S0434 Imminent Monitor
Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.1
| Item | Value |
|---|---|
| ID | S0434 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 05 May 2020 |
| Last Modified | 10 July 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1123 | Audio Capture | Imminent Monitor has a remote microphone monitoring capability.12 |
| enterprise | T1059 | Command and Scripting Interpreter | Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts.2 |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.2 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Imminent Monitor has decoded malware components that are then dropped to the system.2 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.2 |
| enterprise | T1083 | File and Directory Discovery | Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.2 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.2 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Imminent Monitor has a feature to disable Windows Task Manager.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Imminent Monitor has deleted files related to its dynamic debugger feature.2 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Imminent Monitor has a keylogging module.1 |
| enterprise | T1106 | Native API | Imminent Monitor has leveraged CreateProcessW() call to execute the debugger.2 |
| enterprise | T1027 | Obfuscated Files or Information | Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.2 |
| enterprise | T1057 | Process Discovery | Imminent Monitor has a “Process Watcher” feature to monitor processes in case the client ever crashes or gets closed.1 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Imminent Monitor has a module for performing remote desktop access.2 |
| enterprise | T1496 | Resource Hijacking | Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.1 |
| enterprise | T1125 | Video Capture | Imminent Monitor has a remote webcam monitoring capability.12 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0099 | APT-C-36 | 2 |