AFP takes down website distributing malware used by domestic abusers

Credit: LT

Law enforcement in Australia, the Europe Union and the UK have coordinated to take down an Australian-hosted website that was used to distribute software tools for attackers to spy on targets. 

The UK’s National Crime Agency, the Australian Federal Police and Europol on the weekend revealed a joint effort to take down an Australian-hosted website the was used to distribute a remote access trojan (RAT) that was branded as Imminent Monitor or “IM”.       

Remote access tools or trojans (RAT) can be used for sophisticated spying activities but this class of software is used to stalk a partner by installing a program on the target’s computer, giving the attacker access to photos, emails and other content. 

“In Australia, a number of the IM RAT purchasers are known to be respondents to domestic violence orders,” the Australian Federal Police said in an announcement.   

IM stalker malware allowed the attacker to surreptitiously log keystrokes, which would expose passwords to Gmail and Facebook accounts, activate the webcam on a target PC, and access all local stored files, such as documents and photos. 

AFP said investigators had identified evidence of stolen personal details, passwords, private photographs, video footage and data.

But now that the criminal gang’s infrastructure has been seized and shutdown, law enforcement cannot contact current victims. 

The AFP said it had made no arrests in Australia. The UK’s NCA however carried out 21 search warrants across the UK, all aimed at suspected users of the Australian-hosted RAT. 

In total, 85 warrants were executed across the globe and 14 people were arrested, according to NCA. The AFP took down the website on Friday 29 November, killing the tool for paying subscribers. 

IM RAT was available for US$25, offering people alleged to have committed domestic abuse crimes a cheap method to monitor and potentially manipulate targets with information gathered illegally from PCs. 

The AFP says IM-RAT software was sold across 124 countries and and that sales records indicated in excess of 14,500 buyers.

There are legitimate uses of remote access tools for providing remote tech support, such as TeamViewer, however these tools have been abused in the past to deliver malware and spy on targets.    

Cybersecurity firm Palo Alto Networks assisted the AFP’s investigation and captured some of the ways the operators of Imminent Methods marketed the RAT and tried to deny responsibility for the product

Read more: Thousands of QNAP NAS devices infected by QSnatch credential stealing malware

“The services sold on this website are for personal, not distributed, use and should only be used on your own machines or the machines of those who have given you expressed consent for remote management. Remember that our tools are made for educational purpose, so we do not take any responsiblity for any damage caused by any of or tools or services. Misuse of our tools or services can be very illegal,” the Imminent Methods site said. 

Palo Alto Networks offered details that suggest the operator of the site is based in Australia, including a Twitter account that stated its owner’s location was in Queensland, an Australian phone contact number and a connected account with an Australian address.  

According to Palo Alto Networks researchers, the maker of IM RAT is a developer who uses the name “Shockwave™”. The developer started marketing his RAT as “Imminent Monitor” in 2013, and had also sold a stresser service for knocking websites offline called Shockwave Booter, but Shockwave eventually settled on the RAT product. 

Pre-takedown the imminentmethods[.]net site's “Contact us” page had an Australian phone number and time zone, and a New South Wales address address for the business “DictumFox”.

AFP notes that at the end of an international week-of-action resulting in the take down of the Imminent Monitor web page, there were 85 warrants executed internationally, 434 devices seized and 13 people arrested, but none of the arrests were made in Australia. 

So who is Shockwave? All that’s known right now is that the Shockwave and the imminent methods accounts use a common panda in a business suit. 

Suspected Imminent Monitor operator uses a panda bear disguise Credit: LT
Suspected Imminent Monitor operator uses a panda bear disguise

Read more: Developers attacked: Two Python package trojans spread via popular PyPI website

Tags malwareratremote access TrojanTeamviewerremote access tool

Show Comments