Emotet Trojan Hacked Uniden Commercial Site Serves

Emotet malware

Uniden’s website was pursued to host a Word document that provides what appears to be a variety of Emotet Trojan gardens, also known as Geodo and Heodo.

Compared to Uniden’s main website offering a wide range of electronic products (radios, scanners, radar detectors, dash cameras, cellular boosters), cameras (IP, analog) and network video recorders (NVR) are the only solutions available in the commercial sector.

Emotet sitting nice and snug

The malicious Word file is stored in the “/wp – admin / legale/” folder and contains a macro that downloads an apparent variant to the Emotet URLhaus URL, a project from abuse.ch that collects, tracks and shares malicious URLs with security professionals and network administrators.

With the help of 265 volunteer security researchers, the URLhaus project has contributed to the dismantling of 100,000 websites active in malware distribution over a period of about 10 months.

The malicious document can supply three JavaScript payloads according to the URLHouse analysis and all of them have signatures for Heodo, another Emotet name.

All three are currently detected by 26 VirusTotal scanning antivirus engines. The malicious macro Word document is now detected as a threat by 20 anti-virus engines operating on the same service.

Macros in common suites, such as Microsoft Office and LibreOffice, are disabled by default, but cybercriminals have turned to social engineering to find out the victim is using the script and so start the malware download routine and give clear instructions on how to do so.

The company has been notified

Where the malware is being installed on the website is unclear, but it still exists at the time of writing, despite the company being notified of the situation on Twitter more than 24 hours ago.

The company has also received an email from BleepingComputer requesting a statement about this situation but received no reply at the time of publication.

Uniden is a major electronic equipment manufacturer, but the popularity of an organization and its size are no reason to discourage cybercriminals from hacking and storing malware.

Recently, threat scientist MalwareHunterTeam tweeted about a similar situation for his Computational Photography Lab, which had several malicious payloads, some of which were Shade ransomware, on the Northwestern University domain.

In this case it also took administrators more than a day to remove threats since the notification time.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.