Uniden commercial site compromised to distribute Emotet trojan

  • The official website of Uniden has been compromised to host an MS Word document that delivers a variant of the Emotet trojan known as Geodo and Heodo.
  • The malicious Word document can deliver three JavaScript payloads, all of which are identified as Geodo.

What is the issue – abuse.ch’s URLhaus project uncovered that the official website of Uniden has been compromised to host an MS Word document that delivers a variant of the Emotet trojan known as Geodo and Heodo.

“I feel like it would have been bigger news that Uniden, a kinda major company, maker of electronic products like radio transceivers and stuff… their website has been serving malware all day long. commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/,” JTHL tweeted.

The big picture

  • According to URLhaus, the malicious Word document is hosted in the site’s ‘/wp-admin/legale/’ folder and contains a macro that downloads the Emotet variant ‘Geodo’.
  • The malicious Word document can deliver three JavaScript payloads, all of which are identified as Geodo.

Worth noting

  • All three payloads are currently detected by 26 antivirus engines on VirusTotal.
  • The Word document with the malicious macro is now detected as a threat by 20 antivirus engines on VirusTotal.

What’s the situation now?

Uniden was notified of the compromise via a Twitter post; however, the website still remains compromised.