The developers behind a commodity remote-access tool (RAT) that allows full control of a victim’s computer has been taken down by Australian and global authorities.
The Imminent Monitor RAT (IM-RAT) first appeared in 2012, the work of a developer going by the handle of “Shockwave,” according to researchers at Palo Alto Networks’ Unit 42 division. The RAT was sold via a company calling itself “Imminent Methods.”
Advertised as “the fastest remote administration tool ever created using new socket technology that has never been used before,” Unit 42 said that IM-RAT offered full remote-desktop access. That included the ability to access files, processes, Windows manager, Window Registry and the clipboard and the ability to run commands from the command bar. It was licensed to each customer for a $25 fee.
Shockwave claimed that the RAT was a legitimate remote-desktop utility, but Unit 42 researchers pointed out that some of its features directly contradicted that assertion. For instance, one of the RAT’s plugins allows users to turn the webcam light off while monitoring. Another version (3.0) of Imminent Monitor introduced the ability to run a cryptocurrency miner on the victim machine. Also, the keylogger keeps its activities hidden from the desktop owner and encrypted.
“A crypter, allowing a ‘Fully UnDetectable’ (FUD) client, only has one purpose: To attempt to evade antivirus detection,” according to Unit 42’s analysis, posted Monday.
Still, “we at Imminent Methods are not responsible for the nature in which you use our services,” a disclaimer for the RAT read. “The services sold on this website are for personal, not distributed, use and should only be used on your own machines or the machines of those who have given you expressed consent for remote management.”
In its investigation, Unit 42 uncovered several clues that tied Shockwave to Australia. Infrastructure research showed a definite preference for Australian hosting providers. The Twitter account, called “imminentmethods”, includes a location of Queensland, Australia and the imminentmethods[.]net “Contact us” page had an Australian phone number and time zone, and a New South Wales, Australia address which comes back to a small-business services address.
Accordingly, the takedown action was a result of an international law enforcement operation led by the Australian Federal Police (AFP). However, Europol, the FBI, Canada’s telecom regulator, and judicial and law enforcement agencies in Europe, Colombia and Australia all contributed to the effort.
Europol announced that search warrants were executed in Australia and Belgium in June 2019 against the developer and one employee of IM-RAT.
“Subsequently, an international week of actions was carried out this November, resulting in the takedown of the Imminent Monitor infrastructure and the arrest at this stage of 13 of the most prolific users of this Remote Access Trojan (RAT),” the agency said. “Over 430 devices were seized and forensic analysis of the large number of computers and IT equipment seized continues.”
IM-RAT has been widely distributed. Palo Alto Networks has collected more than 65,000 samples and has seen more than 115,000 attacks against its customers alone. However, the Australian investigation targeted not only the developers behind the RAT, but also the customers that use the software, by disabling the licensing and therefore access to the malicious code. Disturbingly, out of 14,500 customers, the AFP’s investigation noted a significant number of Australian users with domestic violence-related restraining orders against them.
“With the successful execution of the AFP’s operation, licensed Imminent Monitor builders will no longer be able to produce new client malware nor can the controllers access their victims,” Palo Alto noted. “Although cracked versions already exist and will continue to circulate, they can’t benefit from bug fixes, feature enhancements, support or efforts to improve their undetectability. Ironically, these versions often carry malicious payloads, acting as infection vectors to the criminals who would use them, themselves.”