Authorities take down 'Imminent Monitor' RAT malware operation

Europol reports 14 arrests across eight countries, including the RAT's creator, in Australia.


Law enforcement agencies from all over the world announced today they took down the infrastructure of the Imminent Monitor remote access trojan (IM-RAT), a hacking tool that has been on sale online for the past six years.

According to a press release from Europol, the operation had two stages. The first occurred in June 2019, when Australian and Belgian police forces searched the homes of the IM-RAT author and one of his employees.

The second stage took place earlier this week, when authorities took down the IM-RAT website, its backend servers, and arrested the malware's author and 13 of the tool's most prolific users.

Europol reported arrests in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.

Authorities also served search warrants at 85 locations and seized 430 devices they believed were used to spread the malware.

The UK National Crime Agency (NCA) took credit for a good chunk of the bounty, with 21 search warrants, nine arrests, and more than 100 seized devices.

The story of Imminent Monitor RAT

The Imminent Monitor RAT was created back in 2013 by a malware author going by the name of Shockwave.

It was one of the many RATs developed in the past two decades.

[Figure: timeline of remote access trojans. Image: Veronica Valeros]

Just like most shady RAT operations, the tool was promoted as a legitimate "remote management tool" meant for system administrators, yet it was advertised on hacking forums exclusively to a particular niche of buyers -- namely, cyber-criminals.

The tool was not that popular in its early years, but as authorities arrested and took down other RATs (LuminosityLink, NanoCore, BlackShades, Orcus), new users flocked to IM-RAT over the past two years.


For example, in June 2018, Fortinet observed a spike in IM-RAT usage when it detected a campaign targeting Russian businesses.

At the technical level, IM-RAT was on par with the features offered in other RATs, and provided access to stuff like:

The IM-RAT was advertised in places like HackForums and was distributed and sold via the now-seized imminentmethods.net website, for only $25.

Europol said the tool had more than 14,500 buyers across 124 countries and had been used to infect tens of thousands of victims.

Once Europol started serving search warrants, seizing devices, and making arrests, the operation didn't go unnoticed, and several of the RAT's users warned the hacking community of the ongoing raid.
