Hacked Uniden Commercial Site Serves Emotet Trojan
Uniden's website for commercial security products has been hacked to host a Word document that delivers what appears to be a garden variety of the Emotet trojan, also known as Geodo and Heodo.
Compared to Uniden's main website, which offers a wide range of electronic products (radios, scanners, radar detectors, dash cams, cellular boosters), the solutions available on the commercial branch are limited to cameras (both IP and analog), network video recorders (NVR).
Emotet sitting nice and snug
Discovered by threat tracker JTHL , the malicious Word file is stored in the '/wp-admin/legale/' folder and includes a macro that downloads what seems to be a variant of Emotet, according to URLhaus, a project from abuse.ch that collects, tracks and shares malicious URLs with security professionals and network administrators.
With the help of 265 volunteer security researchers, over a period of about ten months, URLhaus project contributed to taking down 100,000 websites actively engaged in malware distribution.
i feel like it would have been bigger news that Uniden, a kinda major company, maker of electronic products like radio transceivers and stuff... their website has been serving malware all day long.
commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/
— JTHL (@JayTHL) April 11, 2019
As per URLhaus analysis, the malicious document can deliver three JavaScript payloads and all of them have signatures for Heodo, another name for Emotet.
All three of them are detected by 26 antivirus engines on VirusTotal scanning service at the moment. The Word document with the malicious macro is now detected as a threat by 20 antivirus engines on the same service.
Macros are disabled by default in popular suites like Microsoft Office and LibreOffice, but the cybercriminals turned to social engineering to determine the victim to activate the script and thus start the malware download routine, and offer clear instructions on how to do it.
Company has been notified
It is unclear when the malware was planted on the website, but it is still present at the moment of writing, despite the company being first alerted of the situation over Twitter more than 24 hours ago.
. @Uniden_America your website is compromised. commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/ #malware
— Compromise Notifier (@YouMayBeHacked) April 10, 2019
BleepingComputer has also sent the company an email requesting a statement about the current situation but did not receive a reply at publishing time.
Uniden is a major manufacturer of electronic equipment but popularity and size of an organization is no reason to dissuade cybercriminals from hacking their websites and store their malware.
Recently, threat researcher MalwareHunterTeam tweeted about a similar situation with a subdomain from the Northwestern University for its Computational Photography Lab, where he found several malicious payloads, some of them being Shade ransomware.
There are some malware files in this folder for some weeks now:
http://compphotolab.northwestern[.]edu/ICCP2016/wp-content/plugins/no-comments/includes/
Files: reso.zip, hp.gf, gr.mpwq, msg.jpg
First 2 seen on VT, second 2 guessed, so probably there are more...@NorthwesternU— MalwareHunterTeam (@malwrhunterteam) March 28, 2019
In this case, too, it took the admins more than a day since notification time to remove the threats.
Gloss