Uniden’s website was pursued to host a Word document that provides what appears to be a variety of Emotet Trojan gardens, also known as Geodo and Heodo.
Compared to Uniden’s main website offering a wide range of electronic products (radios, scanners, radar detectors, dash cameras, cellular boosters), cameras (IP, analog) and network video recorders (NVR) are the only solutions available in the commercial sector.
Emotet sitting nice and snug
The malicious Word file is stored in the “/wp – admin / legale/” folder and contains a macro that downloads an apparent variant to the Emotet URLhaus URL, a project from abuse.ch that collects, tracks and shares malicious URLs with security professionals and network administrators.
With the help of 265 volunteer security researchers, the URLhaus project has contributed to the dismantling of 100,000 websites active in malware distribution over a period of about 10 months.
i feel like it would have been bigger news that Uniden, a kinda major company, maker of electronic products like radio transceivers and stuff… their website has been serving malware all day long.
commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/
— JTHL (@JayTHL) 11 April 2019
The malicious document can supply three JavaScript payloads according to the URLHouse analysis and all of them have signatures for Heodo, another Emotet name.
All three are currently detected by 26 VirusTotal scanning antivirus engines. The malicious macro Word document is now detected as a threat by 20 anti-virus engines operating on the same service.
Macros in common suites, such as Microsoft Office and LibreOffice, are disabled by default, but cybercriminals have turned to social engineering to find out the victim is using the script and so start the malware download routine and give clear instructions on how to do so.
The company has been notified
Where the malware is being installed on the website is unclear, but it still exists at the time of writing, despite the company being notified of the situation on Twitter more than 24 hours ago.
The company has also received an email from BleepingComputer requesting a statement about this situation but received no reply at the time of publication.
. @Uniden_America your website is compromised. commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/ #malware
— Compromise Notifier (@YouMayBeHacked) 10 April 2019
Uniden is a major electronic equipment manufacturer, but the popularity of an organization and its size are no reason to discourage cybercriminals from hacking and storing malware.
Recently, threat scientist MalwareHunterTeam tweeted about a similar situation for his Computational Photography Lab, which had several malicious payloads, some of which were Shade ransomware, on the Northwestern University domain.
There are some malware files in this folder for some weeks now:
http://compphotolab.northwestern[.]edu/ICCP2016/wp-content/plugins/no-comments/includes/
Files: reso\.zip, hp\.gf, gr\.mpwq, msg\.jpg
First 2 seen on VT, second 2 guessed, so probably there are more…@NorthwesternU— MalwareHunterTeam (@malwrhunterteam) 28 March 2019
In this case it also took administrators more than a day to remove threats since the notification time.
