Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections
Summary:
In September 2024, Trend Micro’s Threat Hunting team identified CVE-2025-0411, a zero-day vulnerability in 7-Zip, exploited in a SmokeLoader malware campaign targeting Ukrainian entities. This flaw allowed attackers to bypass Windows Mark-of-the-Web protections by double-archiving files, preventing security checks from detecting malicious content. Russian cybercrime groups leveraged this exploit in spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick both users and the Windows operating system into executing malware. The exploit was actively used for cyberespionage against Ukrainian government agencies and private organizations, likely in support of Russia’s ongoing cyber operations during the Russo-Ukrainian conflict.
ZDI formally disclosed the vulnerability to 7-Zip creator Igor Pavlov on October 1, 2024, leading to the release of a security patch in version 24.09 on November 30, 2024. Prior to this patch, the flaw allowed attackers to encapsulate a malicious payload within nested archives, preventing Windows Defender SmartScreen and other security mechanisms from recognizing the file as untrusted. This method enabled the execution of scripts such as JavaScript, Windows Script Files, and Windows Shortcut files without triggering MoTW protections.
The campaign’s phishing emails were sent from compromised Ukrainian government and business accounts, with one notable example originating from the State Executive Service of Ukraine and targeting the Zaporizhzhia Automobile Building Plant. The attackers used homoglyph substitution, such as replacing the Latin letter “c” in a document extension with the Cyrillic equivalent, to disguise malicious files. For instance, an archive named “Документи та платежи.7z” contained an inner file named “Спiсок.doс,” where the “.doc” extension was actually a homoglyph attack. This deception tricked users into executing malicious payloads, leading to system compromise.
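The following is an added detection example, not code from the advisory or from Trend Micro: it flags filenames whose extension mixes Unicode scripts or folds to a plain Latin extension once look-alike Cyrillic letters are mapped back, which is exactly the “.doс” trick described above. The confusable table is a constructed subset, and the sample filenames are built inline with the final letter written as U+0441 (Cyrillic small es) as the advisory describes.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render identically to Latin ones
# in common fonts; extend from the Unicode confusables list for production use.
CONFUSABLES = {
    "\u0441": "c", "\u043e": "o", "\u0430": "a", "\u0435": "e",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}


def script_of(ch):
    """Return the script family ('LATIN', 'CYRILLIC', ...) of a letter,
    taken from the first word of its Unicode character name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyse_filename(name):
    """Inspect a filename's extension for homoglyph spoofing.

    Returns the raw extension, the extension a user would *perceive* after
    folding confusables to Latin, the set of scripts used, and a flag that is
    True when the extension mixes scripts or folds to a pure ASCII extension
    it does not actually spell (e.g. Cyrillic 'с' in 'doс' -> 'doc')."""
    _, dot, ext = name.rpartition(".")
    if not dot:
        return {"ext": "", "apparent_ext": "", "scripts": set(), "suspicious": False}
    scripts = {script_of(c) for c in ext if c.isalpha()}
    apparent = "".join(CONFUSABLES.get(c, c) for c in ext)
    suspicious = len(scripts) > 1 or (apparent != ext and apparent.isascii())
    return {"ext": ext, "apparent_ext": apparent, "scripts": scripts, "suspicious": suspicious}


# Constructed samples: the spoofed inner file from the advisory, a benign
# Latin document, and the benign outer 7z name.
SAMPLES = ["Спiсок.do\u0441", "report.doc", "Документи та платежи.7z"]

if __name__ == "__main__":
    for n in SAMPLES:
        r = analyse_filename(n)
        print(f"{n!r}: ext={r['ext']!r} looks_like={r['apparent_ext']!r} "
              f"scripts={sorted(r['scripts'])} suspicious={r['suspicious']}")
```

Run over an email gateway's attachment listing or an archive's inner filenames, a `suspicious` result is worth quarantining for review even when the perceived extension looks like a harmless document type.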
Security Officer Comments:
Among the organizations affected were government agencies, transportation services, manufacturers, insurance firms, and municipal councils. Many of these entities, particularly smaller government bodies, often lack robust cybersecurity defenses, making them prime targets for initial compromise before attackers pivot to larger networks. The threat actors also used previously compromised email accounts to enhance credibility, increasing the likelihood of successful phishing attempts.
Suggested Corrections:
- Ensure that all instances of 7-Zip are updated to version 24.09 or later. This version addresses the CVE-2025-0411 vulnerability.
- Implement strict email security measures, including the use of email filtering and anti-spam technologies to detect and block spear-phishing attacks.
- Train employees to recognize and report phishing attempts. Regularly update them on the latest phishing tactics, including homoglyph attacks on files and filetypes, as discussed in this entry.
- Educate users on zero-day and n-day vulnerabilities and on the part they themselves play in preventing exploitation.
- Educate users on the importance of MoTW and its role in preventing the automatic execution of potentially harmful scripts or applications.
- Disable the automatic execution of files from untrusted sources and configure systems to prompt users for verification before opening such files.
- Implement domain filtering and monitoring to detect and block homoglyph-based phishing attacks.
- Use URL filtering to block access to known malicious domains and regularly update blacklists with newly identified threat domains.
https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html