{"id":11542,"date":"2023-07-12T15:05:03","date_gmt":"2023-07-12T12:05:03","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=11542"},"modified":"2023-07-12T15:05:03","modified_gmt":"2023-07-12T12:05:03","slug":"doublefinger-crypto-stealer-2","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/doublefinger-crypto-stealer-2\/11542\/","title":{"rendered":"\u00c7ifte tehlike: kripto h\u0131rs\u0131z\u0131 DoubleFinger"},"content":{"rendered":"

Kripto para birimleri, s\u0131radan Bitcoin madencilik doland\u0131r\u0131c\u0131l\u0131klar\u0131ndan<\/a> y\u00fcz milyonlarca dolarl\u0131k \u015fa\u015f\u0131las\u0131 kripto para soygunlar\u0131na<\/a> kadar her t\u00fcrden su\u00e7 planlar\u0131n\u0131n sald\u0131r\u0131lar\u0131 alt\u0131nda.<\/p>\n

\u00a0<\/p>\n

Kripto para birimi sahipleri i\u00e7in neredeyse her k\u00f6\u015fe ba\u015f\u0131nda tehlikeler var. Yak\u0131n zamanda, ger\u00e7ek kripto c\u00fczdanlar\u0131 gibi g\u00f6r\u00fcn\u00fcp \u00e7al\u0131\u015ft\u0131\u011f\u0131 halde nihayetinde t\u00fcm paran\u0131z\u0131 \u00e7alan sahte kripto c\u00fczdanlar\u0131ndan<\/a> s\u00f6z etmi\u015ftik. \u015eimdi uzmanlar\u0131m\u0131z ke\u015ffetti<\/a> kar\u015f\u0131m\u0131zda tamamen yeni bir tehdit var: kripto h\u0131rs\u0131z\u0131 GreetingGhoul ve uzaktan eri\u015fim Truva At\u0131 Remcos adl\u0131 arkada\u015flar\u0131n\u0131 da yan\u0131nda getiren DoubleFinger adl\u0131 y\u00fckleyiciyi kullanan geli\u015fmi\u015f bir sald\u0131r\u0131. Ama \u00f6nce s\u0131rayla gidelim.<\/p>\n

\u00a0<\/p>\n

DoubleFinger nas\u0131l GreetingGhoul adl\u0131 h\u0131rs\u0131z\u0131 y\u00fckl\u00fcyor<\/h2>\n

Uzmanlar\u0131m\u0131z, sald\u0131r\u0131n\u0131n y\u00fcksek teknik seviyesine ve geli\u015fmi\u015f bir kal\u0131c\u0131 tehdit (APT)<\/a> sald\u0131r\u0131s\u0131n\u0131 and\u0131ran \u00e7ok a\u015famal\u0131 yap\u0131s\u0131na dikkat \u00e7ekti. Bir DoubleFinger vir\u00fcs\u00fc k\u00f6t\u00fc ama\u00e7l\u0131 bir PIF dosyas\u0131 i\u00e7eren bir e-posta ile geliyor. Al\u0131c\u0131 eki a\u00e7\u0131nca olaylar \u015fu \u015fekilde geli\u015fiyor:<\/p>\n

\u00a0<\/p>\n

    \n
  1. A\u015fama<\/strong>. DoubleFinger, resim payla\u015f\u0131m platformu Imgur.com \u00fczerinden PNG bi\u00e7iminde bir dosya indiren bir shellcode<\/a> y\u00fcr\u00fct\u00fcyor. Ama bu asl\u0131nda bir resim de\u011fil: Dosyada sald\u0131r\u0131n\u0131n sonraki a\u015famalar\u0131nda kullan\u0131lacak olan DoubleFinger bile\u015fenleri \u015fifreli bir \u015fekilde bulunuyor. Bunlar aras\u0131nda sald\u0131r\u0131n\u0131n ikinci a\u015famas\u0131nda kullan\u0131lan bir y\u00fcklenici, me\u015fru bir java.exe dosyas\u0131 ve d\u00f6rd\u00fcnc\u00fc a\u015fama i\u00e7in kullan\u0131lacak bir di\u011fer PNG dosyas\u0131 mevcut.<\/li>\n<\/ol>\n

    \u00a0<\/p>\n

      \n
    1. A\u015fama<\/strong>. DoubleFinger ikinci a\u015fama y\u00fckleyicisi yukar\u0131da bahsedilen me\u015fru java.exe dosyas\u0131 kullan\u0131larak \u00e7al\u0131\u015ft\u0131r\u0131l\u0131yor, ard\u0131ndan bu y\u00fckleyici DoubleFinger\u2019\u0131n \u00fc\u00e7\u00fcnc\u00fc a\u015famas\u0131n\u0131 indiren, \u015fifresini \u00e7\u00f6zen ve ba\u015flatan ba\u015fka bir shellcode y\u00fcr\u00fct\u00fcyor.<\/li>\n<\/ol>\n

      \u00a0<\/p>\n

        \n
      1. A\u015fama<\/strong>. Bu a\u015famada, DoubleFinger bilgisayar\u0131n\u0131zda y\u00fckl\u00fc g\u00fcvenlik yaz\u0131l\u0131mlar\u0131n\u0131 a\u015fmak i\u00e7in bir dizi eylem sergiliyor. Daha sonra, y\u00fckleyici a\u00e7\u0131l\u0131yor ve ilk a\u015famada s\u00f6z\u00fc edilen PNG dosyas\u0131nda bulunan d\u00f6rd\u00fcnc\u00fc a\u015famay\u0131 ba\u015flat\u0131yor. Bu arada, bu PNG dosyas\u0131nda sadece k\u00f6t\u00fc ama\u00e7l\u0131 kod de\u011fil, ayn\u0131 zamanda k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131ma ad\u0131n\u0131 veren resim de bulunuyor:<\/li>\n<\/ol>\n
        \"DoubleFinger

        DoubleFinger\u2019\u0131n ad\u0131n\u0131 ald\u0131\u011f\u0131 iki parmak<\/p>\n

        <\/p><\/div>\n

          \n
        1. A\u015fama<\/strong>. Bu ad\u0131mda DoubleFinger, Process Doppelg\u00e4nging<\/a> ad\u0131 verilen bir teknik kullanarak be\u015finci a\u015famay\u0131 ba\u015flat\u0131yor, b\u00f6ylece me\u015fru s\u00fcreci be\u015finci a\u015fama g\u00f6rev y\u00fck\u00fcn\u00fc i\u00e7eren de\u011fi\u015ftirilmi\u015f bir s\u00fcre\u00e7le de\u011fi\u015ftiriyor.<\/li>\n<\/ol>\n

          \u00a0<\/p>\n

            \n
          1. A\u015fama<\/strong>. Yukar\u0131daki t\u00fcm manip\u00fclasyonlar\u0131n ard\u0131ndan DoubleFinger as\u0131l tasar\u0131m amac\u0131n\u0131 yerine getirmeye ba\u015fl\u0131yor: ba\u015fka bir PNG dosyas\u0131 y\u00fckleyip a\u00e7\u0131yor. Bu dosyada nihai g\u00f6rev y\u00fck\u00fc bulunuyor. Bu, kendisini sisteme y\u00fckleyen ve G\u00f6rev Planlay\u0131c\u0131da her g\u00fcn belli bir saatte \u00e7al\u0131\u015fmak \u00fczere i\u015faretlenen GreetingGhoul adl\u0131 kripto h\u0131rs\u0131z\u0131.<\/li>\n<\/ol>\n

            \u00a0<\/p>\n

            GreetingGhoul kripto c\u00fczdanlar\u0131 nas\u0131l \u00e7al\u0131yor<\/h2>\n

            DoubleFinger adl\u0131 y\u00fckleyici i\u015fini bitirdikten sonra GreetingGhoul oyuna giriyor. Bu k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m\u0131n iki tamamlay\u0131c\u0131 bile\u015feni var:<\/p>\n

              \n
            1. sistemdeki kripto c\u00fczdan uygulamalar\u0131n\u0131 alg\u0131layan ve ki\u015fisel verileri (\u00f6zel anahtarlar ve kurtarma terimleri) sald\u0131rganlara aktara bir bile\u015fen;<\/li>\n
            2. kripto para birimi uygulamalar\u0131n\u0131n aray\u00fcz\u00fcn\u00fcn \u00fczerine binip kullan\u0131c\u0131 girdilerinin \u00f6n\u00fcn\u00fc kesen bir bile\u015fen.<\/li>\n<\/ol>\n
              \"GreetingGhoul

              GreetingGhoul\u2019un kripto c\u00fczdan uygulamalar\u0131n\u0131n aray\u00fcz\u00fc \u00fczerine binmesinin bir \u00f6rne\u011fi<\/p><\/div>\n

              \u00a0<\/p>\n

              Sonu\u00e7 olarak, DoubleFinger\u2019\u0131n ard\u0131ndaki siber su\u00e7lular kurban\u0131n kripto c\u00fczdanlar\u0131n\u0131n kontrol\u00fcn ele al\u0131p paralar\u0131n\u0131 \u00e7ekebiliyorlar.<\/p>\n

              Uzmanlar\u0131m\u0131z DoubleFinger\u2019\u0131n yapt\u0131\u011f\u0131 baz\u0131 de\u011fi\u015fiklikleri ke\u015ffettiler. Bunlardan baz\u0131lar\u0131, ek bir y\u00f6ntem olarak, (siber su\u00e7lu \u00e7evrelerinde) olduk\u00e7a yayg\u0131n olan uzaktan eri\u015fim Truva At\u0131<\/a> Remcos\u2019u vir\u00fcs bula\u015fan sisteme y\u00fckl\u00fcyor. Bunun amac\u0131 do\u011frudan ad\u0131nda gizli: REM<\/strong>ote (Uzaktan) CO<\/strong>ntrol (Kontrol) ve S<\/strong>urveillance (G\u00f6zetim). Di\u011fer bir deyi\u015fle, Remcos siber su\u00e7lular\u0131n t\u00fcm kullan\u0131c\u0131 hareketlerini g\u00f6zlemesini ve vir\u00fcsl\u00fc sistemin tam kontrol\u00fcn\u00fc ele ge\u00e7irmesini sa\u011fl\u0131yor.<\/p>\n

              \u00a0<\/p>\n

              Kripto c\u00fczdanlar\u0131n\u0131z nas\u0131l korunur<\/h2>\n

              Kripto para birimleri siber su\u00e7lular\u0131n ilgisini \u00e7ekmeye devam ediyor, bu nedenle t\u00fcm kripto yat\u0131r\u0131mc\u0131lar\u0131n\u0131n g\u00fcvenlik konusunda s\u0131k\u0131 d\u00fc\u015f\u00fcnmesi gerekiyor. Bunu demi\u015fken, Kripto yat\u0131r\u0131mlar\u0131n\u0131 korumak: G\u00fcvenli\u011fe giden 4 \u00f6nemli ad\u0131m<\/a> ba\u015fl\u0131kl\u0131 son yaz\u0131m\u0131z\u0131 okuman\u0131z\u0131 \u00f6neririz. Konunun d\u00f6rt temel noktas\u0131 \u015furada:<\/p>\n