National Crime Agency brings down prolific Trojan marketplace

A website that sold hacking tools responsible for infecting thousands of machines has been seized following an internationally coordinated effort from law enforcement agencies.

Imminent Methods was a 'clearnet' site that provided hackers with tools such as the Imminent Monitor Remote Access Trojan (IM-RAT) for as little as $25 (£19), according to the National Crime Agency (NCA).

Search warrants were drafted across nine different countries, resulting in the search and seizure of articles related to the running of the website. Out of the 85 total warrants, 21 were executed in cities and regions across the UK, including London, Manchester, Leeds, Somerset, Essex and Merseyside.

Nine arrests were made in the UK, 14 globally, and more than 400 items were seized in total.

"The IM-RAT was used by individuals and organised crime groups in the UK to commit a range of offences beyond just the Computer Misuse Act, including fraud, theft and voyeurism," said Phil Larratt, NCA's National Cyber Crime Unit.

"Cyber criminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data".

RATs are a type of malware that are often downloaded invisibly and usually include a backdoor that can be later exploited by the author to gain unauthorised access to a machine. Once installed, RATs can spread between machines, gradually forming a botnet to increase the amount of data the malware's distributor has access to.

Notable victims of IM-RAT include Russia-based IT service providers and an assortment of West African banks.

The total number of victims is unknown, however, it's believed at least tens of thousands of machines may have been exposed to the malware. Evidence suggests that personal details, passwords, private photographs, video footage and other sensitive data have been harvested as a result.

Law enforcement agencies were originally tipped off by the FBI which was working alongside cyber security outfit Unit 42 from Palo Alto Networks in 2017.

It's important to note that simply owning a license for the malware isn't illegal, and there are uses for it beyond criminal activity. Only when it's used it to break into computers and violate computer safety laws does it become a criminal offence.

"The offences enabled by IM-RAT are often a precursor to more insidious forms of data theft and victim manipulation, which can have far-reaching privacy and safety consequences for those affected. These are real crimes with real victims," said Chris Goldsmid, acting commander cybercrime operations at the AFP.

"We now live in a world where, for just US$25, a cybercriminal halfway across the world can, with just a click of the mouse, access your personal details or photographs of loved ones or even spy on you," said Steven Wilson, head of the European Cybercrime Centre.

Unusually, Imminent Methods operated in the 'clearnet', which means it could be freely accessed by anyone using normal search engines. It's more common for cyber criminals to head to the dark web to buy and sell malware such as RATs where the seizure of the site is less likely to take place.

Interpol has long maintained that the hacking tools available to buy on the dark web are fuelling cyber crime, being one of the primary contributors to the rise of 'as a service' models.

More recently, the trend of ransomware as a service (RaaS) has been the tool of choice for cyber criminals due to the inexpensive price and high chance of profit.