Law enforcement agencies from all over the world announced today they took down the infrastructure of the Imminent Monitor remote access trojan (IM-RAT), a hacking tool that has been on sale online for the past six years.
According to a press release from Europol, the operation had two stages. The first occurred in June 2019, when Australian and Belgian police forces searched the homes of the IM-RAT author and one of his employees.
The second stage took place earlier this week, when authorities took down the IM-RAT website and its backend servers, and arrested the malware's author and 13 of the tool's most prolific users.
Europol reported arrests in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.
Authorities also served search warrants at 85 locations and seized 430 devices they believed were used to spread the malware.
The UK National Crime Agency (NCA) took credit for a good chunk of the bounty, with 21 search warrants, nine arrests, and more than 100 seized devices.
The story of Imminent Monitor RAT
The Imminent Monitor RAT was created back in 2013 by a malware author going by the name of Shockwave.
Just like most shady RAT operations, the tool was promoted as a legitimate "remote management tool" meant for system administrators, yet it was advertised on hacking forums exclusively for a particular niche of buyers -- namely, cyber-criminals.
The tool was not that popular in its early years, but as authorities arrested and took down other RATs (LuminosityLink, NanoCore, BlackShades, Orcus), new users flocked to IM-RAT over the past two years.
For example, in June 2018, Fortinet detected a spike in IM-RAT usage when it spotted a campaign targeting Russian businesses.
At the technical level, IM-RAT's features were on par with those offered in other RATs, and it provided access to stuff like:
Controlling a remote desktop "with hyper fast speeds exceeding 50 FPS"