A Ukrainian malware author who built the PAS Web shell, a PHP-based implant used to execute commands remotely on compromised systems, has turned himself in to Ukrainian authorities and is assisting the Federal Bureau of Investigation's investigation into the apparent Russian hack of the Democratic National Committee. The information provided by "Profexor" to Ukrainian investigators and the FBI reveals, in part, how hackers (apparently coordinated by a Russian intelligence agency) used a combination of purpose-built and community tools as part of what researchers have labeled the threat group "APT 28," also known as "Fancy Bear."
According to a report by The New York Times' Andrew Kramer and Andrew Higgins, "Profexor" has not been charged in Ukraine, as he did not use his remote access tool himself for malicious purposes. He offered a version of the tool for free on his members-only website, but he also developed custom versions and provided training for pay. One of his customers used the tool, in combination with malware linked to Fancy Bear, to establish a backdoor into the DNC's network.
Ukrainian Member of Parliament Anton Gerashchenko, a former advisor to Ukraine's interior minister, told the Times that Profexor's contact with the Russians behind the DNC hack was entirely via online conversations and voice calls. Gerashchenko said that "Profexor" was paid to write a custom version of his tool without knowing what it would be used for.
The PAS Web shell was identified by the Department of Homeland Security and the FBI in the Joint Analysis Report (JAR) issued in December. After his tool was identified in the report, Profexor panicked and shut down his website. Soon afterward, he contacted Ukrainian law enforcement officials. "He told us he didn't create it to be used in the way it was," Serhiy Demediuk, chief of the Ukrainian Cyber Police, told the Times.
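The JAR gave defenders signatures for the PAS shell specifically, but the traits that make a PHP web shell a web shell are generic: it reads attacker-supplied input from the request, often behind a password check, and hands it to something that executes code or commands, frequently through one or more decoding layers. The script below is an added example written for this page, not code from the JAR, from Profexor, or from PAS itself. It triages constructed PHP snippets (the file names, contents and the md5 value in them are made up for the example) for that input-plus-execution pattern; it is a heuristic for finding candidates to review, not a replacement for the published signatures.

```python
"""Heuristic triage of PHP files for web-shell traits (added example, not PAS or JAR code)."""
import re

# Constructed sample files for the example. None of this is PAS source;
# the second and third entries are written to look like a password-gated
# eval shell and a one-line assert shell respectively.
SAMPLES = {
    "index.php": "<?php\nrequire 'config.php';\necho render_page($_GET['id'] ?? 'home');\n",
    "cache/.x.php": (
        "<?php\n"
        # md5('abc123'); a constructed gate value, chosen only for the example
        "if (isset($_POST['p']) && md5($_POST['p']) === 'e99a18c428cb38d5f260853678922e03') {\n"
        "  eval(gzinflate(base64_decode($_POST['c'])));\n"
        "}\n"
    ),
    "uploads/img.php": "<?php @assert($_REQUEST['q']); ?>",
}

# Each indicator is one building block of a shell. A hit on a single one is
# common in legitimate code; the combination is what matters.
INDICATORS = [
    ("dynamic_eval", re.compile(r"\b(eval|assert)\s*\(", re.I)),
    ("layered_decode", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request_input", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I)),
    ("shell_exec", re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
    ("password_gate", re.compile(r"\b(md5|sha1)\s*\(\s*\$_(POST|REQUEST|COOKIE)", re.I)),
]


def indicators_in(src: str) -> list:
    """Return the names of all indicators whose pattern occurs in src."""
    return [name for name, rx in INDICATORS if rx.search(src)]


def classify(src: str) -> tuple:
    """Flag a file as a web-shell candidate when it both takes request input
    and has a way to execute code or commands. Returns (suspicious, hits)."""
    hits = indicators_in(src)
    takes_input = "request_input" in hits
    runs_code = "dynamic_eval" in hits or "shell_exec" in hits
    return takes_input and runs_code, hits


def scan(files: dict) -> dict:
    """Classify every path -> source pair; returns path -> (suspicious, hits)."""
    return {path: classify(src) for path, src in files.items()}


if __name__ == "__main__":
    for path, (suspicious, hits) in scan(SAMPLES).items():
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10s} {path}: {', '.join(hits) or '-'}")
```

The `index.php` sample reads request input but never evaluates it, so it is not flagged; the other two are. Layered decoding and a hash-gated password do not by themselves decide the verdict, but they are reported as hits because they are the details a reviewer wants to see first when deciding whether a flagged file is a shell or just badly written application code.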
The use of outsourced services and malware developed by cybercriminals and other hackers is consistent with other recent campaigns attributed to Russia's GRU and FSB intelligence organizations. Some of the exploits used by "Fancy Bear" were apparently developed by Zorsecurity, a Russian cybersecurity firm under contract to the GRU and FSB. (Zorsecurity was sanctioned under President Barack Obama's December executive order.) Previous campaigns have used a mixture of infrastructure and tools connected to both Russian companies and cybercriminals.