Uniden’s website for commercial security products has been hacked to host a Word document that delivers what appears to be a garden variety of the Emotet trojan, also known as Geodo and Heodo.
Compared to Uniden’s main website, which offers a wide range of electronic products (radios, scanners, radar detectors, dash cams, cellular boosters), the solutions available on the commercial branch are limited to cameras (both IP and analog), network video recorders (NVR).
Emotet sitting nice and snug
Discovered by threat tracker JTHL , the malicious Word file is stored in the ‘/wp-admin/legale/’ folder and includes a macro that downloads what seems to be a variant of Emotet, according to URLhaus, a project from abuse.ch that collects, tracks and shares malicious URLs with security professionals and network administrators.
With the help of 265 volunteer security researchers, over a period of about ten months, URLhaus project contributed to taking down 100,000 websites actively engaged in malware distribution.
All three of them are detected by 26 antivirus engines on VirusTotal scanning service at the moment. The Word document with the malicious macro is now detected as a threat by 20 antivirus engines on the same service.
Macros are disabled by default in popular suites like Microsoft Office and LibreOffice, but the cybercriminals turned to social engineering to determine the victim to activate the script and thus start the malware download routine, and offer clear instructions on how to do it.
Company has been notified
It is unclear when the malware was planted on the website, but it is still present at the moment of writing, despite the company being first alerted of the situation over Twitter more than 24 hours ago.
Uniden is a major manufacturer of electronic equipment but popularity and size of an organization is no reason to dissuade cybercriminals from hacking their websites and store their malware.
Recently, threat researcher MalwareHunterTeam tweeted about a similar situation with a subdomain from the Northwestern University for its Computational Photography Lab, where he found several malicious payloads, some of them being Shade ransomware.