Europol has announced that an international law enforcement crackdown against the use and distribution of the Imminent Monitor Remote Access Trojan (IM-RAT) has resulted in the arrest of 13 cyber criminals and the seizure of a large number of computers and IT equipment.
The crackdown on those behind the use and distribution of IM-RAT began in June this year, and subsequent actions in November took down the covert infrastructure that supported the use and sales of the malicious remote access trojan.
“The investigation, led by the Australian Federal Police (AFP), with international activity coordinated by Europol and Eurojust, resulted in an operation involving numerous judicial and law enforcement agencies in Europe, Colombia, and Australia.
“Coordinated law enforcement activity has now ended the availability of this tool, which was used across 124 countries and sold to more than 14,500 buyers. IM-RAT can no longer be used by those who bought it,” said Europol in a press release.
13 hackers behind Imminent Monitor trojan arrested in under a week
It added that the international crackdown involved law enforcement authorities in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden and the United Kingdom raiding various locations, arresting 13 of the most prolific users of the Imminent Monitor trojan, confiscating over 430 devices, and initiating forensic analysis of a large number of computers and IT equipment.
According to the National Crime Agency, as many as 21 search warrants were executed across the UK, in Greater Manchester, Merseyside, Milton Keynes, Hull, London, Leeds, Walsall, Lancashire, Nottingham, Surrey, Essex and Somerset to find and arrest suspected users of the Imminent Monitor trojan.
The operation began on 25 November and was led by the Australian Federal Police (AFP). The North West Regional Organised Crime Unit (NWROCU) led the UK investigation, with UK activity coordinated and supported by the National Crime Agency (NCA). The operation resulted in nine arrests and the recovery of more than 100 exhibits.
“This has been a complex, challenging cyber investigation with international scope. We have been supported throughout by the AFP, the NCA and our partners in Europol and Eurojust. The UK’s Regional Organised Crime Unit (ROCU) network and Force Specialist Cyber Crime Units were pivotal during this phase of enforcement activity,” said Detective Inspector Andy Milligan from the NWROCU.
“The illicit use of IM RAT is akin to a cyber burglary, with criminals stealing data, including images and movies, secretly turning on web cams, monitoring key strokes and listening in to people’s conversations via computer microphones,” he added.
IM-RAT trojan recorded keystrokes, stole passwords, & disabled anti-malware software
Phil Larratt from the NCA’s National Cyber Crime Unit said that the Imminent Monitor trojan was available to purchase for as little as US$25 and its users were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data.
“The IM RAT was used by individuals and organised crime groups in the UK to commit a range of offences beyond just the Computer Misuse Act, including fraud, theft and voyeurism. As part of Team Cyber UK, the NCA works with a wide range of law enforcement, government and private sector partners to effectively disrupt and deter this type of criminal activity,” he added.
According to Europol, the Imminent Monitor Remote Access Trojan (IM-RAT) allowed cyber criminals to disable anti-virus and anti-malware software installed on victims’ machines and to carry out commands such as recording keystrokes, stealing data and passwords, and watching the victims via their webcams.
“We now live in a world where, for just US$25, a cybercriminal halfway across the world can, with just a click of the mouse, access your personal details or photographs of loved ones or even spy on you. The global law enforcement cooperation we have seen in this case is integral to tackling criminal groups who develop such tools,” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).
“Whilst it’s good to see law enforcement agencies taking down RAT-selling and -using criminals, the pathways and services that RATs exploit remain open and hard to monitor for many organisations. Signatures exist for the most common RATs, but skilled attackers can easily customize their own RATs or build their own using common remote desktop tools such as RDP,” says Matt Walmsley, EMEA Director at Vectra.
“This is held up by some recent analysis we made on live enterprise networks that found that 90% of surveyed organisations exhibit a form of malicious RDP behaviours. This type of behavioural detection approach, instead of trying to perfectly fingerprint each RAT’s signature, can be achieved with machine learning models designed to identify the unique behaviours of RATs.
“By analysing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behaviour without prior knowledge of the attack, or individual RAT’s code,” he adds.