New Info Reveals ‘Profexer’ was active on Dark Web since 2011

A recent New York Times article reports that a Ukrainian hacker nicknamed ‘Profexer’ reportedly turned himself in to the FBI for assisting the Russian-run campaign to sway the 2016 US elections, dubbed “Grizzly Steppe”.

The alleged campaign included hacking the DNC and leaking its data online, thus damaging the Democratic Party’s image, as well as Hillary Clinton’s.

A quick check on the closed dark web forums serving the Russian underground shows that Profexer has been active online for a long time, posting since at least 2011. The actor is mainly known for developing a PHP web-shell tool called PAS, which he uploaded to his own site:

Once uploaded to a remote server, the web-shell provides an attacker with the following features:

- File manager:

  • Delete / move / rename / copy / create / jump files and folders;
  • Downloading files;
  • Viewing and editing files;
  • Sort the list of files;

- Execution of commands;

- MySQL Manager:

  • View a list of databases and tables;
  • Correct view of table contents;
  • Dump / clean / delete databases and tables (any size);
  • Executing queries with results displayed;

- Information about the server:

  • PHPInfo;
  • Apache settings;
  • hosts (win);
  • sam (win);

- View and attempt to complete processes;

- Utilities:

  • FTP checker;
  • FTP router (dictionary / rough, saving / sending results to SOAP);
  • MySQL router (dictionary / rough, saving / sending results to SOAP);
  • Send mail.

According to US-issued reports on Grizzly Steppe, this specific tool was utilized during the campaign.

The report not only sheds light on the Russian involvement in the U.S. election, but also on how state-sponsored actors in general may interact with the vast online cyber-crime community.

State-sponsored actors are known for their high-level capabilities and discreet activity, which is a given as state-run cyber-campaigns often revolve around sensitive and strategic national goals. The covert nature of state-related cyber-operations would imply that state actors do not engage with the dark web cybercrime community, in order to avoid detection and attribution.

That said, the revelation on Profexer helps prove that to some extent, state-sponsored actors interact with the dark web and most certainly utilize the various tools and methods it has to offer.

While Chinese APTs (Advanced Persistent Threats) are commonly attributed to official PLA units, Russian APTs are said by researchers to be “outsourced”. Instead of Moscow utilizing the capabilities of Russia’s most brilliant minds in a formal government organization, it is said that the Kremlin often uses the services of private civilian hackers, in exchange for compensation or turning a blind eye to their malicious activity.

Moreover, in many previous instances, APT attackers preferred using commonly known tools for their campaigns. A good example is the use of Poison Ivy, a publicly available RAT (remote access tool), by Chinese and Middle Eastern APTs. That way, even when detected, the actors would be able to avoid direct attribution.

Another famous example: In July 2015, Hacking Team, a company providing various states with hacking tools, was itself hacked. The resulting leaks shed light on how methods and tools are acquired by state actors: the Italian company had purchased zero-day vulnerabilities from hackers on the underground black market. These previously undisclosed vulnerabilities (which cost up to $500,000 on the Dark Web) could enable an attacker to penetrate even the most sensitive of systems.

The following is an ad on the Russian underground by a user who offers to buy zero-day vulnerabilities. The user’s promise of a 500K USD budget is actually backed by his BTC account records, which show that the actor does have that sum of money in BTC (366 BTC, 1.5 Million USD).

Profexer’s public BTC account is 1PASv4cHGXym7nsi6mPtjgkniMCJnrUkhp. Through that account, the actor received donations for his PAS project. The address collected around 3 BTC (13K USD) over the actor’s several years of activity. On December 26, 2016, the address transferred 1 BTC to another address, 15wUz7cFQ3JrdRunNDBFHwEqcDMDo9MFxN, which on the same day received an overall sum of about 27 BTC (around 117K USD). It is possible that this address is also used by the actor.
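The wallet analysis above (lifetime receipts of the donation address, the outgoing transfer, and the destination's same-day inflow) is the kind of funds-flow tracing an analyst repeats for any actor address. The following is an added example, not code from the original post or from IntSights: it runs that reasoning over a constructed ledger whose transaction ids, donors, dates and amounts are hypothetical, with only the two addresses taken from the post.

```python
from datetime import date

PAS_ADDR = "1PASv4cHGXym7nsi6mPtjgkniMCJnrUkhp"   # donation address named in the post
NEXT_ADDR = "15wUz7cFQ3JrdRunNDBFHwEqcDMDo9MFxN"  # destination address named in the post

# Constructed ledger (hypothetical transactions; txids, donors, dates and amounts are
# illustrative). Each entry: (txid, date, sender, receiver, amount_btc)
LEDGER = [
    ("tx-c001", date(2013, 4, 2),   "donor-A", PAS_ADDR, 0.5),
    ("tx-c002", date(2014, 9, 17),  "donor-B", PAS_ADDR, 1.2),
    ("tx-c003", date(2016, 1, 8),   "donor-C", PAS_ADDR, 1.3),
    ("tx-c004", date(2016, 12, 26), PAS_ADDR,  NEXT_ADDR, 1.0),   # the 1 BTC transfer
    ("tx-c005", date(2016, 12, 26), "wallet-X", NEXT_ADDR, 10.0),
    ("tx-c006", date(2016, 12, 26), "wallet-Y", NEXT_ADDR, 16.0),
    ("tx-c007", date(2017, 1, 3),   "wallet-Z", NEXT_ADDR, 4.0),  # different day: not counted
    ("tx-c008", date(2016, 12, 26), "wallet-X", "unrelated-addr", 2.0),
]


def total_received(ledger, addr):
    """Lifetime BTC received by an address (the '~3 BTC of donations' figure)."""
    return round(sum(amt for _, _, _, to, amt in ledger if to == addr), 8)


def outgoing(ledger, addr):
    """Transfers sent from an address, as (date, destination, amount) tuples."""
    return [(d, to, amt) for _, d, frm, to, amt in ledger if frm == addr]


def inflow_on(ledger, addr, day, exclude_from=None):
    """BTC received by `addr` on one day, optionally ignoring one sender."""
    return round(sum(amt for _, d, frm, to, amt in ledger
                     if to == addr and d == day and frm != exclude_from), 8)


def trace(ledger, addr):
    """For each address `addr` paid, report how much else it received the same day.
    A large same-day inflow is only a weak hint of common control (the post itself
    says 'it is possible'); treat it as a lead for clustering, not as attribution."""
    leads = []
    for d, to, amt in outgoing(ledger, addr):
        other = inflow_on(ledger, to, d, exclude_from=addr)
        leads.append({"date": d, "to": to, "sent": amt,
                      "other_same_day_inflow": other, "same_day_total": round(other + amt, 8)})
    return leads


if __name__ == "__main__":
    print("donations received:", total_received(LEDGER, PAS_ADDR))
    for lead in trace(LEDGER, PAS_ADDR):
        print(lead)
```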
