In a week of coordinated action, police forces in several countries have taken down the IM RAT malware. The action resulted in the takedown of the website selling the tool and the arrest of a number of buyers and users. Police forces also recovered a number of items including 436 laptops, phones and servers that are expected to yield further intelligence.
The operation to takedown the IM RAT was led by the Australian Federal Police. The action also involved Europol, the Belgium Police, New Zealand Police, National Police Corps of the Netherlands, the United Kingdom’s National Crime Agency, the North West Regional Crime Unit and the Federal Bureau of Investigation.
Phil Larratt from the NCA’s National Cyber Crime Unit said: “Working with the NWROCU, AFP and a range of international and European partners we were able to support the takedown of a website that was distributing malware and facilitating hacking offences. The IM RAT was used by individuals and organised crime groups in the UK to commit a range of offences beyond just the Computer Misuse Act, including fraud, theft and voyeurism.
“Cyber criminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data. As part of Team Cyber UK, the NCA works with a wide range of law enforcement, government and private sector partners to affectively disrupt and deter this type of criminal activity.”
85 warrants were issued by the various police forces involved. 21 of those were in the UK and they resulted in 9 arrests and the seizure of over 100 items. The operation brings to a close an investigation that has been ongoing since 2017. It was originally started by the FBI and Palo Alto Network’s Unit 42 team.
What is IM RAT?
The Imminent Monitor Remote Action Trojan (IM RAT) is a piece of malware that allowed the complete takeover of a victims machine. Like a number of other similar pieces of software, it started life as an administration tool.
It was originally sold to allow remote administration and technical support of computers. This meant it allowed software to be turned on/off, installed, deleted, data to be recovered and users to be monitored.
Cybercriminals using the software used it to disable local security software. This meant they could install other tools, if necessary, on the remote computer. They were also able to use the camera and microphone to spy on their victim and steal their data.
The ability to monitor keystrokes also allowed them to capture users security credentials for banking, finance and even corporate sites. These are either used by the cybercriminals themselves or sold on the Dark Web.
At just US$25 per copy with and with little technical knowledge required to use it, it was increasing in popularity. The various press releases from police forces involved in the operation say that: “over 14,500 people across 124 countries are known to have purchased the tool.”
What is not known is how many of those purchased the tool for legal purposes and how many used it to steal data. The police will now be looking to decrypt data on the devices seized to see if they can find.
Enterprise Times: What does this mean
It can be a fine line between tools used for legitimate purposes and for hacking. Most administrator tools can be used for nefarious uses which often goes undetected. What is of more interest here is what happens next. There are a lot of devices to go through to work out who had been buying IM RAT. More importantly, those devices are likely to yield intelligence on other tools and communities.
This is yet another RAT taken down by law enforcement around the world and it won’t be the last. Deleting these tools is getting harder. As the low level tools disappear, there is evidence that more complex and effective tools are filling the gap. Those tools are becoming increasingly cheaper and more readily available.
Cybercrime and nation state groups are increasingly making easy to use tools accessible to low level hackers. They great a lot of noise and act as a distraction for other operations. It also increases the workload on the defenders which reduces the risk of sophisticated attacks being detected.
For now, however, score another win for the good guys.