<h1>MATA: A multi-platform malware framework</h1>
<p>Published 2020-08-05 on the Kaspersky Daily blog (Turkish edition): <a href="https://www.kaspersky.com.tr/blog/mata-framework/8655/">https://www.kaspersky.com.tr/blog/mata-framework/8655/</a>. Tags: targeted attacks, Lazarus.</p>
<p><em>Summary: Our experts have detected a malware framework that cybercriminals are using to attack several operating systems.</em></p>
<p>The tools cybercriminals use keep evolving. The latest example is the malicious MATA framework, which our experts uncovered a short time ago. Cybercriminals are using this framework to attack corporate infrastructures around the world. MATA can run under several operating systems and comes with a very broad range of malicious tools.</p>
<p>Malicious actors could potentially use MATA for a wide variety of crimes. In the cases we analyzed, however, the cybercriminals were trying to locate customer databases in the victim's infrastructure and steal data from them. In at least one case they also used MATA to spread ransomware. Our experts will examine that case separately.</p>
<p>The attackers' range of interests is quite broad. MATA's known victims include software developers, internet service providers, e-commerce sites and more. The geography of the attacks is also wide: we found traces of the group's activity in Poland, Germany, Turkey, Korea, Japan and India.</p>
<h2>Why do we call MATA a framework?</h2>
<p>MATA is not just a feature-rich piece of malware. It is a kind of builder that loads the required tools when they are needed. Let's start with the fact that MATA can attack computers running the three most popular operating systems: Windows, Linux and macOS.</p>
<h3>Windows</h3>
<p>Our experts first detected MATA attacks targeting Windows devices. The attacks took place in several stages. MATA operators initially ran a loader, called the orchestrator module, on the victim's computer. This module can download other modules with a wide variety of malicious functions.</p>
<p>Depending on the characteristics of the particular attack scenario, the modules can be loaded from a remote HTTP or HTTPS server or from an encrypted file on the hard disk, or transferred from the MataNet infrastructure over a TLS 1.2 connection. The various MATA plugins can:</p>
<ul>
<li>Run cmd.exe /c or powershell.exe with additional parameters and collect the responses to these commands;</li>
<li>Manipulate processes (kill, create, etc.);</li>
<li>Check for a TCP connection to a specific address (or a range of addresses);</li>
<li>Create an HTTP proxy server that is ready for incoming TCP connections;</li>
<li>Manipulate files (write data, send them, delete content, etc.);</li>
<li>Inject DLL files into running processes;</li>
<li>Connect to remote servers.</li>
</ul>
<h3>Linux and macOS</h3>
<p>As our experts advanced their research, they found a similar toolset aimed at Linux. Alongside Linux versions of the orchestrator and the plugins, it included the legitimate <a href="https://threatpost.com/socat-warns-weak-prime-number-could-mean-its-backdoored/116104/" target="_blank" rel="noopener nofollow">command-line utility Socat</a> and scripts that exploit the CVE-2019-3396 vulnerability in Atlassian Confluence Server.</p>
<p>The plugin set differs slightly from the one seen on Windows. Among the plugins was an extra one with which MATA tries to establish a TCP connection using port <a href="https://www.adminsub.net/tcp-udp-port-finder/8292" target="_blank" rel="noopener nofollow">8291</a> (used to administer devices running RouterOS) and port 8292 (used by the Bloomberg Professional software). If the connection attempt succeeds, the plugin transfers the log to the C&amp;C (command and control) server. We assume this serves to identify new targets.</p>
<p>As for the macOS tools, they were found in a trojanized application based on open-source software. In terms of functionality, the macOS version was almost identical to the Linux one.</p>
<p>You can find a detailed technical description of the framework and indicators of compromise in <a href="https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/" target="_blank" rel="noopener">the related post on Securelist</a>.</p>
<h2>How can you protect yourself?</h2>
<p>Our experts say there is a link between MATA and the Lazarus APT, and that the attacks carried out with this framework are definitely targeted. The researchers are confident that MATA will continue to evolve. For that reason, we recommend that even small companies consider using advanced technologies that protect not only against mass threats but also against more sophisticated ones. To that end, we offer an integrated solution that combines Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) capabilities with additional tools. You can learn more on <a href="https://www.kaspersky.com.tr/small-to-medium-business-security/endpoint-security-solution?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">our website</a>.</p>