Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Imminent Monitor has decoded malware components that are then dropped to the system.[2] |
| Enterprise | T1059 | Command and Scripting Interpreter | Imminent Monitor has CommandPromptPacket and ScriptPacket modules for creating a remote shell and executing scripts.[2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Imminent Monitor has a feature to disable Windows Task Manager.[1] |
| Enterprise | T1083 | File and Directory Discovery | Imminent Monitor has a dynamic debugging feature that checks whether it is located in the %TEMP% directory and, if not, copies itself there.[2] |
| Enterprise | T1106 | Native API | Imminent Monitor has leveraged the CreateProcessW() call to execute the debugger.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Imminent Monitor has encrypted spearphishing attachments to avoid detection by email gateways; the debugger also encrypts information before sending it to the C2.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Imminent Monitor has deleted files related to its dynamic debugger feature.[2] |
| Enterprise | T1125 | Video Capture | Imminent Monitor has a remote webcam monitoring capability.[1][2] |
| Enterprise | T1496.001 | Resource Hijacking: Compute Hijacking | Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Imminent Monitor has a keylogging module.[1] |
| Enterprise | T1057 | Process Discovery | Imminent Monitor has a "Process Watcher" feature to monitor processes in case the client ever crashes or gets closed.[1] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Imminent Monitor has a module for performing remote desktop access.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.[2] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.[2] |
| Enterprise | T1123 | Audio Capture | Imminent Monitor has a remote microphone monitoring capability.[1][2] |