{"id":30679,"date":"2024-11-21T04:00:00","date_gmt":"2024-11-21T01:00:00","guid":{"rendered":"https:\/\/rockvell.com\/?p=30679"},"modified":"2024-11-21T12:09:59","modified_gmt":"2024-11-21T09:09:59","slug":"bacarirsansa-tut-m%c9%99ni-kaspersky-gizli-sifr%c9%99l%c9%99m%c9%99-funskiyalarina-malik-fidy%c9%99-proqrami-askarlayib","status":"publish","type":"post","link":"https:\/\/rockvell.com\/?p=30679","title":{"rendered":"Bacar\u0131rsansa, tut m\u0259ni"},"content":{"rendered":"\n

Bacar\u0131rsansa, tut m\u0259ni: Kaspersky gizli \u015fifr\u0259l\u0259m\u0259 funskiyalar\u0131na malik fidy\u0259 proqram\u0131 a\u015fkarlay\u0131b<\/strong><\/p>\n\n\n\n

Kaspersky Qlobal Kiber \u0130nsidentl\u0259r\u0259 Cavab Qrupu (Kaspersky GERT) qurban se\u00e7ilmi\u015f t\u0259\u015fkilat\u0131n m\u0259lumatlar\u0131n\u0131 a\u015fkarlanmadan yan ke\u00e7\u0259r\u0259k \u015fifr\u0259l\u0259m\u0259k \u00fc\u00e7\u00fcn qabaqc\u0131l mexanizml\u0259rd\u0259n istifad\u0259 ed\u0259n yeni fidy\u0259 proqram\u0131 a\u015fkar edib. Z\u0259r\u0259rli proqram Saturn planetinin nizams\u0131z peykinin \u015f\u0259r\u0259fin\u0259 \u201cYmir\u201d adland\u0131r\u0131l\u0131b. Bu peyk orbitd\u0259 planetin f\u0131rlanmas\u0131na \u0259ks istiqam\u0259td\u0259 h\u0259r\u0259k\u0259t edir. \u201cYmir\u201d ad\u0131 z\u0259r\u0259rli proqram t\u0259r\u0259find\u0259n istifad\u0259 edil\u0259n yadda\u015f idar\u0259etm\u0259 funksiyalar\u0131n\u0131n qeyri-standart birl\u0259\u015fm\u0259sini \u0259ks etdirir.<\/p>\n\n\n

\n
\"\"<\/figure><\/div>\n\n\n

\u201cYmir\u201d nec\u0259 a\u015fkarlan\u0131b<\/strong>. Kaspersky m\u00fct\u0259x\u0259ssisl\u0259ri Kolumbiyada bir t\u0259\u015fkilata bir ne\u00e7\u0259 m\u0259rh\u0259l\u0259d\u0259 edilmi\u015f h\u00fccumu t\u0259hlil ed\u0259rk\u0259n \u201cYmiri\u201d a\u015fkar edibl\u0259r. Birincisi, t\u0259cav\u00fczkarlar i\u015f\u00e7il\u0259rin korporativ hesab m\u0259lumatlar\u0131n\u0131 o\u011furlamaq \u00fc\u00e7\u00fcn \u201cRustyStealer\u201d stilerind\u0259n istifad\u0259 edibl\u0259r. Bu, onlara sistem\u0259 giri\u015f \u0259ld\u0259 etm\u0259k v\u0259 sonra fidy\u0259 proqram\u0131n\u0131 yeritm\u0259k \u00fc\u00e7\u00fcn kifay\u0259t q\u0259d\u0259r uzun m\u00fcdd\u0259t \u0259rzind\u0259 ona n\u0259zar\u0259t etm\u0259y\u0259 imkan verdi.<\/p>\n\n\n\n

T\u0259cav\u00fczkarlar\u0131n bu c\u00fcr davran\u0131\u015f\u0131, y\u0259ni sistem\u0259 n\u00fcfuz edib v\u0259 bir m\u00fcdd\u0259t orada qalmaq, qondarma \u201cilkin giri\u015f brokerl\u0259ri\u201d \u00fc\u00e7\u00fcn xarakterikdir. Onlar ad\u0259t\u0259n h\u00fccuma m\u0259ruz qalan sistem\u0259 giri\u015f m\u0259lumatlar\u0131n\u0131 qaranl\u0131q internetd\u0259 dig\u0259r t\u0259cav\u00fczkarlara sat\u0131rlar. Lakin, bu halda, t\u0259cav\u00fczkarlar \u00e7ox g\u00fcman ki, bunu etm\u0259yib v\u0259 fidy\u0259 proqram\u0131n\u0131 i\u015f\u0259 sal\u0131blar.<\/p>\n\n\n\n

“\u018fg\u0259r qondarma “brokerl\u0259r” v\u0259 fidy\u0259 proqram\u0131n\u0131 sistem\u0259 yerid\u0259nl\u0259r eyni insanlard\u0131rsa, \u0259sas tendensiyadan k\u0259nara \u00e7\u0131xma haqq\u0131nda dan\u0131\u015fmaq olar: t\u0259cav\u00fczkarlar\u0131n \u015fifr\u0259l\u0259m\u0259ni xidm\u0259t kimi ( RaaS) t\u0259klif ed\u0259n \u0259n\u0259n\u0259vi qruplara etibar etm\u0259d\u0259n hakerlik etm\u0259k \u00fc\u00e7\u00fcn \u0259lav\u0259 imkanlar\u0131 var\u201d, – dey\u0259 Kaspersky-nin Qlobal komp\u00fcter insidentl\u0259rin\u0259 reaksiya qrupunun r\u0259hb\u0259ri Konstantin Sapronov qeyd edir.<\/p>\n\n\n\n

T\u0259cav\u00fczkarlar z\u0259r\u0259rli kodu bilavasit\u0259 yadda\u015fda icra etm\u0259k \u00fc\u00e7\u00fcn malloc<\/a>, memmove<\/a> v\u0259\u00a0memcmp<\/a> funksiyalar\u0131n\u0131n qeyri-standart kombinasiyas\u0131ndan istifad\u0259 edibl\u0259r. Bu yana\u015fma \u00fcmumi fidy\u0259 proqramlar\u0131nda istifad\u0259 olunan tipik ard\u0131c\u0131l icraetm\u0259 ax\u0131n\u0131ndan f\u0259rql\u0259nir v\u0259 a\u015fkarlanmadan daha effektiv \u015f\u0259kild\u0259 yay\u0131nma\u011fa imkan verir.<\/p>\n\n\n\n

Bundan \u0259lav\u0259, \u201cYmir\u201d t\u0259cav\u00fczkarlara fayllar\u0131 ist\u0259y\u0259 uy\u011fun \u015fifr\u0259l\u0259m\u0259y\u0259 imkan verir ki, bu da onlara v\u0259ziyy\u0259t\u0259 daha \u00e7ox n\u0259zar\u0259t etm\u0259k f\u00fcrs\u0259ti yarad\u0131r. \u201cPath\u201d \u0259mrind\u0259n istifad\u0259 ed\u0259r\u0259k t\u0259cav\u00fczkarlar fidy\u0259 proqram\u0131n\u0131n m\u0259lumat axtarmal\u0131 oldu\u011fu qovlu\u011fu t\u0259yin ed\u0259 bil\u0259rl\u0259r. Fayl a\u011f siyah\u0131dad\u0131rsa, z\u0259r\u0259rli proqram ondan yan ke\u00e7\u0259c\u0259k v\u0259 \u015fifrl\u0259m\u0259y\u0259c\u0259k.<\/p>\n\n\n\n

Qabaqc\u0131l \u015fifr\u0259l\u0259m\u0259 alqoritmi<\/strong>. Fidy\u0259 proqram\u0131 y\u00fcks\u0259k s\u00fcr\u0259t v\u0259 t\u0259hl\u00fck\u0259sizliy\u0259 malik m\u00fcasir ax\u0131n \u015fifr\u0259si olan \u201cChaCha20\u201dd\u0259n istifad\u0259 edir. Onun performans\u0131 \u201cAdvanced Encryption Standard\u201d (AES) \u015fifr\u0259l\u0259m\u0259 alqoritmind\u0259n \u00fcst\u00fcnd\u00fcr.<\/p>\n\n\n\n

T\u0259cav\u00fczkarlar m\u0259lumat o\u011furlu\u011fu bar\u0259d\u0259 ictimaiyy\u0259t\u0259 m\u0259lumat verm\u0259s\u0259l\u0259r d\u0259 v\u0259 ya h\u0259r hans\u0131 t\u0259l\u0259b ir\u0259li s\u00fcrm\u0259s\u0259l\u0259r d\u0259, ekspertl\u0259r h\u0259r hans\u0131 yeni f\u0259aliyy\u0259ti yax\u0131ndan izl\u0259m\u0259y\u0259 davam edirl\u0259r. \u201c\u0130ndiy\u0259 q\u0259d\u0259r biz fidy\u0259 proqram\u0131 il\u0259 h\u00fccum ed\u0259n yeni qruplar\u0131n meydana \u00e7\u0131xd\u0131\u011f\u0131n\u0131 g\u00f6rm\u0259mi\u015fik. Tipik olaraq, t\u0259cav\u00fczkarlar qurbanlardan fidy\u0259 t\u0259l\u0259b etm\u0259k \u00fc\u00e7\u00fcn qaranl\u0131q internetd\u0259 forumlarda v\u0259 ya portallarda m\u0259lumat s\u0131zmas\u0131 haqq\u0131nda m\u0259lumat d\u0259rc edirl\u0259r. Lakin \u201cYmir\u201d m\u0259s\u0259l\u0259sind\u0259 bu h\u0259l\u0259 ba\u015f verm\u0259yib. Buna g\u00f6r\u0259 d\u0259 yeni fidy\u0259 proqram\u0131n\u0131n arxas\u0131nda kimin dayand\u0131\u011f\u0131 sual\u0131 a\u00e7\u0131q qal\u0131r. \u0130nan\u0131r\u0131q ki, bu, yeni kampaniya ola bil\u0259r\u201d, – dey\u0259 Konstantin izah edib.<\/p>\n\n\n\n

Kaspersky-nin h\u0259ll\u0259ri yeni proqram\u0131 \u201cTrojan-Ransom.Win64.Ymir.gen\u201d olaraq a\u015fkar edir. T\u0259f\u0259rr\u00fcatlar \u00fc\u00e7\u00fcn Securelist<\/a> x\u00fclas\u0259sin\u0259 baxa bil\u0259rsiniz.<\/p>\n\n\n\n

Riskl\u0259ri azaltmaq \u00fc\u00e7\u00fcn Kaspersky m\u00fct\u0259x\u0259ssisl\u0259ri t\u00f6vsiy\u0259 edirl\u0259r:<\/p>\n\n\n\n