Uniden’s Commercial Site Hacked to Serve Emotet Trojan

Posted by & filed under Security Alerts.

Uniden’s website for commercial security products has been hacked to host a Word document that delivers what appears to be a garden-variety Emotet trojan, also known as Geodo and Heodo.

Compared to Uniden’s main website, which offers a wide range of electronic products (radios, scanners, radar detectors, dash cams, cellular boosters), the solutions available on the commercial branch are limited to cameras (both IP and analog) and network video recorders (NVRs).

Emotet sitting nice and snug

Discovered by threat tracker JTHL, the malicious Word file is stored in the ‘/wp-admin/legale/’ folder and includes a macro that downloads what seems to be a variant of Emotet, according to URLhaus, a project from abuse.ch that collects, tracks and shares malicious URLs with security professionals and network administrators.
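A Word document has no legitimate reason to sit under a WordPress site’s wp-admin tree, so one useful integrity check is to sweep that directory for Office documents and unknown subfolders. The script below is an added example, not code from the article or from URLhaus; the wp-admin allow-list and the sample tree are assumptions constructed to mirror the layout described above.

```python
"""Added example (not from the article): flag files that do not belong under
a WordPress wp-admin tree, such as the Word document planted on Uniden's site."""
import tempfile
from pathlib import Path

# Office documents, executables and archives have no business under wp-admin.
SUSPICIOUS_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsm", ".exe", ".zip"}
# Magic bytes: legacy OLE2 documents (.doc/.xls) and OOXML/zip containers,
# so a renamed document is caught even when the extension looks harmless.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Assumed allow-list of directories shipped in wp-admin; tune to your release.
KNOWN_WP_ADMIN_DIRS = {"css", "images", "includes", "js", "maint", "network", "user"}


def find_suspicious(wp_admin: Path) -> list:
    """Return [(relative_path, reason), ...] for anything unexpected."""
    findings = []
    for path in sorted(wp_admin.rglob("*")):
        rel = path.relative_to(wp_admin).as_posix()
        if path.is_dir():
            if "/" not in rel and rel not in KNOWN_WP_ADMIN_DIRS:
                findings.append((rel, "unknown top-level directory"))
            continue
        if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            findings.append((rel, "unexpected file type " + path.suffix.lower()))
            continue
        with path.open("rb") as fh:
            head = fh.read(8)
        if head.startswith(OLE_MAGIC) or head.startswith(ZIP_MAGIC):
            findings.append((rel, "office/zip container with misleading extension"))
    return findings


def build_demo_tree() -> Path:
    """Constructed sample tree mimicking the compromised layout (not real data)."""
    root = Path(tempfile.mkdtemp()) / "wp-admin"
    (root / "js").mkdir(parents=True)
    (root / "js" / "common.js").write_text("// legitimate WordPress script\n")
    (root / "legale").mkdir()  # directory the article says held the lure
    (root / "legale" / "invoice.doc").write_bytes(OLE_MAGIC + b"constructed")
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(ZIP_MAGIC + b"constructed renamed docx")
    return root


if __name__ == "__main__":
    for rel, reason in find_suspicious(build_demo_tree()):
        print(f"{rel}: {reason}")
```

Run it against a real install by calling find_suspicious(Path("/var/www/html/wp-admin")) instead of the demo tree.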

With the help of 265 volunteer security researchers, over a period of about ten months, the URLhaus project contributed to taking down 100,000 websites actively engaged in malware distribution.

According to the URLhaus analysis, the malicious document can deliver three JavaScript payloads, and all of them have signatures for Heodo, another name for Emotet.

All three of them are detected by 26 antivirus engines on the VirusTotal scanning service at the moment. The Word document with the malicious macro is now detected as a threat by 20 antivirus engines on the same service.

Macros are disabled by default in popular suites like Microsoft Office and LibreOffice, so the cybercriminals turned to social engineering to persuade the victim to enable the script and thus start the malware download routine, offering clear instructions on how to do it.


Company has been notified

It is unclear when the malware was planted on the website, but it is still present at the moment of writing, despite the company being first alerted of the situation over Twitter more than 24 hours ago.

Uniden is a major manufacturer of electronic equipment, but the popularity and size of an organization do nothing to dissuade cybercriminals from hacking its websites and storing their malware there.

Recently, threat researcher MalwareHunterTeam tweeted about a similar situation with a subdomain from the Northwestern University for its Computational Photography Lab, where he found several malicious payloads, some of them being Shade ransomware.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.