The Rat Trap: international cybercrime investigation shuts down insidious malware operation

A tool allowing cybercriminals to remotely and secretly gain control over a victim’s computer is no longer available as a result of an Australian-led operation targeting hackers allegedly using the Imminent Monitor Remote Access Trojan (IM-RAT).

An investigation led by the Australian Federal Police’s (AFP) Cybercrime Investigations teams, with international activity coordinated by Europol, resulted in an operation involving more than a dozen law enforcement agencies in Europe and Australia.

Once installed on a victim’s computer, the now-defunct IM-RAT software allowed a remote user to access and view documents, photographs and other files, record all the keystrokes entered and even activate the webcam on the victim’s computer – all of which could be done without the victim’s knowledge.

In Australia, a number of the IM-RAT purchasers are known to be respondents to domestic violence orders. Mobile service centres have also been targeted by IM-RAT users, demonstrating the broad range of criminal applications this malware can be used for.

The number of victims is unknown but estimates suggest it could globally be in the tens of thousands. Investigators have identified evidence of stolen personal details, passwords, private photographs, video footage and data. Forensic analysis of the large number of computers and internet accounts continues, with investigators working to identify potential victims. However, with the source software now no longer available, access to victims has been shut off.

This investigation began in 2017 following a referral from the Federal Bureau of Investigation (FBI) and the threat intelligence team Unit 42 at Palo Alto Networks.

Today marks the last day of an international week of action resulting in the takedown of the Imminent Monitor web page. As a result of this week of action, there have been 85 warrants executed internationally, 434 devices seized (laptops, phones, servers etc.) and 13 people arrested (none in Australia).

The global investigation remains ongoing with Australia working closely with our partners in the Belgium Police, New Zealand Police, National Police Corps of the Netherlands, the United Kingdom’s National Crime Agency, the North West Regional Crime Unit and the Federal Bureau of Investigation.

The investigation has uncovered a network of individuals who supported the distribution and use of the IM-RAT software across 124 countries, with sales records showing there may be more than 14,500 buyers. IM-RAT was advertised via a website dedicated to hacking and the use of criminal malware, with a licence costing as little as US$25 and requiring little technical knowledge to be deployed.

While not all uses of IM-RAT are illegal and owning a licence is not a criminal offence, the malware can be used for illegal purposes, such as giving a remote user complete access to a potential victim’s computer, essentially giving the purchaser access to movement, location, and online and offline activity.

AFP Spokesperson Acting Commander Cybercrime Operations Chris Goldsmid said the success of the investigation was a testament to the vital importance of international law enforcement cooperation. 

“These partnerships are critical to law enforcement being able to respond to rapidly-evolving and increasingly global crime types. We are proud to work with our international counterparts to help prevent people falling victim to spyware.

“The offences enabled by IM-RAT are often a precursor to more insidious forms of data theft and victim manipulation, which can have far-reaching privacy and safety consequences for those affected. These are real crimes with real victims,” A/Commander Goldsmid said.

Head of the European Cybercrime Centre Steven Wilson said, “We now live in a world where, for just US$25, a cybercriminal halfway across the world can, with just a click of the mouse, access your personal details or photographs of loved ones or even spy on you.”

“The global law enforcement cooperation we have seen in this case is integral to tackling criminal groups who develop such tools.

“It is also important to remember some basic steps can prevent you falling victim to such spyware: we continue to urge the public to ensure their operating systems and security software are up to date,” Mr Wilson said.

IMPORTANT: If you think you may be a victim of the IM-RAT malware, information on what to do next can be found on the AFP website.

Editor’s note: Domestic and international warrant footage and piece-to-camera grabs can be downloaded from the following HighTail link.

Media enquiries
AFP National Media: (02) 5126 9297
