International Operation Dismantles Spyware Organization

Operation and Arrests

An international operation led by the Australian Federal Police (AFP) took down the Imminent Monitor web page and shut down the sale of the now-defunct Imminent Monitor Remote Access Trojan (IM-RAT). The takedown operation resulted in the arrest of 13 of the ‘most prolific’ users of the Remote Access Trojan (RAT) tool.
According to the announcement the Australian Federal Police’s Cybercrime Investigations team initiated the investigation in 2017 after receiving a referral from the FBI and Palo Alto Networks’ threat intelligence team Unit 42. Unit 42 reportedly discovered that IM-RAT which was sold for as low as $25 was used in more than 115,000 unique attacks against Palo Alto Networks clients. The Unit also acquired evidence that tied the developer of the RAT software to Australia.
In the course of the investigation law enforcement agencies established that IM-RAT was being distributed and used across 124 countries and that it may have been sold to more than 14,500 buyers.

In June 2019 cops executed search warrants in Australia and Belgium against the developer and one employee of IM-RAT. On November 25, 2019, law enforcement agencies started an international week of action. In the course of the week of action, 85 warrants were executed internationally. The searches resulted in the seizure of 434 electronic devices that included laptops, phones, and servers. The searches also led to the arrest of 13 suspects 9 of which were arrested in the UK. The week of action was culminated by the takedown of the imminentmethods.net website and the shutdown of the IM-RAT software.
IM-RAT was being sold by a developer who used the alias ‘Shockwave’ since April 2013. Shockwave claimed IM-RAT was “the fastest remote administration tool ever created using new socket technology that has never been used before.” Like other RAT developers, Shockwave made sure he distanced himself from the illicit use of IM-RAT by among other things claiming he made the tools for educational purposes only.
“Remember that our tools are made for educational purpose, so we do not take any responsibility for any damage caused by any of or tools or services. Misuse of our tools or services can be very illegal. Certain misuse could cause possible jail time or fines, which differ depending on your local laws,” a section of Shockwave’s disclaimer said.

Imminent Monitor Homepage

The “Startup” package costs $25 and is advertised as “perfect for managing a small workplace or home environments.” Customers could purchase a license through the site with Bitcoin in addition to the usual payment methods.
Law enforcement agree that the RAT tools can be used both legally and illegally. “While not all uses of IM-RAT are illegal and owning a license is not a criminal offense, the malware can be used for illegal purposes, such as gaining remote users’ complete access to a potential victim’s computer. Essentially giving the purchaser access to movement, location, online and offline activity,” the announcement said.

AFP Spokesperson Acting Commander Cybercrime Operations Chris Goldsmid said, “the offenses enabled by IM-RAT are often a precursor to more insidious forms of data theft and victim manipulation, which can have far-reaching privacy and safety consequences for those affected. These are real crimes with real victims.”
The takedown announcement did not disclose the identity of the suspects in custody. The operation is ongoing.
About Imminent Monitor

In a post on the company’s now-defunct website, the creators described the spyware as a legitimate business tool.
Imminent Monitor is an advanced System Remote Administration Tool designed for Windows based operating systems, focused on providing a fast, secure and stable replacement for competing products at a significantly lower price.

Imminent Monitor can be used to:

Fully administer Windows servers remotely

Provide remote support to clients, friends or colleagues

Connect to your home computer while you are away

Monitor employee’s work machines

Connect to your work computer while you are away

Imminent Monitor has been programmed from the ground up by our highly experienced developer with 9+ years of programming experience, over the years Imminent Monitor has received 60+ major free software updates.


Some researchers described it was fairly basic.
One wrote, in an analysis on his personal blog:
The task manager disabler functionality that Imminent provides is also quite bad. It simply executes the task manager and makes it invisible. Not exactly to rootkit standards, but I guess does the trick to the average joe?
It had an extensive list of functions though. Some of them were listed on another page on the Imminent Monitor homepage.Administration

---

File Explorer

Clean interface

Lists all drives

Ability to search files & folders

Shortcuts to popular directories

Execute files & folders

Delete files & folders

Rename files & folders

Create new folders

Set wallpaper

View list of images in directory in a gallery

Upload files

Download any file size, at fast speeds

---

Remote Desktop

Ability to stream at 60fps thanks to our motion detection algorithm

Multi-monitor support

Fullscreen support

Ability to control mouse movement, clicks & keyboard

FPS limit & bandwidth control sliders

---

Statistics

View CPU & RAM usage in the past 24 hours

View upload & download speeds in the past 24 hours

Ability to delete & refresh logs

---

Gathering Computer Specifications

Displays the following:

Client Identifier

Unique Identifier

Public IP Address

Private IP Address

MAC Address

Operating System

Computer Name

Computer Username

System Privileges

Installed Screens

Processor

Graphics Card

Ram

Ram Usage

Battery Usage

Last Reboot

Installed Anti-Virus

Firewall Status

---

Europol offered an infographic on Remote Access Trojans as well as a “how to avoid getting infected guide.”