AFP Investigation leads to IM-RAT takedown

Access to a Remote Access Trojan (RAT) known as Imminent Monitor RAT (IM-RAT) has been shut down after a recent investigation led by the Australian Federal Police (AFP). The author of IM-RAT began selling access to the tool in April 2013 with all the typical features seen in most commodity RATs. For the lifetime of the trojan, it remained cheap: a mere $25 was enough to “control unlimited machines.” The number of victims is currently unknown, though the AFP estimates it to be “in the tens of thousands.” Investigations like these often rely on tips from private companies. In 2017, tips from the FBI and Palo Alto Networks’ Unit 42 helped kickstart the investigation, which involved more than a dozen law enforcement agencies from Australia and Europe, with international coordination by Europol. The takedown of IM-RAT has been extensive, with 85 search warrants executed internationally, over 400 devices seized and 13 people arrested. Efforts are still ongoing to uncover individuals who supported the distribution across 124 countries and to more than 14,500 buyers.

Analyst Notes

Law enforcement agencies often rely on tips from businesses or other agencies. Companies like Binary Defense assist law enforcement whenever possible by passing along information from our own investigations as appropriate, and only when it does not involve our clients’ information. A business doesn’t need to be security-oriented to assist law enforcement. It’s not uncommon for any business to become infected with malware. Reporting these infections to law enforcement (usually the FBI and the Secret Service in the US) when they are found can provide vital clues, such as which organizations the malware targets, updated versions or variants of the malware, or even trails leading to the identity of the actor.