{"id":13948,"date":"2025-11-06T20:34:53","date_gmt":"2025-11-06T17:34:53","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=13948"},"modified":"2025-11-06T20:34:53","modified_gmt":"2025-11-06T17:34:53","slug":"forumtroll-dante-leetagent","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/forumtroll-dante-leetagent\/13948\/","title":{"rendered":"ForumTroll and its Italian colleagues"},"content":{"rendered":"<p>Our experts from the Kaspersky Global Research and Analysis Team (GReAT) have reconstructed the infection chain used in attacks by the ForumTroll APT group. During the investigation, they discovered that the tools used by ForumTroll were also used to distribute the commercial malware Dante. Boris Larin gave a detailed presentation on this <a href=\"https:\/\/securelist.com\/forumtroll-apt-hacking-team-dante-spyware\/117851\/\" target=\"_blank\" rel=\"noopener\">research<\/a> at the Security Analyst Summit 2025 conference held in Thailand.<\/p>\n<h2>What is the ForumTroll APT and how does it operate?<\/h2>\n<p>In March, our technologies detected previously unknown, sophisticated malware <a href=\"https:\/\/securelist.com\/operation-forumtroll\/115989\/\" target=\"_blank\" rel=\"noopener\">spreading notably among Russian companies<\/a>. 
Using short-lived web pages that exploited the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-2783\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2025-2783<\/a> zero-day vulnerability in Google Chrome, the attackers sent emails to employees of media, government, educational and financial institutions in Russia, inviting them to take part in the Primakov Readings scientific and expert forum. For this reason, the attack campaign was dubbed \u201cForum Troll\u201d, and the group behind it was named ForumTroll. When the link in the email was clicked, the device was infected with malware. The malware used by the attackers was named LeetAgent because it received commands from the control server written in modified forms of <a href=\"https:\/\/tr.wikipedia.org\/wiki\/Leet\" target=\"_blank\" rel=\"noopener nofollow\">Leet<\/a> spelling.<\/p>\n<p>After the initial publication, GReAT experts continued to investigate ForumTroll\u2019s activity. 
In particular, the experts identified several more attacks by the same group against organizations and individuals in Russia and Belarus, and while investigating the attacks involving LeetAgent they also discovered cases in which other, far more sophisticated malware was used.<\/p>\n<h2>What is Dante and what does HackingTeam have to do with it?<\/h2>\n<p>The malware that was found had a modular structure, encrypted its modules using keys unique to each victim, and self-destructed after a certain period if it received no commands from the control server. Most interesting of all, however, is that our researchers managed to identify it as Dante, commercial spyware developed by the Italian company Memento Labs (formerly Hacking Team).<\/p>\n<p>HackingTeam was one of the pioneers of commercial spyware. In 2015, however, the company\u2019s own infrastructure was hacked and a significant portion of its internal documents, including the source code of its commercial spyware, was published online. 
After that, the company was sold and renamed Memento Labs.<\/p>\n<p>You can find more information about what the Dante malware can do and how our experts determined that it was Dante, along with the relevant indicators of compromise, in the <a href=\"https:\/\/securelist.com\/forumtroll-apt-hacking-team-dante-spyware\/117851\/\" target=\"_blank\" rel=\"noopener\">Securelist blog<\/a> post.<\/p>\n<h2>How can you stay safe?<\/h2>\n<p>The attacks using LeetAgent were initially detected by <a href=\"https:\/\/www.kaspersky.com.tr\/next?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____99cf0f930d9987ff\" target=\"_blank\" rel=\"noopener\">our XDR solution<\/a>. In addition, the details of this research, along with any information we obtain in the future about the ForumTroll group and the Dante spyware, will be made available to subscribers of our APT threat data service on the <a href=\"https:\/\/www.kaspersky.com.tr\/enterprise-security\/threat-intelligence?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Threat Intelligence Portal<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"mdr\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"mdr\" value=\"13829\">\n","protected":false},"excerpt":{"rendered":"<p>Our experts identified tools used in common by both the ForumTroll APT group and attackers leveraging Memento Labs&#8217; Dante malware.<\/p>\n","protected":false},"author":2706,"featured_media":13950,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[493,627,2819],"class_list":{"0":"post-13948","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-apt","10":"tag-great","11":"tag-thesas2025"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/forumtroll-dante-leetagent\/13948\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/forumtroll-dante-leetagent\/12959\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/forumtroll-dante-leetagent\/28696\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/forumtroll-dante-leetagent\/31586\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/forumtroll-dante-leetagent\/30240\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/forumtroll-dante-leetagent\/40800\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/forumtroll-dante-leetagent\/54670\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/forumtroll-dante-leetagent\/23337\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/forumtroll-dante-leetagent\/29892\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments
?post=13948"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13948\/revisions"}],"predecessor-version":[{"id":13952,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/13948\/revisions\/13952"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/13950"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=13948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=13948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=13948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}