A website (and its supporting infrastructure) which sold a variety of hacking tools to other would-be cybercriminals has been closed down after an investigation by agencies from multiple countries including the UK’s National Crime Agency (NCA).
The main tool that the agencies were particularly interested in eradicating was the Imminent Monitor Remote Access Trojan (IM-RAT) which is a hacking tool, of Australian origin, which has been on sale for 6 years and was available for sale via the Imminent Monitor website.
According to Europol, once installed on a victim’s computer the IM-RAT malware, which could be purchased for as little as $25, allowed cybercriminals to secretly “disable anti-virus and anti-malware software, carry out commands such as recording keystrokes, steal data and passwords and watch the victims via their webcams”.
Big International Operation
The investigation and the operation to shut down the sale of IM-RAT was led by the Australian Federal Police (AFP) and involved judicial and law enforcement agencies in Europe, Colombia and Australia, and was coordinated by Europol and Eurojust.
Coordinated law enforcement activity has now ended the availability of IM-RAT, which was used across 124 countries and sold to more than 14 500 buyers. IM-RAT can no longer be used by those who bought it.
In a week of actions (in November), the international agencies dismantled the infrastructure of IM-RAT, arrested 14 of its most prolific users and seized over 430 devices for forensic analysis.
Back in June, search warrants were executed in Australia and Belgium against the developer and one employee of IM-RAT and most recently, actions to fully shut down the distribution of IM-RAT have also been taken in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden and the UK.
In the UK, it has been reported that the NCA searched properties in Hull, Leeds, London, Manchester, Merseyside, Milton Keynes, Nottingham, Somerset and Surrey in relation to the investigation.
The shutting down of the whole IM-RAT infrastructure, and the detailed analysis of the malware and the website used to sell it mean that IM-RAT can no longer be used.
Tens of Thousands of Victims
With the IM-RAT malware/hacking tool being so widely used, Europol believes that there are probably tens of thousands of victims around the world, and so far, investigators have been able to find evidence of stolen personal details, passwords, private photographs, video footage and data.
Although IM-RAT allows cybercriminals to secretly take control of a computer, there are some common signs which indicate that a computer may have been infected with IM-RAT. These signs include an unusually slow internet connection, unknown processes running in a system (which are visible in the Task Manager, Processes tab), files being modified or deleted without your permission, and unknown programs being installed on your device (visible in the Control Panel, Add or Remove Programs).
What Does This Mean For Your Business?
For businesses, this kind of malware caused considerable problems, not least in terms of data protection, disruption, industrial espionage and extortion, and left their devices wide open to hackers. This internationally co-ordinated move by multiple agencies is an important step in the battle against so-called ‘crime as a service’ and bulletproof hosting where organised gangs have sought to profit from crimes that they can carry out from a distance via the Internet.
If you believe that your device may have been infected by IM-RAT, the Europol advice is to disconnect your device from the network in order to prevent any additional malicious activity, install trustworthy security software, and run a scan of your device using security software. When you’re satisfied that you’ve removed the infection, change the passwords for your online accounts and check your banking activity.
Some general steps you can take to guard against falling victim to malware include keeping your anti-virus software and patching up to date, installing a firewall, only using strong passwords (that aren’t shared across different accounts), covering up your webcam when its not in use, regularly backing up your data, and making sure that you don’t open any suspicious-looking emails and attachments even if they do come from people on your contact list.