{"id":10764,"date":"2022-06-09T22:41:01","date_gmt":"2022-06-09T19:41:01","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10764"},"modified":"2022-06-09T22:41:01","modified_gmt":"2022-06-09T19:41:01","slug":"windealer-man-on-the-side","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/windealer-man-on-the-side\/10764\/","title":{"rendered":"WinDealer: S\u0131rad\u0131\u015f\u0131 bir \u015fekilde da\u011f\u0131t\u0131lan casus yaz\u0131l\u0131m"},"content":{"rendered":"

Kaspersky uzmanlar\u0131 LuoYu APT grubu taraf\u0131ndan yarat\u0131lan WinDealer k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131n\u0131 inceledi<\/a>. En ilgi \u00e7ekici bulgu, sald\u0131rganlar\u0131n man-on-the-side sald\u0131r\u0131 y\u00f6nteminde uzmanla\u015fm\u0131\u015f olmas\u0131 ve bunu hem k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131 yaymak hem de vir\u00fcsl\u00fc bilgisayarlar\u0131 kontrol etmek i\u00e7in ba\u015far\u0131yla kullanmalar\u0131yd\u0131.<\/p>\n

Man-on-the-side sald\u0131r\u0131s\u0131 nedir? WinDealer operat\u00f6rleri taraf\u0131ndan nas\u0131l kullan\u0131l\u0131r?<\/h2>\n

Man-on-the-side sald\u0131r\u0131s\u0131, sald\u0131rgan\u0131n bir \u015fekilde ileti\u015fim kanal\u0131n\u0131 kontrol etti\u011fi ve bu sayede trafi\u011fi okuyup normal veri al\u0131\u015fveri\u015finin aras\u0131na rastgele mesajlar ekleyebildi\u011fi anlam\u0131na gelir.<\/p>\n

Bir \u00f6rnek verelim: Sald\u0131rganlar tamamen me\u015fru bir yaz\u0131l\u0131m\u0131n g\u00fcncelleme talebine m\u00fcdahale ederek g\u00fcncelleme dosyas\u0131n\u0131 k\u00f6t\u00fc ama\u00e7l\u0131 bir dosyayla de\u011fi\u015ftiriyor. G\u00f6r\u00fcn\u00fc\u015fe g\u00f6re WinDealer da bu \u015fekilde yay\u0131l\u0131yor.<\/p>\n

Sald\u0131rganlar benzer bir hileyle vir\u00fcsl\u00fc bilgisayardaki k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131ma komut g\u00f6nderiyor. K\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m, g\u00fcvenlik ara\u015ft\u0131rmac\u0131lar\u0131n\u0131n C&C sunucusunu bulmas\u0131n\u0131 zorla\u015ft\u0131rmak i\u00e7in tam adresini i\u00e7ermiyor. Bunun yerine \u00f6nceden tan\u0131mlanm\u0131\u015f bir aral\u0131k i\u00e7inden rastgele bir IP adresine eri\u015fmeye \u00e7al\u0131\u015f\u0131yor. Ard\u0131ndan sald\u0131rganlar talebe m\u00fcdahale ediyor ve yan\u0131t veriyor. WinDealer bazen olmayan adreslere de eri\u015fmeye \u00e7al\u0131\u015f\u0131yor, fakat man-on-the-side y\u00f6ntemi sayesinde yine de bir yan\u0131t al\u0131yor.<\/p>\n

Uzmanlar\u0131m\u0131za g\u00f6re bu hileyi ba\u015far\u0131l\u0131 \u015fekilde kullanabilmek i\u00e7in sald\u0131rganlar\u0131n t\u00fcm alt a\u011f\u0131n y\u00f6nlendiricilerine s\u00fcrekli eri\u015fime ya da internet sa\u011flay\u0131c\u0131 d\u00fczeyinde baz\u0131 geli\u015fmi\u015f ara\u00e7lara ihtiyac\u0131 var.<\/p>\n

WinDealer kimleri hedef al\u0131yor?<\/h2>\n

WinDealer\u2019\u0131n hedeflerinin b\u00fcy\u00fck \u00e7o\u011funlu\u011fu \u00c7in\u2019de bulunan yabanc\u0131 diplomasi kurulu\u015flar\u0131, akademi d\u00fcnyas\u0131n\u0131n \u00fcyeleri ya da savunma, lojistik ve telekom\u00fcnikasyon alanlar\u0131ndan \u015firketler. Ne var ki LuoYu APT grubu bazen Avusturya, \u00c7ek Cumhuriyeti, Almanya, Hindistan, Rusya ve ABD gibi ba\u015fka \u00fclkelerdeki hedeflere de sald\u0131r\u0131yor. Son zamanlarda di\u011fer Do\u011fu Asya \u00fclkeleriyle ve bunlar\u0131n \u00c7in\u2019deki ofisleriyle de daha fazla ilgilenmeye ba\u015flad\u0131lar.<\/p>\n

WinDealer neler yapabilir?<\/h2>\n

Hem k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131n hem de da\u011f\u0131t\u0131m mekanizmas\u0131n\u0131n ayr\u0131nt\u0131l\u0131 teknik analizini Securelist blogundaki yaz\u0131da<\/a> bulabilirsiniz. \u00d6zetlemek gerekirse WinDealer modern bir casus yaz\u0131l\u0131m\u0131n i\u015flevlerine sahip. \u015eunlar\u0131 yapabiliyor:<\/p>\n