A 27-year-old Liverpool, England man has been convicted on charges of computer misuse after admitting to installing the remote-access trojan (RAT) known as Imminent Monitor on three unsuspecting women’s devices.
The defendant, Scott Crowley, said in a court hearing that he used Imminent Monitor (a.k.a. IM-RAT) to hack the victims’ computer and phone webcams so he could spy on them and film them in various compromising positions, including undressing and having sex. And, the spying continued for two years, according to a report in the Liverpool Echo. He was taken into custody last November.
Crowley had purchased Imminent Monitor using his own PayPal account, which ultimately allowed the police to track him down, since it was linked to his name and email address.
The prosecutor on the case said that in examining Crowley’s computer, officers discovered three folders named after each of his victims; these contained images and videos of the women undressing, and in some cases having sex.
Crowley admitted to three counts of computer misuse and three counts of voyeurism and was sentenced to two years in jail. The court documents didn’t detail just how he was able to compromise the victims’ machines in the first place.
IM-RAT, a Freely Available Spy Tool
IM-RAT is a commodity tool that first appeared in 2012, the work of a developer going by the handle of “Shockwave.” It has always been marketed as legitimate and openly sold online, according to a recent analysis from Palo Alto Networks’ Unit 42 division – using “the fastest remote administration tool ever created using new socket technology that has never been used before,” as its tagline.
In reality, IM-RAT allows full control of a victim’s computer, including the ability to access files, processes, Windows manager, Window Registry and the clipboard and the ability to run commands from the command bar. It was licensed to each customer for a $25 fee.
In December, the RAT’s infrastructure was taken down by Australian and global authorities, who determined that the “tool” was nothing more than malicious spyware. For instance, one of the RAT’s plugins allows users to turn the webcam light off while monitoring. Another version (3.0) of IM-RAT introduced the ability to run a cryptocurrency miner on the victim machine. Also, a keylogger keeps its activities hidden from the desktop owner and encrypted.
“This software appears to have only a malicious purpose,” said Crowley’s defense attorney, Stuart Mills, according to the Echo report. “If that’s really the case, it’s surprising it’s so freely available for sale and purchase because there was no sophistication here — it was purchased with this defendant’s PayPal account and he was readily identified.” He added: “This defendant himself is not a particularly sophisticated individual.”
Stalkerware in the Sights
While the use of malware to spy on people with sexual intent is not new (in March, a ring was busted that filmed about 1,600 motel guests in various states of undress and having sex), there has been a recent increased spotlight on the scourge of such spying and so-called “stalkerware.”
The term “stalkerware” refers to both surreptitious spyware available on the Dark Web as well as applications like IM-RAT that claim to be legitimate, offered for sale through normal channels. The two have one thing in common: They allow someone to spy and track users’ whereabouts and activities – without the knowledge of the user. Nefarious use can lead to harassment, surveillance without consent, stalking and even domestic violence.
The FTC recently banned three apps from Retina-X Studios, which the agency said were “uniquely suited to illegal and dangerous uses – though the developers insisted the apps were for tracking employees and children only. And in a similar vein, last fall the Ghosty app was removed from the Google Play and Apple’s App Store. In return for sharing one’s Instagram credentials, the app would let users see the private profiles of its other users. Some called the app a “stalker paradise.”
To address these and other emerging threats, the Coalition Against Stalkerware launched in November, with Avira, Electronic Frontier Foundation, European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape and WEISSER RING all signing on.
Its purpose is to create a centralized location for helping victims of stalkerware, as well as to define what stalkerware is in the first place. Creating an agreed-upon standard definition for stalkerware along with detection criteria will help IT security professionals to communicate around the issue, the group said.
For its part, IM-RAT has been widely distributed. As of December, Palo Alto Networks said that it had collected more than 65,000 samples and has seen more than 115,000 attacks against its customers alone. However, the Australian investigation targeted not only the developers behind the RAT, but also the customers that use the software, by disabling the licensing and therefore access to the malicious code. Disturbingly, out of 14,500 customers, the AFP’s investigation noted a significant number of Australian users with domestic violence-related restraining orders against them.
In general, stalking malware is seeing alarming growth: Kaspersky analysis recently found that there were more than 518,223 cases of stalkerware infections detected by its products in the first eight months of 2019 – a 373 percent increase year-over-year.
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.