{"id":1321,"date":"2014-08-14T05:59:21","date_gmt":"2014-08-14T09:59:21","guid":{"rendered":"http:\/\/www.kaspersky.com.tr\/blog\/?p=1321"},"modified":"2019-11-15T15:07:22","modified_gmt":"2019-11-15T12:07:22","slug":"kaspersky-lab-turla-siber-casusluk-kampanyasinin-sirlarini-aciga-cikardi","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/kaspersky-lab-turla-siber-casusluk-kampanyasinin-sirlarini-aciga-cikardi\/1321\/","title":{"rendered":"Kaspersky Lab Uncovers the Secrets of the Turla Cyber-Espionage Campaign"},"content":{"rendered":"<p>Turla is foremost among the most sophisticated ongoing cyber-espionage campaigns. The Epic malware is the first stage of Turla&#8217;s infection process.<\/p>\n<p>When an unsuspecting user opens a PDF file containing malicious code on a vulnerable system, the machine is automatically infected, giving the attacker immediate and full control over the target system.<\/p>\n<p>Turla, also known as Snake or Uroburos, is one of the most sophisticated ongoing cyber-espionage campaigns. The latest Kaspersky Lab research shows that Epic is the first stage of the Turla infection mechanism.<\/p>\n<p>The &#8220;Epic&#8221; project has been in use since at least 2012, and its highest volume of activity was observed in January-February 2014. 
Most recently, on August 5, 2014, Kaspersky Lab detected this attack against one of its users.<\/p>\n<p>Victims of the &#8220;Epic&#8221; malware fall into the following categories: government entities (Ministry of Interior, Ministry of Trade, Ministry of Foreign Affairs, intelligence agencies), embassies, the military, research and education organizations, and pharmaceutical companies. Most of the victims are in the Middle East and Europe, but the researchers report that infections have also been seen in other regions, including the USA. In total, Kaspersky Lab experts observed hundreds of victim IPs affected in more than 45 countries, with France at the top of the list.<\/p>\n<p>Kaspersky Lab researchers discovered that Epic Turla uses zero-day exploits, social engineering and watering hole techniques (websites on topics of interest to the victims that have been compromised by the attackers and injected to serve malicious code) to infect its victims. For example, Kaspersky Lab observed more than 100 injected websites (watering holes) in total. The choice of websites reflects the specific interests of the attackers. 
For example, most of the infected Spanish-language websites belong to local government institutions.<\/p>\n<p>When an unsuspecting user opens a PDF file containing malicious code on a vulnerable system, the machine is automatically infected, giving the attacker immediate and full control over the target system.<\/p>\n<p>Once the user is infected, the Epic backdoor immediately connects to the command-and-control (C&amp;C) server and sends a pack containing the victim&#8217;s system information. Once a system is compromised, the attackers receive a summary of the victim&#8217;s information and, based on it, send pre-configured patch files containing a series of commands for execution. In addition, the attackers upload custom lateral-movement tools, including a dedicated keylogger, a RAR archiver and standard utilities such as Microsoft&#8217;s DNS query tool.<\/p>\n<p>The first stage of Turla. During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy more sophisticated backdoors, which some antivirus products call the &#8220;Cobra\/Carbon system&#8221; and also &#8220;Pfinet&#8221;. 
After some time, the attackers went further and used the Epic plug-in to update the &#8220;Carbon&#8221; configuration with a different set of command-and-control servers.<\/p>\n<p>Costin Raiu, Head of the Global Research and Analysis Team at Kaspersky Lab, comments: &#8220;The configuration updates for the Carbon system malware are very interesting, because this is another Turla project. This means that we are dealing with a multi-stage infection that begins with Epic Turla. Epic Turla is used to gain a foothold and validate the victim&#8217;s profile. If the victim is interesting, it is upgraded to the full Turla Carbon system.&#8221;<\/p>\n<p>The attackers behind Turla are clearly not native English speakers. There are indications that give some clues about the attackers&#8217; nationality. For example, some of the backdoors were compiled on a system using the Russian language. In addition, the internal name of one of the Epic backdoors, &#8220;Zagruzchik.dll&#8221;, means &#8220;bootloader&#8221; or &#8220;load program&#8221; in Russian. Finally, the code page in the Epic main control panel is set to 1251, which is used for the Cyrillic alphabet.<\/p>\n<p>To learn more about the &#8220;Epic Turla&#8221; operation, read the blog posts at Securelist.com.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Turla is foremost among the most sophisticated ongoing cyber-espionage campaigns. 
The Epic malware is the first stage of Turla&#8217;s infection process. An unsuspecting user, on a system with security vulnerabilities, containing malicious code<\/p>\n","protected":false},"author":350,"featured_media":1322,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1287,1351],"tags":[620,618,621,619],"class_list":{"0":"post-1321","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-epic","10":"tag-hedefli-saldirilar","11":"tag-snake","12":"tag-turla"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/kaspersky-lab-turla-siber-casusluk-kampanyasinin-sirlarini-aciga-cikardi\/1321\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/epic\/","name":"epic"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/1321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/350"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=1321"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/1321\/revisions"}],"predecessor-version":[{"id":7295,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/1321\/revisions\/7295"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/1322"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?paren
t=1321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=1321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=1321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}