
Uniden's website for commercial security products has been hacked to host a Word document that delivers what appears to be a garden variety of the Emotet trojan, also known as Geodo and Heodo.
Compared to Uniden's main website, which offers a wide range of electronic products (radios, scanners, radar detectors, dash cams, cellular boosters), the products available on the commercial branch are limited to cameras (both IP and analog) and network video recorders (NVRs).
Emotet sitting nice and snug
Discovered by threat tracker JTHL, the malicious Word file is stored in the '/wp-admin/legale/' folder and includes a macro that downloads what seems to be a variant of Emotet, according to URLhaus, a project from abuse.ch that collects, tracks and shares malicious URLs with security professionals and network administrators.
With the help of 265 volunteer security researchers, over a period of about ten months, the URLhaus project contributed to taking down 100,000 websites actively engaged in malware distribution.
I feel like it would have been bigger news that Uniden, a kinda major company, maker of electronic products like radio transceivers and stuff... their website has been serving malware all day long.
commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/
— JTHL (@JayTHL) April 11, 2019
As per URLhaus analysis, Uniden's website delivers at least a dozen payloads, and all of them have signatures for Heodo, another name for Emotet. The project added ten malicious files today, April 12, and removed the erroneous message stating that the dangerous URL had been taken down.
Four payloads are JavaScript files, while the rest are Microsoft Word documents (.DOC). At the moment, all payloads are detected by antivirus engines on the VirusTotal scanning service and match the Heodo signatures.
Macros are disabled by default in popular suites like Microsoft Office and LibreOffice, so the cybercriminals turned to social engineering to get the victim to enable the script and thus start the malware download routine, offering clear instructions on how to do it.

Company has been notified
It is unclear when the malware was planted on the website, but it is still present at the moment of writing, despite the company having first been alerted to the situation over Twitter more than 24 hours ago.
. @Uniden_America your website is compromised. commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/ #malware
— Compromise Notifier (@YouMayBeHacked) April 10, 2019
Furthermore, as per URLhaus procedure when a malicious URL is added, a notification was automatically sent to the network owner associated with it.
BleepingComputer has also sent the company an email requesting a statement about the current situation but did not receive a reply at publishing time.
Uniden is a major manufacturer of electronic equipment, but the popularity and size of an organization do nothing to dissuade cybercriminals from hacking its websites and storing their malware there.
Recently, threat researcher MalwareHunterTeam tweeted about a similar situation involving a subdomain of Northwestern University's Computational Photography Lab, where he found several malicious payloads, some of them being Shade ransomware.
There are some malware files in this folder for some weeks now:
http://compphotolab.northwestern[.]edu/ICCP2016/wp-content/plugins/no-comments/includes/
Files: reso.zip, hp.gf, gr.mpwq, msg.jpg
First 2 seen on VT, second 2 guessed, so probably there are more... @NorthwesternU
— MalwareHunterTeam (@malwrhunterteam) March 28, 2019
In this case, too, it took the admins more than a day after notification to remove the threats.
Update [04.12.2019]: This article has been edited to add the latest information from URLhaus about the new malware payloads discovered on Uniden's website.
