{"id":8903,"date":"2020-10-19T12:42:24","date_gmt":"2020-10-19T09:42:24","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=8903"},"modified":"2020-10-19T12:42:24","modified_gmt":"2020-10-19T09:42:24","slug":"montysthree-industrial-cyberspy","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/montysthree-industrial-cyberspy\/8903\/","title":{"rendered":"MontysThree: Industrial cyberspies"},"content":{"rendered":"<p>Our experts have uncovered traces of the activity of a new cybercriminal group that spies on industrial organizations. The attackers carry out targeted attacks using a tool, which our researchers have named MontysThree, that hunts for documents on victims' computers. The group appears to have been active since roughly 2018.<\/p>\n<h2>How does MontysThree infect computers?<\/h2>\n<p>The cybercriminals use classic spear-phishing techniques to get into victims' computers: they send employees of industrial organizations e-mails carrying executable files disguised as .pdf or .doc documents. Such files usually have names like \u201cCorporate data update\u201d, \u201cTechnical specification\u201d, \u201c2019 employee phone number list\u201d and the like. 
In some cases the attackers try to pass the files off as medical documents, with names such as \u201cMedical analysis results\u201d or \u201cInvitro-106650152-1.pdf\u201d (Invitro is one of the largest medical laboratories in Russia).<\/p>\n<h2>What are the attackers after?<\/h2>\n<p>MontysThree targets specific documents in Microsoft Office and Adobe Acrobat formats stored in various directories and on connected media. Once the malware has infected a machine, it profiles the victim's computer by sending its C&amp;C server the system version, a list of running processes and screenshots of the desktop, along with lists of recently opened documents with the extensions .doc, .docx, .xls, .xlsx, .rtf, .pdf, .odt, .psw and .pwd found in the USERPROFILE and APPDATA directories.<\/p>\n<h2>What else can MontysThree do?<\/h2>\n<p>The developers built a number of unusual mechanisms into their malware. For example, once the computer is infected, the loader module extracts the main module, in encrypted form, from an image in which it is hidden by steganography, and then decrypts it. 
Our experts believe the attackers wrote the steganography algorithm from scratch rather than copying it from open-source examples, as is usually done.<\/p>\n<p>The malware communicates with its C&amp;C server over WebDAV and through public cloud services such as Google, Microsoft and Dropbox. The communication module can also make requests over RDP and Citrix. Moreover, the malware developers did not embed any communication protocol in their own code: instead, MontysThree relies on legitimate programs (RDP and Citrix clients, Internet Explorer).<\/p>\n<p>To keep the malware on the victim's system for as long as possible, an auxiliary module modifies the shortcuts in the Windows Quick Launch panel. As a result, when the user clicks a shortcut (to a browser, for example), the MontysThree loader module is launched at the same time.<\/p>\n<h2>Who are the attackers?<\/h2>\n<p>Our experts believe there is no link between MontysThree's developers and past attacks; this appears to be an entirely new cybercriminal group. Judging by text fragments in the code, the authors' native language is Russian, and their main targets are most likely companies that use Russian as their primary working language. 
Some of the directories the malware uses exist only in the Cyrillic version of the system. On the other hand, although our experts found account details for communication services that hint at a Chinese origin for the attack, they believe these are false flags planted to cover the attackers' tracks.<\/p>\n<p><a href=\"https:\/\/securelist.com\/montysthree-industrial-espionage\/98972\/\" target=\"_blank\" rel=\"noopener\">A detailed technical description of MontysThree, together with indicators of compromise, is available in our post on Securelist<\/a>.<\/p>\n<h2>What should you do?<\/h2>\n<p>First, remind all employees once again that targeted attacks usually begin with an e-mail, so they need to be extremely careful, especially when opening files they were not expecting. 
To make doubly sure they understand why they must stay alert, we recommend not only explaining the dangers of such behavior but also using the Kaspersky Automated Security Awareness Platform to build your employees' ability to counter modern cyberthreats.<\/p>\n<p>In addition, to defend against advanced targeted attacks, use integrated security solutions that combine endpoint protection, EDR capabilities and additional tools for analyzing and neutralizing attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals hide their code with steganography and hunt for industrial data. 
<\/p>\n","protected":false},"author":2581,"featured_media":8904,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[493,709,2291,337,2178,2290,333],"class_list":{"0":"post-8903","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-apt","10":"tag-casusluk","11":"tag-endustriyel-guvenlik","12":"tag-sas","13":"tag-sas-2020","14":"tag-sashome","15":"tag-security-analyst-summit"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/montysthree-industrial-cyberspy\/8903\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/montysthree-industrial-cyberspy\/21976\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/17454\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/23423\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/montysthree-industrial-cyberspy\/21611\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/20265\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/montysthree-industrial-cyberspy\/24049\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/montysthree-industrial-cyberspy\/23048\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/37263\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/montysthree-industrial-cyberspy\/15785\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/montysthree-industrial-cyberspy\/16173\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/montysthree-industrial-cyberspy\/25442\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/montysthree-industrial-cyberspy\/12046\/"},{"hreflang":"ja","url"
:"https:\/\/blog.kaspersky.co.jp\/montysthree-industrial-cyberspy\/29387\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/montysthree-industrial-cyberspy\/26198\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/montysthree-industrial-cyberspy\/28272\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/montysthree-industrial-cyberspy\/28096\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8903","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=8903"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8903\/revisions"}],"predecessor-version":[{"id":8905,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8903\/revisions\/8905"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/8904"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=8903"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=8903"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=8903"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
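The infection section above describes the lure: an executable carrying a document-like name such as "Technical specification" or "Invitro-106650152-1.pdf". The check a mail gateway or triage script wants is to compare the name an attachment presents with what its first bytes actually are. The following is an added example written for this page, not Kaspersky's code or a detection from the report; the attachment contents are constructed byte strings (only the filenames are taken from the post), and the right-to-left-override check goes slightly beyond the post, which mentions only plain document-like names.

```python
"""Flag e-mail attachments that claim to be documents but carry executable content.

Added example (not Kaspersky's code) for the MontysThree lure: a Windows
executable named like a PDF or DOC. All attachment bytes below are constructed.
"""
from dataclasses import dataclass, field

# Leading bytes a file of each document type is expected to start with.
DOCUMENT_MAGIC = {
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound file
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "docx": (b"PK\x03\x04",),                        # OOXML is a ZIP container
    "xlsx": (b"PK\x03\x04",),
    "rtf": (b"{\\rtf",),
}
EXECUTABLE_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "dll"}
RLO = "\u202e"  # right-to-left override: "list\u202efdp.exe" renders as "listexe.pdf"


@dataclass
class Verdict:
    filename: str
    suspicious: bool = False
    reasons: list = field(default_factory=list)


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Compare the name an attachment presents with what its bytes actually are."""
    verdict = Verdict(filename)
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""

    if RLO in filename:
        verdict.reasons.append("right-to-left override character in filename")
    if claimed in EXECUTABLE_EXTS:
        verdict.reasons.append(f"executable extension .{claimed}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_MAGIC:
            verdict.reasons.append(f"document extension .{parts[-2]} hidden before .{claimed}")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            verdict.reasons.append(f"content is a {kind}")
    if claimed in DOCUMENT_MAGIC and not data.startswith(DOCUMENT_MAGIC[claimed]):
        verdict.reasons.append(f"content does not match the claimed .{claimed} format")
    verdict.suspicious = bool(verdict.reasons)
    return verdict


def scan_attachments(attachments: dict) -> dict:
    """Run check_attachment over a {filename: bytes} mapping."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


# Constructed sample mailbox: one genuine PDF and two lures shaped like the post
# describes (a PE image behind a .pdf name, and a double extension). PE_STUB is
# a made-up DOS header, not a real sample.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"
SAMPLE_ATTACHMENTS = {
    "Technical specification.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "Invitro-106650152-1.pdf": PE_STUB,
    "2019 employee phone list.doc.exe": PE_STUB,
}

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        state = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{state:10} {name}: {'; '.join(verdict.reasons)}")
```

The magic-byte test is the one that matters: an extension can be renamed, but a PE file still begins with `MZ`, so a mismatch between the claimed format and the leading bytes catches the lure regardless of how convincing the name is.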
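The "What else can MontysThree do?" section says the loader pulls the encrypted main module out of an image by steganography and then decrypts it. To make that step concrete, here is the textbook least-significant-bit scheme, added as an illustration for this page. It is not Kaspersky's code, and it is not MontysThree's algorithm, which the post says was written from scratch and is not reproduced here. The cover "image" is a constructed pixel buffer, the embedded module is a fake PE-shaped blob, and the XOR cipher and key are stand-ins for whatever cipher the real loader uses.

```python
"""Least-significant-bit steganography: hide a byte blob in the pixel bytes of an
image and recover it, the way a loader pulls an embedded module out of a picture.

Added illustration, not Kaspersky's code; MontysThree's own algorithm is custom and
is not reproduced here. The toy XOR stands in for the real module's encryption.
"""
import struct


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Store a 4-byte length header plus payload, one bit per cover byte (MSB first)."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(framed)}")
    out = bytearray(cover)
    for i, byte in enumerate(framed):
        for bit in range(8):
            out[i * 8 + bit] = (out[i * 8 + bit] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_bits(carrier: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at bit offset `offset`."""
    result = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (carrier[offset + i * 8 + bit] & 1)
        result.append(value)
    return bytes(result)


def lsb_extract(carrier: bytes) -> bytes:
    """Read the length header, then that many payload bytes; reject impossible lengths."""
    (length,) = struct.unpack(">I", _read_bits(carrier, 0, 4))
    if 32 + length * 8 > len(carrier):
        raise ValueError("length header exceeds carrier: not an LSB container or corrupted")
    return _read_bits(carrier, 32, length)


KEY = b"\x5a\xa5"  # toy key, an assumption of this example


def xor_cipher(data: bytes, key: bytes = KEY) -> bytes:
    """Symmetric toy cipher: applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed inputs: a deterministic 64x64 RGB "image" and a fake PE-shaped module.
COVER = bytes((x * 7 + 13) % 256 for x in range(64 * 64 * 3))
FAKE_MODULE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"stand-in for the encrypted main module"


def build_stego_image() -> bytes:
    """Attacker side: the encrypted module hidden in the image's LSBs."""
    return lsb_embed(COVER, xor_cipher(FAKE_MODULE))


def recover_module(stego: bytes) -> bytes:
    """Loader side: extract, decrypt, then sanity-check for a PE header."""
    module = xor_cipher(lsb_extract(stego))
    if not module.startswith(b"MZ"):
        raise ValueError("decrypted blob is not a PE image")
    return module


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How far any single byte moved; LSB embedding never changes a byte by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    img = build_stego_image()
    print(len(recover_module(img)), "bytes recovered; max per-byte change:", max_pixel_change(COVER, img))
```

The point for a defender is the last function: a carrier that has had a module written into it is visually identical to the original, so the image itself is not the artifact to hunt for. The loader that reads the image back, and the decrypted PE it drops into memory, are.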
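The persistence paragraph above says an auxiliary module rewrites Quick Launch shortcuts so that clicking, say, the browser shortcut also starts the MontysThree loader. Auditing that means reading each `.lnk` file's target and arguments and asking whether the command line launches more than the program the shortcut is named after. The following is an added example for this page, not Kaspersky's code: a minimal parser for the Windows Shell Link format (MS-SHLLINK) plus heuristics that are this example's own, not indicators from the report. The sample shortcuts are built in-code so the example runs offline; on a real host you would feed it the files under `%APPDATA%\Microsoft\Internet Explorer\Quick Launch`.

```python
"""Parse Windows .lnk files (MS-SHLLINK) and flag shortcuts whose command line
launches more than the program they are named after.

Added example for the Quick Launch persistence described in the post; not
Kaspersky's code. Heuristics and sample shortcuts are constructed for this example.
"""
import re
import struct

# LinkFlags bits from the ShellLinkHeader.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"), (HAS_ICON, "icon"))


def _cstring(data: bytes, start: int) -> str:
    return data[start:data.index(b"\x00", start)].decode("cp1252", "replace")


def parse_lnk(data: bytes) -> dict:
    """Return the resolved target path, arguments and the other StringData fields."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:                    # LinkInfo carries the local base path
        info_size, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath
            target = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
        pos += info_size
    fields = {}
    for flag, name in STRING_DATA:               # StringData entries appear in this fixed order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    fields["target"] = target or fields.get("relative_path", "")
    fields.setdefault("arguments", "")
    return fields


LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "%temp%", "\\temp\\", "\\users\\public\\")


def audit_shortcut(lnk: dict) -> list:
    """Reasons a shortcut looks tampered with (heuristics of this example, not from the report)."""
    reasons = []
    cmdline = f"{lnk['target']} {lnk['arguments']}".lower()
    exe = lnk["target"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in LAUNCHERS:
        reasons.append(f"target is a launcher/interpreter: {exe}")
    refs = re.findall(r"\.(?:exe|dll|scr|bat|cmd|js|vbs|ps1|hta)\b", cmdline)
    if len(refs) > 1:
        reasons.append(f"command line references {len(refs)} executables")
    if any(marker in cmdline for marker in USER_WRITABLE):
        reasons.append("command line points into a user-writable directory")
    return reasons


def audit_all(shortcuts: dict) -> dict:
    return {name: audit_shortcut(parse_lnk(blob)) for name, blob in shortcuts.items()}


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Build a spec-shaped .lnk: header, dummy IDList, LinkInfo with LocalBasePath, StringData."""
    flags = HAS_ID_LIST | HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 6) + b"\x04\x00\xaa\xbb\x00\x00"   # one 4-byte ItemID + TerminalID
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    base, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 28, 1, 28, base_off, 0, suffix_off) + volume_id + base + suffix
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + id_list + link_info + args


# Constructed Quick Launch contents: an untouched browser shortcut and one rewritten
# to start a loader from %APPDATA% before the real browser.
SAMPLE_SHORTCUTS = {
    "Google Chrome.lnk": build_lnk(r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    "Internet Explorer.lnk": build_lnk(
        r"C:\Windows\System32\cmd.exe",
        r'/c start "" "%APPDATA%\updater\loader.exe" & start "" "C:\Program Files\Internet Explorer\iexplore.exe"'),
}

if __name__ == "__main__":
    for name, reasons in audit_all(SAMPLE_SHORTCUTS).items():
        print(name, "->", "; ".join(reasons) or "ok")
```

The parser resolves the target from `LinkInfo.LocalBasePath` rather than trusting the display name or icon, which is exactly what a tampered shortcut leaves untouched. Because the comparison is against a baseline of the legitimate program, the same audit applies to pinned-taskbar and Start-menu shortcuts, which live in sibling directories.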