Imminent Monitor Remote Access Trojan infected users from all around the world and was sold to more than 14,500 buyers
Europol, along with Eurojust, published a press release about a large-scale operation that resulted in the shutdown of a widespread cybercriminal group behind the Remote Access Trojan Imminent Monitor. Local police raided Australian and Belgian residents' apartments and arrested 13 individuals (as well as the malware's developer from Australia) who were involved in the malware's development and distribution.
The operation was led by the Australian Federal Police along with forces from the FBI, Eurojust (The European Union's Judicial Cooperation Unit), Europol, UK's NCA, as well as police divisions from Sweden, France, Colombia, and other countries.
Imminent Monitor RAT (otherwise known as IM-RAT) is a remote access tool that allowed the attackers to record keystrokes, launch malicious executables, proliferate other malware, record video, harvest login details and take complete control over the infected machine. The malware (initially known as Shockwave) was used for the past six years in various cyber-espionage campaigns against organizations in Russia and other countries and was propagated via spear-phishing attacks.
As a result of the massive operation, the website that was used to sell IM-RAT (imminentmethods.net) was shut down, consequently preventing its further use. Imminent Monitor RAT was sold around the world to approximately 14,500 individuals and managed to infect thousands of victims from 124 countries.
IM-RAT was initially used as a legitimate administration framework
While Imminent Monitor was marketed as a legitimate remote administration tool and could be purchased for commercial use, bad actors quickly adapted it for their own purposes. Since then, law enforcement agencies around the globe have worked to track down the culprits behind the Imminent Monitor malware operation.
The operation began in June 2019 when the police raided the houses of the RAT's developer located in Australia, as well as another affiliate from Belgium, which resulted in a complete takedown of the operation in November:
Search warrants were executed in Australia and Belgium in June 2019 against the developer and one employee of IM-RAT. Subsequently, an international week of actions was carried out this November, resulting in the takedown of the Imminent Monitor infrastructure and the arrest at this stage of 13 of the most prolific users of this Remote Access Trojan (RAT).
Eurojust-Europol indicated that, during the course of the investigation, more than 430 devices were seized and analyzed forensically. Other arrests occurred in Sweden, Spain, Poland, the Czech Republic, Colombia, Australia, the Netherlands, and the UK.
Another Europol victory against cybercriminals
Remote Access Trojan malware is fairly common and is often operated by a large group of people. Although the developers of Imminent Monitor were selling the software for allegedly legitimate purposes (for merely $25), it was also widely advertised to cybercriminals on underground hacking forums.
Initially, IM-RAT did not do that well after its release in 2013, but it gained popularity in recent years among cybercriminals due to the shutdown of other successful RATs, such as NanoCore, Orcus, and others. According to Eurojust-Europol, the number of victims around the world reaches tens of thousands of users, with plenty of evidence of stolen material such as photos, videos, passwords, personal information, and other data.
Nevertheless, thanks to Europol and the combined law enforcement forces, IM-RAT is another threat that can now be considered a thing of the past, just like GozNym ransomware or xDedic website. Head of Europol, Steven Wilson, said that global cooperation of law enforcement is necessary in order to stop threats like Imminent Monitor.
Users and business owners are urged to ensure the security of their devices by employing comprehensive security software, patching systems consistently, using a firewall, creating strong passwords, and avoiding spam email attachments or hyperlinks.