Infected UNESCO Website Spreads Banking Malware

• An online knowledge portal of UNESCO was infected by malicious listings pointing to phishing pages.
• In many cases, macro-ridden documents were used as fetchers of the Emotet banking trojan.
• UNESCO is currently cleaning the portal, so it’s offline, but recent visitors should scan their systems now.

The e-teams portal of the official UNESCO website contains clickbait links that redirect visitors to a malicious website that spreads the Emotet/Geodo/Mealybug banking malware. The finding belongs to the Cyble team of researchers, and they were surprised to come across Emotet signatures on such a prominent location on the clearnet.

UNESCO (United Nations Educational, Scientific and Cultural Organization) is a specialized agency and a trusty department of the UN. At the same time, the E-teams portal, in particular, is meant to serve as the online knowledge database for policy practitioners. That said, a large number of people are visiting the specific website each day.

The links planted on the site aren’t just spreading malware, but they often lead to nicely crafted phishing pages as well. There, the victims are urged to enter personal details, names, email addresses, and also bank account details. All of this is supposedly a step for an account or human verification - and combined with the fact that the person ended up there through a UNESCO website, the trick works well for the malicious actors.

However, those who are more vigilant would easily notice that the URL they ended up on has nothing to do with the United Nations.

As for Emotet, the actors are using decoy documents downloaded from the UNESCO portal to act as downloaders of the trojan. That is as long as the victim enables macros on their Office suite. Remember, Emotet is a modular malware with advanced detection-evading capabilities, and which has recently surged back to prominence following an extensive period of dormancy.

There are multiple Emotet spreading campaigns going on out there right now, and the UNESCO case is just one example. Cyble provides a long list of the indicators of compromise, while the associated graphical analysis depicts a pretty big operational size.

UNESCO was informed about the problem through multiple user reports, as some of the listings on its portal were pretty obviously planted by a third party. For example, one of the listings offered instructions on how to hack someone’s Instagram account in two minutes.

Thus, the portal is currently offline for maintenance, which is basically cleaning it from all the nasty stuff. If you have visited the portal lately and followed obscure redirections, you should now update your AV tools and run a malware scan on your system.