- The official website of Uniden has been compromised to host an MS Word document that delivers a variant of the Emotet trojan known as Geodo and Heodo.
- The malicious Word document is capable of delivering three JavaScript payloads and all three payloads have signatures for Geodo.
What is the issue – abuse.ch’s URLhaus project uncovered that the official website of Uniden has been compromised to host an MS Word document that delivers a variant of the Emotet trojan known as Geodo and Heodo.
“i feel like it would have been bigger news that Uniden, a kinda major company, maker of electronic products like radio transceivers and stuff… their website has been serving malware all day long. commercial.uniden[.]com/wp-admin/legale/Nachprufung/042019/,” JTHL tweeted.
The big picture
- According to URLhaus, the malicious Word document is stored in the ‘/wp-admin/legale/’ folder and includes a macro that downloads the Emotet variant ‘Geodo’.
Worth noting
- All three payloads are currently detected by 26 antivirus engines on VirusTotal.
- The Word document with the malicious macro is now detected as a threat by 20 antivirus engines on VirusTotal.
What’s the situation now?
Uniden was notified about the compromise via a Twitter post; however, the website remains compromised.