info@thehackernews.com (The Hacker News)
2025-02-04 07:28:00
thehackernews.com
A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware.
The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09.
“The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files,” Trend Micro security researcher Peter Girnus said.
It’s suspected that CVE-2025-0411 was likely weaponized to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.
MotW is a security feature implemented by Microsoft in Windows to prevent the automatic execution of files downloaded from the internet without performing further checks through Microsoft Defender SmartScreen.
CVE-2025-0411 bypasses MotW by double archiving contents using 7-Zip, i.e, creating an archive and then an archive of the archive to conceal the malicious payloads.
“The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives,” Girnus explained. “This allows threat actors to craft archives containing malicious scripts or executables that will not receive MotW protections, leaving Windows users vulnerable to attacks.”
Attacks leveraging the flaw as a zero-day were first detected in the wild on September 25, 2024, with the infection sequences leading to SmokeLoader, a loader malware that has been repeatedly used to target Ukraine.
The starting point is a phishing email that contains a specially-crafted archive file that, in turn, employs a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, effectively triggering the vulnerability.
The phishing messages, per Trend Micro, were sent from email addresses associated with Ukrainian governing bodies and business accounts to both municipal organizations and businesses, suggesting prior compromise.
“The use of these compromised email accounts lend an air of authenticity to the emails sent to targets, manipulating potential victims into trusting the content and their senders,” Girnus pointed out.
This approach leads to the execution of an internet shortcut (.URL) file present within the ZIP archive, which points to an attacker-controlled server hosting another ZIP file. The newly downloaded ZIP contains the SmokeLoader executable that’s disguised as a PDF document.
At least nine Ukrainian government entities and other organizations have been assessed to be impacted by the campaign, including the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council.
In light of the active exploitation of CVE-2025-0411, users are recommended to update their installations to the latest version, implement email filtering features to block phishing attempts, and disable the execution of files from untrusted sources.
“One interesting takeaway we noticed in the organizations targeted and affected in this campaign is smaller local government bodies,” Girnus said.
“These organizations are often under intense cyber pressure yet are often overlooked, less cyber-savvy, and lack the resources for a comprehensive cyber strategy that larger government organizations have. These smaller organizations can be valuable pivot points by threat actors to pivot to larger government organizations.”
Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.
Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.
Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!
Help Power Techcratic’s Future – Scan To Support
If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.
As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!
BITCOIN bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge Scan the QR code with your crypto wallet app |
DOGECOIN D64GwvvYQxFXYyan3oQCrmWfidf6T3JpBA Scan the QR code with your crypto wallet app |
ETHEREUM 0xe9BC980DF3d985730dA827996B43E4A62CCBAA7a Scan the QR code with your crypto wallet app |
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.