RAT trap

Researchers at Palo Alto Networks have revealed how they helped international law enforcement uncover the operation behind Imminent Monitor, a remote access trojan (RAT).

The cybercrime utility was on sale for around seven years from 2012 until a recent Australian Federal Police-led operation.

Coordinated law enforcement action curtailed the availability of the tool, which was used across 124 countries and sold to more than 14,500 buyers.

Issued search warrants in Australia and Belgium in June led to the arrest of the alleged developer and an accomplice. 

Follow up actions late last month resulted in the takedown of the Imminent Monitor infrastructure, and the arrest of 13 allegedly prolific users of the trojan, which sold for as little as $25. No names have been released as of yet.

The takedown of the RAT and arrest of suspected users resulted in police action in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom. European policing organization Europol played a co-ordinating role.

The Imminent Monitor trojan allowed miscreants to snoop on compromised machines. Users were able to record keystrokes, steal data and passwords, and watch the victims via their webcams, among other exploits.

Investigators recovered evidence of stolen personal details, passwords, private photographs, video footage, and more.

Palo Alto reports that Imminent Monitor has been seen in more than 115,000 unique attacks against its customers since 2012.

This nefarious activity began when a developer who used the handle "Shockwave" switched from selling a DDoS (distributed denial-of-service) "stressor" tool to concentrate on developing the Imminent Monitor RAT.

The cybercrook boasted at the time that it was “the fastest remote administration tool ever created using new socket technology that has never been used before.”

In 2014, Imminent Monitor started supporting third-party plugins, the first of which gave the ability to turn the webcam light off while monitoring, Palo Alto said.

The RAT bundled features to hide and encrypt its logs and a cryptic to skirt antivirus detection, technologies unnecessary for legitimate tools. Later versions include “protection” to help avoid detection/removal.

Despite bundling features restricted to malware the most recent sales page for Imminent Monitor continued to profess legitimacy despite features to hide the presence of the trojan on installed systems, Palo Alto notes.

More recent versions offered a non-interactive remote desktop connection, hidden from the victim, and a cryptocurrency miner.

Forum profiles for Shockwave and Imminentmethods included a common profile photo, a panda-headed business-suited avatar.

In a blog post Palo Alto details various elements of circumstantial evidence that suggest the perpetrator was an Australian resident.

Elements of this include a preference for Australian hosting and social media account registrations, among other factors.

PayPal merchant records and use of a unique handle allowed Palo Alto researchers to identify a particular Australian business as of interest in the investigation.

Unit 42, Palo Alto’s threat intelligence team, referred the suspected identity and activity of Shockwave to the Australian Federal Police (AFP) cybercrime operations teams.

In a statement, Australian police credit a referral from Unit 42 as kick starting their investigation into the Imminent Monitor RAT that began two years ago in 2017.


YOU MIGHT ALSO LIKE OpSec errors provide glimpse into the world of botnet operations