Law Enforcement Shuts Down Imminent Monitor Malware, Makes Arrests


Law enforcement agencies from numerous countries have shut down the Imminent Monitor Remote Access Trojan (RAT) and have arrested thirteen of its most prolific users.

In an operation led by the Australian Federal Police (AFP) and other law enforcement agencies, the site for Imminent Monitor was seized and users who used the software to illegally take over computers were arrested.

"Search warrants were executed in Australia and Belgium in June 2019 against the developer and one employee of IM-RAT. Subsequently, an international week of actions was carried out this November, resulting in the takedown of the Imminent Monitor infrastructure and the arrest at this stage of 13 of the most prolific users of this Remote Access Trojan (RAT). Over 430 devices were seized and forensic analysis of the large number of computers and IT equipment seized continues," Europol stated in a press release.

As part of this operation, over 430 devices and the software's website imminentmethods.net were seized.

https://www.bleepstatic.com/images/news/malware/i/imminent-rat/site-takedown-notice.jpg
Imminentmethods.net site seized

It is not known if the developer of Imminent Monitor RAT was arrested.

Shady RAT

For those not familiar with Remote Access Trojans, or RATs, they are malware programs that, when installed on a victim's device, allow an attacker to gain full access to the computer. This includes executing any command, taking screenshots, uploading and downloading files, and using the device's webcam to record video.

Many RATs, such as Imminent Monitor, are marketed as legal remote administration tools in order to avoid scrutiny by law enforcement, but are widely known to be used by attackers as part of malware campaigns.

https://www.bleepstatic.com/images/news/malware/i/imminent-rat/imminent-monitor.jpg
Imminent Monitor

For example, Imminent Monitor (IM-RAT) had been sold since 2013 by a developer using the alias Shockwave on the www.imminentmethods.net website. Users could purchase it for as little as $25, which included support for configuring the software and using it.

https://www.bleepstatic.com/images/news/malware/i/imminent-rat/imminent-monitor-purchase.jpg
Imminent Monitor Purchase options

The compiled software also included messages asking users who discovered it being used maliciously to contact the developer.

Please-contact-abuse@imminentmethods.net-with-the-hardware-id-if-this-assembly-was-found-being-used-maliciously
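
The embedded message doubles as a static indicator for triage. The scanner below is an added example, not code from the article or from the Imminent Monitor developer; it searches a binary stream for the string quoted above and assumes, since the article does not say how the string is stored, that it may appear either as single-byte text or as UTF-16LE. The sample bytes are constructed.

```python
import io

# Marker string quoted in the article; everything else here is illustrative.
MARKER = ("Please-contact-abuse@imminentmethods.net-with-the-hardware-id-"
          "if-this-assembly-was-found-being-used-maliciously")

# Assumption: the storage encoding is not given in the article, so look for
# both a single-byte form and the UTF-16LE form used for .NET string literals.
PATTERNS = {
    "ascii": MARKER.encode("ascii"),
    "utf-16le": MARKER.encode("utf-16-le"),
}


def scan_stream(stream, chunk_size=64 * 1024):
    """Return sorted (offset, encoding) hits for the marker in a binary stream."""
    overlap = max(len(p) for p in PATTERNS.values()) - 1
    hits = set()
    tail = b""
    base = 0  # absolute offset of the first byte of `tail`
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        for name, pattern in PATTERNS.items():
            pos = window.find(pattern)
            while pos != -1:
                hits.add((base + pos, name))
                pos = window.find(pattern, pos + 1)
        # Keep enough trailing bytes to catch a marker split across chunks.
        keep = min(overlap, len(window))
        base += len(window) - keep
        tail = window[-keep:]
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as handle:
        return scan_stream(handle)


def constructed_sample():
    # Constructed bytes, not a real sample: padding around each encoded form.
    return (b"MZ" + b"\x00" * 98 + PATTERNS["ascii"]
            + b"\x90" * 50 + PATTERNS["utf-16le"] + b"\x00" * 10)


if __name__ == "__main__":
    for offset, encoding in scan_stream(io.BytesIO(constructed_sample())):
        print(f"marker at offset {offset} ({encoding})")
```

A hit only shows that the file carries this string; packed or modified builds may not contain it in readable form.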

While the developer marketed it as a legitimate tool, it was also commonly discussed on malware and hacker forums such as HackForums, where Shockwave was a member and users looked for support in setting it up.

https://www.bleepstatic.com/images/news/malware/i/imminent-rat/hf-support-2.jpg
Users looking for IM-RAT support

With the number of reports of this tool being used for malware and the discussion on illegal forums, it would be very hard for the developer to argue that he did not know how the software was being used.

Hackers suspected Imminent Monitor raid

While authorities stated that they performed searches of the Imminent Monitor developer in June, users of the software suspected that something was up for some time before that.

In April 2019, a user posted to HackForums about concerns regarding Shockwave being missing and that a raid may have been conducted regarding IM-RAT.

"Some of you are saying he is just "exit scamming" but this is not the case, I have known Shockwave for a while and he has no motive to run away with a few $25 especially when he's made hundreds of thousands from selling the rat known as Imminent Monitor with a user base of over 30 Thousand (2018, may now be well over 45k users)."

The user goes on to speculate the possible reasons why he is no longer active at HackForums.

"Here are the possibilities of what may have happened (Possibility % is 90% to 99%)

1) He's been arrested and has been forced to not use any electronic devices and all his personal assets such as HF account and Site have been taken.

2) He has been caught and attempting to flee and in doing so he decided to close his threads and website to prevent any more information from leading to him

3) There is no other reason why he would abruptly decide to leave HF without any warning"

An update posted later that month states that Shockwave was raided and equipment seized by "feds".

"EXTrA EDIT: Bart Allen (The inspiration for this thread, I copied his whole format) confirms that ALSO shockwave (creator of IM5) was raided.
Let me just say a few things
I know where he lives; he told me a year and a half ago in case anything were to happen. He was contacted by feds in June of 2018 to stop all sales and give financial info to the feds. He refused and had his legal team help him for a while, but now they have confiscated everything he owns, but he still logs in to HF sometimes to keep his account from being purged"