CIO

Australians caught up in global IM-RAT takedown

Search warrants were executed in Australia and Belgium against the developer of the Trojan, along with one employee

An Australian-led operation targeting hackers allegedly using the Imminent Monitor Remote Access Trojan (IM-RAT) has resulted in the takedown of the Imminent Monitor web page, from which the remote access tool had been distributed. 

The investigation, led by the Australian Federal Police’s (AFP) Cybercrime Investigations teams, with international support coordinated by Europol, resulted in an operation involving several judicial and law enforcement agencies in Europe, Colombia and Australia.

According to Europol, the Remote Access Trojan (RAT), once installed undetected, had given cybercriminals free rein to victims’ systems. Using the tool, hackers were able to disable anti-virus and anti-malware software, carry out commands, steal data and passwords and watch the victims via their webcams. 

According to the AFP, while not all uses of IM-RAT are illegal, and owning a licence is not a criminal offence, the malware can be used for a variety of illegal purposes, such as giving a remote user complete access to a potential victim’s computer.

However, the RAT had long been considered a dangerous threat by law enforcement agencies, due to its features, ease of use and low cost. Indeed, anyone wanting to spy on victims or steal personal data could do so for as little as US$25.

“We now live in a world where, for just US$25, a cyber criminal halfway across the world can, with just a click of the mouse, access your personal details or photographs of loved ones or even spy on you,” head of the European Cybercrime Centre, Steven Wilson, said.

The investigation into the distribution and use of the IM-RAT tool began in 2017, following a referral from the Federal Bureau of Investigation (FBI) and the threat intelligence team Unit 42 at Palo Alto Networks.

Search warrants were executed in Australia and Belgium in June 2019 against the developer of the RAT, along with one employee. 

Subsequently, an international week of action was carried out in November, resulting in the takedown of the Imminent Monitor infrastructure and the arrest of 13 of the most prolific users of the RAT.

Actions were undertaken as part of the operation in Australia, Colombia, the Czech Republic, the Netherlands, Poland, Spain, Sweden and the United Kingdom.

As a result of the action, over 430 devices were seized, and forensic analysis of the large number of computers and IT equipment seized continues.

While the website from which the RAT was distributed has been taken down, the global investigation continues, with Australia working closely with its partners, the Belgium Police, New Zealand Police, National Police Corps of the Netherlands, the United Kingdom’s National Crime Agency, the North West Regional Crime Unit and the FBI.

In Australia, a number of the IM-RAT purchasers are known to be respondents to domestic violence orders, according to the AFP. Mobile service centres have also been targeted by IM-RAT users.

“The offences enabled by IM-RAT are often a precursor to more insidious forms of data theft and victim manipulation, which can have far-reaching privacy and safety consequences for those affected. These are real crimes with real victims,” AFP spokesperson, acting commander, cybercrime operations, Chris Goldsmid said.