Skip to content

S0434 Imminent Monitor

Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.1

Item Value
ID S0434
Associated Names
Version 1.0
Created 05 May 2020
Last Modified 10 July 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1123 Audio Capture Imminent Monitor has a remote microphone monitoring capability.12
enterprise T1059 Command and Scripting Interpreter Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts.2
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.2
enterprise T1140 Deobfuscate/Decode Files or Information Imminent Monitor has decoded malware components that are then dropped to the system.2
enterprise T1041 Exfiltration Over C2 Channel Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.2
enterprise T1083 File and Directory Discovery Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.2
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Imminent Monitor has a feature to disable Windows Task Manager.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Imminent Monitor has deleted files related to its dynamic debugger feature.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Imminent Monitor has a keylogging module.1
enterprise T1106 Native API Imminent Monitor has leveraged CreateProcessW() call to execute the debugger.2
enterprise T1027 Obfuscated Files or Information Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.2
enterprise T1057 Process Discovery Imminent Monitor has a “Process Watcher” feature to monitor processes in case the client ever crashes or gets closed.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Imminent Monitor has a module for performing remote desktop access.2
enterprise T1496 Resource Hijacking Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.1
enterprise T1125 Video Capture Imminent Monitor has a remote webcam monitoring capability.12

Groups That Use This Software

ID Name References
G0099 APT-C-36 2