Infected UNESCO Website Spreads Banking Malware

  • An online knowledge portal of UNESCO was infected by malicious listings pointing to phishing pages.
  • In many cases, macro-ridden documents were used as fetchers of the Emotet banking trojan.
  • UNESCO is currently cleaning the portal, so it’s offline, but recent visitors should scan their systems now.

The e-teams portal of the official UNESCO website contains clickbait links that redirect visitors to a malicious website that spreads the Emotet/Geodo/Mealybug banking malware. The finding belongs to the Cyble team of researchers, and they were surprised to come across Emotet signatures on such a prominent location on the clearnet.

UNESCO (United Nations Educational, Scientific and Cultural Organization) is a specialized agency and a trusty department of the UN. At the same time, the E-teams portal, in particular, is meant to serve as the online knowledge database for policy practitioners. That said, a large number of people are visiting the specific website each day.

Source: Cyble

The links planted on the site aren’t just spreading malware, but they often lead to nicely crafted phishing pages as well. There, the victims are urged to enter personal details, names, email addresses, and also bank account details. All of this is supposedly a step for an account or human verification – and combined with the fact that the person ended up there through a UNESCO website, the trick works well for the malicious actors.

However, those who are more vigilant would easily notice that the URL they ended up on has nothing to do with the United Nations.

Source: Cyble

As for Emotet, the actors are using decoy documents downloaded from the UNESCO portal to act as downloaders of the trojan. That is as long as the victim enables macros on their Office suite. Remember, Emotet is a modular malware with advanced detection-evading capabilities, and which has recently surged back to prominence following an extensive period of dormancy.

There are multiple Emotet spreading campaigns going on out there right now, and the UNESCO case is just one example. Cyble provides a long list of the indicators of compromise, while the associated graphical analysis depicts a pretty big operational size.

Source: Cyble

UNESCO was informed about the problem through multiple user reports, as some of the listings on its portal were pretty obviously planted by a third party. For example, one of the listings offered instructions on how to hack someone’s Instagram account in two minutes.

Thus, the portal is currently offline for maintenance, which is basically cleaning it from all the nasty stuff. If you have visited the portal lately and followed obscure redirections, you should now update your AV tools and run a malware scan on your system.



Is It Okay to Charge iPhone 13, Mini, Pro, or Pro Max Overnight?

Without any doubt, there are plenty of misconceptions about charging iOS devices. That’s even more true now since this year’s iPhones have the...

Is It Okay to Play Games While Charging iPhone 13? 

The iOS App Store offers more than one million games. Your options are practically limitless, with console-like games taking full advantage of iPhone 13’s...

Is It Bad to Use iPhone 13 While Charging? 

The latest iPhone generation comes with the longest battery life yet, managing to provide up to 2.5 extra hours of use. With that said,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari