{"id":45910,"date":"2022-06-21T00:48:05","date_gmt":"2022-06-20T21:48:05","guid":{"rendered":"https:\/\/kutaybilen.com.tr\/?p=45910"},"modified":"2022-06-21T00:48:05","modified_gmt":"2022-06-20T21:48:05","slug":"yeni-virus-yapilandirma-icin-youtubeyi-berbata-kullaniyor","status":"publish","type":"post","link":"https:\/\/kutaybilen.com.tr\/?p=45910","title":{"rendered":"New Virus Abuses YouTube for Configuration"},"content":{"rendered":"<p><strong>ESET<\/strong> researchers have identified a new <strong>banking trojan<\/strong> known as <strong>Numando<\/strong> that abuses <strong>YouTube, Pastebin<\/strong> and other <strong>public platforms<\/strong> as C2 infrastructure in order to spread.<\/p>\n<p>The threat actor behind this virus has been active since at least 2018 and focuses almost exclusively on Brazil, although experts note that there have also been a small number of attacks against users in Mexico and Spain. Like other Latin American banking trojans, this new strain is written in <strong>Delphi<\/strong> and relies on deceiving victims with fake windows in order to steal sensitive information.<\/p>\n<p><b>The virus targets victims' credentials<\/b><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.webtekno.com\/images\/editor\/default\/0003\/27\/f5edb09dd8be5e40c505ba1d30758a8da79af8ed.jpeg\"\/><\/p>\n<p>In the analysis it published, ESET stated: \u201c<em>Some Numando variants store these images in an encrypted ZIP archive in their .rsrc sections, while others use a separate Delphi DLL solely for this storage. The backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart the machine and terminate browser processes.<\/em>\u201d and \u201c<em>However, unlike other Latin American banking trojans, the commands are defined as numbers rather than strings, which is also what inspired the name we gave this malware family.<\/em>\u201d<\/p>\n<p>The experts noticed that, unlike the other Latin American banking trojans they analyzed, Numando is <strong>not<\/strong> under development.<\/p>\n<p>Distributed almost exclusively through <strong>malicious spam campaigns<\/strong>, Numando's recent attacks used messages with a <strong>ZIP<\/strong> attachment containing an <strong>MSI<\/strong> installer. The installer contains a CAB archive holding a legitimate application, an injector and an encrypted Numando banking trojan DLL. Running the MSI also activates the legitimate application and the injector, which decrypts and loads the payload. Once Numando is installed on the target device, it causes <strong>fake windows<\/strong> to appear that capture the victim's credentials whenever they visit a financial institution's website.<\/p>\n<p><b>It takes advantage of public services<\/b><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.webtekno.com\/images\/editor\/default\/0003\/27\/7a0baa53fdfc6ac3328bdfefd909586d473c91d2.jpeg\"\/><\/p>\n<p>In addition, the experts uncovered another <strong>distribution chain<\/strong> used in recent attacks, which begins with a Delphi downloader fetching a decoy ZIP archive. The downloader ignores the contents of the ZIP archive and instead extracts an encrypted, hex-encoded string from the ZIP file comment at the end of the file; decrypting this string yields <strong>a different URL pointing to the real payload archive<\/strong>.<\/p>\n<p>The report also states: \u201c<em>The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. When the downloader extracts the contents of this archive and runs the legitimate application, which in turn loads the injector, the Numando banking trojan is extracted from the BMP overlay and starts running.<\/em>\u201d and \u201c<em>Because this BMP file is a valid image and the overlay is simply ignored, it can be opened without problems in most viewers and editors.<\/em>\u201d<\/p>\n<p>Numando makes use of public services such as Pastebin and YouTube for remote configuration, a technique also used by other malware such as <strong>Casbaneiro<\/strong>.<\/p>\n<p>Numando can also <strong>simulate<\/strong> mouse clicks and keyboard actions, take control of the PC's shutdown and restart functions, take screenshots and terminate browser processes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have identified a new banking trojan known as Numando that abuses YouTube, Pastebin and other public platforms as C2 infrastructure in order to spread &#8230;<\/p>\n","protected":false},"author":1,"featured_media":45911,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[854],"tags":[6403,3808],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/45910"}],"collection":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=45910"}],"version-history":[{"count":1,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/45910\/revisions"}],"predecessor-version":[{"id":45912,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/posts\/45910\/revisions\/45912"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=\/wp\/v2\/media\/45911"}],"wp:attachment":[{"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=45910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=45910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kutaybilen.com.tr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=45910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}