{"id":29862,"date":"2022-05-20T11:30:05","date_gmt":"2022-05-20T08:30:05","guid":{"rendered":"https:\/\/kutaybilen.com.tr\/?p=29862"},"modified":"2022-05-20T11:30:05","modified_gmt":"2022-05-20T08:30:05","slug":"excel-belgesiyle-guvenlik-sistemlerini-atlatan-bir-prosedur-bu","status":"publish","type":"post","link":"https:\/\/kutaybilen.com.tr\/?p=29862","title":{"rendered":"This Is a Method That Bypasses Security Systems with an Excel Document"},"content":{"rendered":"<p>The methods hackers use to break into systems can sometimes be truly surprising. Yet another of these surprising methods has now been discovered. A malware group has created <strong>malicious Excel documents<\/strong>. These documents have a very low detection rate and a correspondingly high rate of bypassing security systems.<\/p>\n<p><strong>Epic Manchego<\/strong>, the malware group discovered by security researchers at NVISO Lab, has been active since June and targets companies worldwide with e-mails containing malicious Excel documents. According to NVISO&#8217;s statement, these are not standard Excel spreadsheets.
These malicious Excel documents can bypass security scanners.<\/p>\n<p><b>Malicious Excel documents<\/b><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.webtekno.com\/images\/editor\/default\/0002\/81\/566eec3eb3103a5917a89220c8069e6838745003.jpeg\"\/><\/p>\n<p>According to NVISO Lab, the reason they can bypass security scanners is that they are compiled not with standard <strong>Microsoft Office<\/strong> software but with a .NET library called <strong>EPPlus<\/strong>. This library can be used to create spreadsheets in many formats and even supports Excel 2019. NVISO said that the Office Open XML (OOXML) spreadsheets created by Epic Manchego lack the compiled VBA code that is specific to Excel documents compiled in Microsoft Office software.<\/p>\n<p>This compiled VBA code is usually where the attacker&#8217;s malicious code resides. NVISO says that Epic Manchego stores its malicious code in a custom VBA format that is also <strong>password-protected<\/strong>, which lets it evade security systems and the researchers analyzing the content. In addition, although a different method is used to create these malicious Excel documents, the EPPlus-based spreadsheets work like any other Excel document.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.webtekno.com\/images\/editor\/default\/0002\/81\/0a682e9bdb240dab3bbe463a4e72e31c70e582a8.jpeg\"\/><\/p>\n<p>The malicious documents contain malicious macro code.
If the user who opens the Excel document clicks the enable editing button, this macro code downloads and installs the malware on the victim&#8217;s computer. Finally, information-stealing <strong>Trojans<\/strong> such as Azorult, AgentTesla, Formbook, Matiex and njRat send data from the user&#8217;s browsers, e-mails and FTP clients to Epic Manchego&#8217;s servers.<\/p>\n<p>Using EPPlus to create malicious Excel documents worked in Epic Manchego&#8217;s favor at first, but in the long run it works against the group. By scanning for these unusual Excel documents, Epic Manchego&#8217;s past operations can be tracked. Using this method, NVISO identified <strong>more than 200 malicious Excel documents linked<\/strong> to the Epic Manchego group. The first of these documents was found to be dated June 22.<\/p>\n<p>NVISO stated that the group has gained experience with this technique and that, since the first attack, it has increased both its attacks and <strong>the complexity of its attacks<\/strong>. It also stated that these attacks could find wider use in the future.<\/p>\n<div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>The methods hackers use to break into systems can sometimes be truly surprising.
Once again, from among these surprising methods &#8230;<\/p>\n","protected":false},"author":1,"featured_media":29863,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[15],"tags":[4148,1125,1237,1713],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/29862"}],"collection":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29862"}],"version-history":[{"count":1,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/29862\/revisions"}],"predecessor-version":[{"id":29864,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/29862\/revisions\/29864"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/media\/29863"}],"wp:attachment":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}