{"id":10923,"date":"2022-08-12T11:33:20","date_gmt":"2022-08-12T08:33:20","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10923"},"modified":"2022-08-12T11:33:20","modified_gmt":"2022-08-12T08:33:20","slug":"andariel-dtrack-maui","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/andariel-dtrack-maui\/10923\/","title":{"rendered":"Andariel attacks with DTrack and Maui"},"content":{"rendered":"<p>Our experts have investigated the activities of Andariel, which is believed to be a subgroup of the Lazarus APT group. The cybercriminals use the DTrack malware and the Maui ransomware to attack businesses around the world. Like Lazarus, this group attacks for financial gain. This time, they prefer to demand a ransom.<\/p>\n<h2>Targets of Andariel attacks<\/h2>\n<p>Our experts concluded that the Andariel group attacks whatever company it comes across rather than focusing on a particular industry. In June, the US Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-187a\" target=\"_blank\" rel=\"noopener nofollow\">reported<\/a> that the Maui ransomware mainly targets companies and government organizations in the US healthcare sector. 
However, our team identified an attack on at least one housing company in Japan, as well as several victims in India, Vietnam and Russia.<\/p>\n<h2>Andariel's tools<\/h2>\n<p>The Andariel group's main tool is the long-known DTrack malware. DTrack collects information about the victim and sends it to a remote host. Among much other data, DTrack also collects the browser history and saves it to a separate file. The variant used in the Andariel attacks not only sends the collected information to the cybercriminals' server over HTTP, but can also store it on a remote host inside the victim's network.<\/p>\n<p>Once the attackers find useful data, the Maui ransomware comes into play. It is typically detected on attacked hosts 10 hours after the DTrack malware is activated. Our colleagues at Stairwell, who <a href=\"https:\/\/stairwell.com\/wp-content\/uploads\/2022\/07\/Stairwell-Threat-Report-Maui-Ransomware.pdf\" target=\"_blank\" rel=\"noopener nofollow\">analyzed<\/a> Maui samples, found that the ransomware is operated manually, i.e. the operators themselves decide which data gets encrypted.<\/p>\n<p>Another tool used by the attackers appears to be 3Proxy. 
This legitimate, free, cross-platform proxy server most likely appeals to the attackers because of its compact size (just a few hundred kilobytes). Such a tool can be used to maintain remote access to a compromised computer.<\/p>\n<h2>How Andariel spreads its malware<\/h2>\n<p>The cybercriminals exploit unpatched versions of publicly accessible online services. In one case, the malware was downloaded from an HFS (HTTP file server); the attackers used an unknown exploit that allowed them to run a PowerShell script from a remote server. In another, they compromised a WebLogic server by exploiting the CVE-2017-10271 vulnerability, which ultimately allowed them to execute a script.<\/p>\n<p>For a more detailed technical description of the attack and the tools used, as well as indicators of compromise, see our <a href=\"https:\/\/securelist.com\/andariel-deploys-dtrack-and-maui-ransomware\/107063\/\" target=\"_blank\" rel=\"noopener\">Securelist post<\/a>.<\/p>\n<h2>How to protect yourself<\/h2>\n<p>First of all, make sure that all corporate devices, including servers, are protected by <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">strong security solutions<\/a>. In addition, it is wise to develop an <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/anti-ransomware-strategy\/10615\/\" target=\"_blank\" rel=\"noopener\">anti-ransomware strategy<\/a> and countermeasures in advance, so that you have them to fall back on in the event of an actual infection.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Andariel group attacks companies with a number of malicious tools.<\/p>\n","protected":false},"author":2581,"featured_media":10924,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[591,1763,1454,2362],"class_list":{"0":"post-10923","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-fidye-yazilimi","10":"tag-fidye-yazilimlari","11":"tag-lazarus","12":"tag-para-sizdirma"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/andariel-dtrack-maui\/10923\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/andariel-dtrack-maui\/24444\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/andariel-dtrack-maui\/19910\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/andariel-dtrack-maui\/26881\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/andariel-dtrack-maui\/24788\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/andariel-dtrack-maui\/25184\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/andariel-dtrack-maui\/27501\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/andariel-dtrack-maui\/27158\/"},{"hreflang":"ru","url":"https:\
/\/www.kaspersky.ru\/blog\/andariel-dtrack-maui\/33817\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/andariel-dtrack-maui\/45130\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/andariel-dtrack-maui\/19280\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/andariel-dtrack-maui\/19867\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/andariel-dtrack-maui\/29139\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/andariel-dtrack-maui\/25332\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/andariel-dtrack-maui\/30847\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/andariel-dtrack-maui\/30556\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/fidye-yazilimlari\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10923"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10923\/revisions"}],"predecessor-version":[{"id":10925,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10923\/revisions\/10925"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10924"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10923
"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}