
A recently patched security vulnerability in the 7-Zip archiver tool has been exploited in the wild to deliver the SmokeLoader malware.
The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to bypass Mark-of-the-Web (MotW) protections and execute arbitrary code in the context of the current user. 7-Zip addressed it in version 24.09 in November 2024.
“The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using a homoglyph attack to spoof document extensions and trick users and the Windows operating system into executing malicious files.”

CVE-2025-0411 was likely weaponized as part of a cyber espionage campaign, set against the backdrop of the ongoing Russo-Ukrainian conflict, to target Ukrainian governmental and non-governmental organizations.
MotW is a security feature implemented by Microsoft in Windows to prevent the automatic execution of files downloaded from the Internet without further checks by Microsoft Defender SmartScreen.
CVE-2025-0411 bypasses MotW in 7-Zip through double archiving: the attacker places the malicious payload inside an archive that is itself wrapped in another archive, so that the inner contents are hidden from the protection.
“The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MotW protections to the contents of double-encapsulated archives,” Girnus said. “This allows threat actors to craft archives containing malicious scripts or executables that will not receive MotW protections, leaving Windows users vulnerable to attacks.”
Exploitation of the flaw as a zero-day was first detected in the wild on September 25, 2024, with the infection sequence delivering the SmokeLoader loader malware, which has repeatedly been used to target Ukraine.
The starting point is a phishing email containing a specially crafted archive file. The file uses a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document, effectively triggering the vulnerability.
According to Trend, the phishing messages were sent from compromised Ukrainian government and business email accounts to both local government organizations and businesses, suggesting prior compromises.
“The use of these compromised email accounts gives the emails sent to targets an air of legitimacy, manipulating potential victims into trusting the content and their senders,” Girnus noted.
This approach leads to the execution of an Internet shortcut (.URL) file within the ZIP archive, which points to an attacker-controlled server hosting another ZIP file. The newly downloaded ZIP contains the SmokeLoader executable, which masquerades as a PDF document.
At least nine Ukrainian government agencies and other organizations are assessed to have been affected by the campaign, including the Ministry of Justice, the Kyiv Public Transportation Service, the Kyiv Water Supply Company, and the City Council.
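As an added example (not code from the article or from Trend's research), the following Python script audits a ZIP archive for the two lure traits described in the infection chain above: member names that mix Latin letters with Latin-looking Cyrillic letters, and nested archives that are not declared as archives by their extension or that carry Internet-shortcut or executable members. The sample archive, its member names and its URL are constructed placeholders.

```python
import io
import unicodedata
import zipfile

# Cyrillic letters that render like Latin letters (constructed subset for this check)
CONFUSABLE_CYRILLIC = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445"  # а е о р с у х
                          "\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425")
ZIP_CONTAINER_EXTS = (".zip", ".docx", ".xlsx", ".pptx", ".jar")  # names that legitimately hold ZIP data
SUSPECT_EXTS = (".url", ".lnk", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")


def mixed_script_homoglyph(name: str) -> bool:
    """True when a name mixes Latin letters with Latin-looking Cyrillic letters."""
    has_latin = any("LATIN" in unicodedata.name(c, "") for c in name if c.isalpha())
    has_confusable = any(c in CONFUSABLE_CYRILLIC for c in name)
    return has_latin and has_confusable


def audit_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk a ZIP and any ZIPs nested in it; return (depth, member name, finding) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if mixed_script_homoglyph(name):
                findings.append((depth, name, "homoglyph-filename"))
            if name.lower().endswith(SUSPECT_EXTS):
                findings.append((depth, name, "suspect-member"))
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):  # nested archive, whatever its name says
                if not name.lower().endswith(ZIP_CONTAINER_EXTS):
                    findings.append((depth, name, "disguised-archive"))
                if depth < max_depth:
                    findings.extend(audit_zip(content, depth + 1, max_depth))
    return findings


def build_sample() -> bytes:
    """Constructed lure shaped like the chain above: outer ZIP -> inner ZIP named like
    'Report.doc' but with a Cyrillic 'o' -> an Internet shortcut with a placeholder URL."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Document.url", "[InternetShortcut]\r\nURL=http://stage2.invalid/next.zip\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Report.d\u043ec", inner.getvalue())
    return outer.getvalue()
```

Running `audit_zip(build_sample())` reports the homoglyph name and the disguised inner archive at depth 0 and the .url member at depth 1; a benign archive of Office documents produces no findings because .docx containers are whitelisted.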

In light of the active exploitation of CVE-2025-0411, users are recommended to update their installations to the latest version, implement email filtering to block phishing attempts, and disable the execution of files from untrusted sources.
“One of the interesting takeaways from the organizations targeted and affected is the focus on smaller local government agencies,” Girnus said.
“These organizations are often under intense cyber pressure but are frequently overlooked, less cyber-savvy, and lack the resources for the comprehensive cyber strategies that larger government organizations have. These entities are a valuable pivot point for threat actors.”