{"id":8900,"date":"2020-10-12T14:43:09","date_gmt":"2020-10-12T11:43:09","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=8900"},"modified":"2020-10-12T14:43:09","modified_gmt":"2020-10-12T11:43:09","slug":"mosregressor-uefi-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/mosregressor-uefi-malware\/8900\/","title":{"rendered":"MosaicRegressor: malware delivery via a UEFI bootkit"},"content":{"rendered":"<p>Our researchers recently uncovered <a href=\"https:\/\/securelist.com\/mosaicregressor\/98849\/\" target=\"_blank\" rel=\"noopener\">an advanced targeted attack<\/a> aimed at diplomatic institutions and NGOs in Asia, Europe and Africa. As far as we could determine, all of the victims were connected to North Korea in some way, whether through non-profit activities or diplomatic relations.<\/p>\n<p>The attackers used a sophisticated modular cyberespionage framework that our researchers named MosaicRegressor. Our investigation revealed that in some cases the malware got onto victims' computers through modified UEFI firmware. This is an extremely rare occurrence. In many cases, however, the attackers used a more traditional method: spear phishing.<\/p>\n<h2>What is UEFI and why is a bootkit dangerous?<\/h2>\n<p>Like the BIOS it replaced, UEFI is software that runs when the computer starts, even before the operating system boots. Moreover, UEFI is stored not on the hard drive but on a chip on the motherboard. If cybercriminals modify the UEFI code, they can use it to deliver malware to the victim's system.<\/p>\n<p>That is exactly what we discovered in the attack described above. What is more, when building the modified UEFI firmware, the attackers used the source code of VectorEDK, a Hacking Team bootkit that was leaked online. Although the source code became public in 2015, this is the first evidence we have seen of cybercriminals using it.<\/p>\n<p>When the system starts, the bootkit plants the malicious IntelUpdate.exe file in the system startup folder. That executable downloads and installs another MosaicRegressor component on the computer. Given how isolated UEFI is from the operating system, even if the malicious file is detected, removing it is almost impossible. Neither deleting the file nor reinstalling the operating system helps. The only way to fix the problem is to reflash the motherboard firmware.<\/p>\n<h2>How MosaicRegressor does harm<\/h2>\n<p>Having got onto victims' computers (through compromised UEFI or spear phishing), the MosaicRegressor components contacted the C&amp;C servers, then downloaded and ran additional modules. Those modules were then used to steal information. For example, one of them sent recently opened documents to the cybercriminals.<\/p>\n<p>Several mechanisms were used to communicate with the C&amp;C servers: the cURL library (for HTTP\/HTTPS), the Background Intelligent Transfer Service (BITS) interface, the WinHTTP programming interface, and public mail services using the POP3S, SMTPS or IMAPS protocols.<\/p>\n<p>This <a href=\"https:\/\/securelist.com\/mosaicregressor\/98849\/\" target=\"_blank\" rel=\"noopener\">Securelist post<\/a> gives a more detailed technical analysis of the MosaicRegressor malicious framework, together with indicators of compromise.<\/p>\n<h2>How to protect yourself against MosaicRegressor<\/h2>\n<p>To protect against MosaicRegressor, the first threat to neutralize is spear phishing, the starting point of the most advanced attacks. To give your employees' computers maximum protection against this type of attack, we recommend combining security products that use advanced anti-phishing technologies with <a href=\"https:\/\/www.kaspersky.com.tr\/enterprise-security\/security-awareness?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksa___\" target=\"_blank\" rel=\"noopener\">training<\/a> to build employee awareness.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Our security solutions<\/a> detect the malicious modules tasked with stealing data.<\/p>\n<p>As for the compromised firmware, unfortunately we do not know exactly how the bootkit got onto victims' computers. Based on data from the Hacking Team leak, it is likely that the attackers needed physical access and used a USB drive to infect the machines. However, other methods of compromising UEFI cannot be ruled out.<\/p>\n<p>To protect against the MosaicRegressor UEFI bootkit:<\/p>\n<ul>\n<li>Check your computer or motherboard manufacturer's website to find out whether your hardware supports Intel Boot Guard, which prevents unauthorized modification of the UEFI firmware.<\/li>\n<li>Use full disk encryption to prevent a bootkit from loading its payload.<\/li>\n<li>Use reliable <a href=\"https:\/\/www.kaspersky.com.tr\/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solutions<\/a> that can scan for and identify threats of this kind. Since 2019, our products have been able to look for threats hiding in ROM BIOS and UEFI firmware. In fact, our dedicated Firmware Scanner technology was the first to detect this attack.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are using a sophisticated malicious framework whose toolset includes some tools leaked from Hacking Team.<\/p>\n","protected":false},"author":2506,"featured_media":8901,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[2288,337,2178,2290,333,2289],"class_list":{"0":"post-8900","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-bootkit","10":"tag-sas","11":"tag-sas-2020","12":"tag-sashome","13":"tag-security-analyst-summit","14":"tag-uefi"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/mosregressor-uefi-malware\/8900\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8900","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2506"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=8900"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8900\/revisions"}],"predecessor-version":[{"id":8902,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8900\/revisions\/8902"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/8901"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=8900"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=8900"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=8900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}