What Is It?
Legitimate websites are prized by malicious actors as distribution sites for their malware. The primary reason is that a link to a legitimate website is more likely to be clicked on by potential victims. The more well known the organization, the more likely its website or entire domain is whitelisted and less likely to be blocked by security products. There are numerous examples of legitimate websites being compromised that end up serving malware of all types, including trojans and ransomware. In this case, the website of the commercial security division of electronics manufacturer Uniden was compromised.
Discovered by a threat researcher known by the Twitter handle “JTHL” found malicious Word documents stored in the site’s /wp-admin/legale directory. According to URLhaus, the malicious documents contained a macro that downloads a variant of the Emotet banking trojan (aka Hedo). Within the past year, working with 300 volunteers, the URLhaus project has assisted in the removal or remediation of approximately 100,000 sites distributing malware.
First discovered by security researchers in 2014, the Emotet trojan is mainly distributed by malicious spam emails, containing either an attached Office document with a malicious macro or a simple link to a malicious document.
Favorite lures used by the spam emails attempting to socially engineer users to open a document or click a link include perennial favorites such as unpaid invoices or undeliverable packages. Emotet, which was Initially a banking trojan, has evolved to include the theft of cryptocurrency wallets, installation of addition malware and sending of malicious spam from an infected system. The Emotet code is polymorphic, meaning it alters itself each time it’s executed, which makes it harder for legacy security products to detect. Emotet can also determine when it is being executed on a virtual machine, which slows down analysis.
How Does It Propagate?
Some Emotet variants do contain the necessary code to self-propagate, exploiting the use of poor passwords on network shares or even the EternalBlue vulnerability as used by the devasting WannaCry and NotPetya attacks. The most likely infection vector is malicious spam emails containing a link to the malicious documents hosted on the Uniden website, which users are socially engineered to click on.
When/How Did BluVector Detect It?
Fifteen malicious Word document samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected the malware in all the 15 samples. Regression testing has shown that all samples would have been detected for 62 months prior to their release.