Law enforcement agencies from all over the world announced that they took down the infrastructure of the Imminent Monitor remote access trojan (IM-RAT), a hacking tool that has been on sale online for the past six years.
Europol stated in a press release that the operations were carried out in two stages. The first occurred in June 2019, when Australian and Belgian police forces searched the homes of the IM-RAT author and one of his employees.
In the second stage, which took place this week, the authorities took down the IM-RAT website and its backend servers, and arrested the malware’s author and 13 of the tool’s most creative users.
The arrests were made in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.
Authorities served search warrants at 85 locations and seized 430 devices, which were believed to have been used for spreading the malware.
The UK National Crime Agency (NCA) got the most credit with 21 search warrants, nine arrests, and over 100 seized devices.
Imminent Monitor Remote Access Trojan
The Imminent Monitor RAT was created in 2013 by a malware author who goes by the name Shockwave. It was one of the many RATs developed in the past two decades.
Like all shady RAT operations, the tool was promoted as a legitimate remote management tool for system administrators. But it was also advertised on hacking forums, mainly to buyers such as cyber-criminals.
In the early years the tool wasn’t very popular, but as authorities made arrests and took down other RATs (LuminosityLink, NanoCore, BlackShades, Orcus), new users moved to IM-RAT over the past two years.
At the technical level, IM-RAT had features similar to those offered in other RATs, including:
- Controlling a remote desktop “with hyper fast speeds exceeding 50 FPS”
- Controlling remote webcams “with speeds exceeding 60 FPS”
- A live keylogging feature
- Listening in on real-time conversations via a computer’s microphone
- The ability to use infected devices as proxies and hide the hacker’s malicious actions against other targets
- Dumping and stealing passwords from a wide range of apps
IM-RAT was advertised on HackForums and was distributed and sold through the now-seized imminentmethods.net website, for as low as $25.
According to Europol, the tool had more than 14,500 buyers across 124 countries and was used to infect tens of thousands of victims.
When Europol started issuing search warrants, seizing devices, and making arrests, many of the RAT’s users warned the hacking community of the ongoing raid.