bu sekt\u00f6rdeki ma\u011fdurlar aras\u0131nda bina otomasyon sistemi y\u00f6neticileri, enerji \u015firketleri, \u00fcreticiler, in\u015faat \u015firketleri ve hatta su ar\u0131tma tesislerinin hizmet sa\u011flay\u0131c\u0131lar\u0131 yer al\u0131yor. Ayr\u0131ca etkilenenler aras\u0131nda, m\u00fchendislik s\u00fcre\u00e7lerinde ve end\u00fcstriyel \u015firketlerde yeni \u00fcr\u00fcnlerin \u00fcretiminde kullan\u0131lan \u00e7ok say\u0131da bilgisayar bulunuyor.<\/p>\n<h2>PseudoManuscrypt\u2019e kar\u015f\u0131 uygulanacak savunma y\u00f6ntemleri<\/h2>\n<p>PseudoManuscrypt\u2019e kar\u015f\u0131 koruma sa\u011flamak i\u00e7in, g\u00fcvenilir ve d\u00fczenli olarak g\u00fcncellenen koruma \u00e7\u00f6z\u00fcmlerine sahip olman\u0131z ve bu \u00e7\u00f6z\u00fcmlerin \u015firketteki sistemlerinin tamam\u0131na kurulmu\u015f olmas\u0131 gerekiyor. Buna ek olarak, korumay\u0131 devre d\u0131\u015f\u0131 b\u0131rakmay\u0131 zorla\u015ft\u0131ran politikalar olu\u015fturman\u0131z\u0131 \u00f6neriyoruz.<\/p>\n<p>End\u00fcstrideki BT sistemleri i\u00e7in, hem bilgisayarlar\u0131 koruyan (\u00f6zelle\u015ftirilmi\u015f olanlar dahil) hem de belirli protokolleri kullanarak veri aktar\u0131mlar\u0131n\u0131 izleyen <a href=\"https:\/\/www.kaspersky.com.tr\/enterprise-security\/industrial?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Industrial CyberSecurity<\/a> ad\u0131nda \u00f6zel bir \u00e7\u00f6z\u00fcm sunuyoruz.<\/p>\n<p>Ayr\u0131ca, siber g\u00fcvenlik riskleri konusunda \u00e7al\u0131\u015fanlar\u0131n g\u00fcvenlik bilincinin art\u0131r\u0131lmas\u0131n\u0131n \u00f6nemini de unutmay\u0131n. Zekice tasarlanm\u0131\u015f kimlik av\u0131 sald\u0131r\u0131lar\u0131n\u0131n ya\u015fanmas\u0131 ihtimalini tamamen ortadan kald\u0131ramazs\u0131n\u0131z, ancak personelin tetikte kalmas\u0131na yard\u0131mc\u0131 olabilir ve ayn\u0131 zamanda end\u00fcstriyel sistemlere eri\u015fimi olan bilgisayarlara yetkisiz (ve \u00f6zellikle korsan) yaz\u0131l\u0131m y\u00fckleme tehlikesi konusunda onlar\u0131 e\u011fitebilirsiniz.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bir siber sald\u0131r\u0131, beklenmedik \u015fekilde \u00e7ok say\u0131da end\u00fcstriyel kontrol sistemini etkiledi.<\/p>\n","protected":false},"author":665,"featured_media":10385,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[1900,1326,965],"class_list":{"0":"post-10384","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"tag-casus-yazilim","11":"tag-endustriyel-siber-guvenlik","12":"tag-endustriyel-sistemler"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/pseudomanuscrypt-industrial-malware\/10384\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/pseudomanuscrypt-industrial-malware\/23759\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/pseudomanuscrypt-industrial-malware\/19258\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/pseudomanuscrypt-industrial-malware\/25977\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/pseudomanuscrypt-industrial-malware\/23955\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/pseudomanuscrypt-industrial-malware\/23625\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/pseudomanuscrypt-industrial-malware\/26596\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/pseudomanuscrypt-industrial-malware\/26204\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/pseudomanuscrypt-industrial-malware\/32108\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/pseudomanuscrypt-industrial-malware\/43177\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/pseudomanuscrypt-industrial-malware\/18302\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/pseudomanuscrypt-industrial-malware\/18691\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/pseudomanuscrypt-industrial-malware\/15630\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/pseudomanuscrypt-industrial-malware\/27880\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/pseudomanuscrypt-industrial-malware\/32236\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/pseudomanuscrypt-industrial-malware\/27948\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/pseudomanuscrypt-industrial-malware\/24697\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/pseudomanuscrypt-industrial-malware\/30119\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/pseudomanuscrypt-industrial-malware\/29910\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/endustriyel-siber-guvenlik\/","name":"End\u00fcstriyel siber g\u00fcvenlik"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10384"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10384\/revisions"}],"predecessor-version":[{"id":10387,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10384\/revisions\/10387"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10385"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}