
7-Zip MotW bypass exploited in zero-day attacks against Ukraine


A vulnerability in 7-Zip that allows attackers to bypass the Windows Mark of the Web (MotW) security feature has been exploited by Russian hackers as a zero-day since September 2024.

According to Trend Micro researchers, the flaw was used in SmokeLoader malware campaigns targeting the Ukrainian government and private organizations in the country.

The Mark of the Web is a Windows security feature designed to warn users that the file they are about to execute comes from an untrusted source, requiring a confirmation step via an additional prompt. A MotW bypass lets malicious files run on the victim's machine without that warning.

When documents and executables are downloaded from the web or received as an e-mail attachment, Windows adds an alternate data stream named "Zone.Identifier", known as the Mark of the Web (MotW), to the file.

When you try to open a downloaded file, Windows checks whether a MotW is present and, if so, displays additional warnings asking whether you are sure you wish to run the file. Similarly, when a document carrying a MotW flag is opened in Word or Excel, Microsoft Office generates additional warnings and disables macros.

MotW warnings in Windows
Source: BleepingComputer

Because the Mark of the Web security feature prevents dangerous files from executing automatically, threat actors commonly try to find MotW bypasses so that their files execute without any warning.

For years, cybersecurity researchers asked 7-Zip to add support for the Mark of the Web, but it was not until 2022 that the feature was finally added.

MotW bypass exploited in attacks

Trend Micro's Zero Day Initiative (ZDI) team discovered the flaw, now tracked as CVE-2025-0411, on September 25, 2024, observing it being used in attacks by Russian threat actors.

The hackers exploited CVE-2025-0411 using double-archived files (an archive within an archive) to take advantage of the missing inheritance of the MotW flag, resulting in malicious file execution without triggering any warnings.

The specially crafted archive files were sent to targets via phishing emails from compromised Ukrainian government accounts, in order to bypass security filters and appear legitimate.

Example of phishing email used in the campaign
Source: Trend Micro

Using homoglyph techniques, the attackers disguised their payloads inside the 7-Zip files, making them appear to be harmless Word or PDF documents.

Although opening the parent archive propagates the MotW flag, the CVE-2025-0411 flaw meant the flag was not propagated to the contents of the inner archive, allowing malicious scripts and executables to launch directly.
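The two mechanisms the article relies on, the Zone.Identifier stream that carries the mark and the propagation of that mark to files extracted from an archive, are easy to inspect from a script. The following is an added example written for this page, not code from the article, from Trend Micro or from the 7-Zip project: it parses the stream's [ZoneTransfer] section, applies the "warn on Internet/Restricted zone" policy described above, and, on Windows/NTFS only, reads the stream from a real file or re-applies a mark to extracted files that lack one (the state the inner-archive contents are left in when propagation fails). The stream name "Zone.Identifier" and its INI layout are standard Windows behaviour; the sample stream, the `example.invalid` URLs and the `reapply_motw` helper are constructed for the example.

```python
"""Inspect and re-apply the Windows Mark of the Web (Zone.Identifier stream).

Added example for this page (not code from the article or from 7-Zip).
The parser and policy functions run on any OS; read_motw/reapply_motw touch
NTFS alternate data streams and therefore do nothing outside Windows.
"""
import os
import sys

# URLMON security zone ids carried in the ZoneId field of the stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier stream as a browser download would
# carry it (URLs are made up for the example).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/files/report.7z\r\n"
)


def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section.

    The stream is a tiny INI file; keys outside that section are ignored and
    an empty or malformed stream yields an empty dict.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(text):
    """Return the numeric ZoneId, or None if the stream does not carry one."""
    value = parse_zone_identifier(text).get("ZoneId")
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def should_warn(text):
    """Policy described in the article: Windows prompts (and Office disables
    macros) for content from the Internet (3) or Restricted (4) zones."""
    zid = zone_id(text)
    return zid is not None and zid >= 3


def read_motw(path):
    """Read the Zone.Identifier stream of `path` (Windows/NTFS only).

    None means the file carries no mark, which is exactly how the contents
    of the inner archive end up when an extractor fails to propagate it."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as ads:
            return ads.read()
    except OSError:
        return None


def reapply_motw(directory, zone=3):
    """Defensive re-tagging (hypothetical helper, not a 7-Zip feature): write
    a ZoneId stream to every file under `directory` that lacks one, e.g. after
    extracting a downloaded archive.  Windows/NTFS only; returns paths tagged."""
    tagged = []
    if os.name != "nt":
        return tagged
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if read_motw(path) is None:
                # newline="" keeps the CRLF line endings Windows itself writes.
                with open(path + ":Zone.Identifier", "w", encoding="utf-8",
                          newline="") as ads:
                    ads.write(f"[ZoneTransfer]\r\nZoneId={zone}\r\n")
                tagged.append(path)
    return tagged


if __name__ == "__main__":
    zid = zone_id(SAMPLE_STREAM)
    print(f"sample: ZoneId={zid} ({ZONE_NAMES.get(zid, 'unknown')}), "
          f"warn={should_warn(SAMPLE_STREAM)}")
    # Usage on Windows: python motw.py <extracted file> ...
    for path in sys.argv[1:]:
        print(path, "has MotW" if read_motw(path) else "has NO MotW")
```

Run with no arguments to see the sample parsed; on Windows, pass the files extracted from a downloaded archive to check whether each still carries the mark, which is the quickest way to tell whether an extractor propagated it. Re-tagging with `reapply_motw` restores the prompt for files that lost it, but it is a stop-gap: the fix the article describes is updating 7-Zip.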

The real content of the disguised files
Source: Trend Micro

This last step triggers the SmokeLoader payload, a malicious dropper used in the past to install information stealers, trojans and ransomware, or to create backdoors for persistent access.

Trend Micro says these attacks impacted the following organizations:

  • State Executive Service of Ukraine (SSE) – Ministry of Justice
  • Zaporizhzhia (PrJSC ZAZ) – Manufacturer of cars, buses and trucks
  • Kyivpastrans – Kyiv public transport service
  • Shipping company – Manufacturer of household appliances, electrical equipment and electronics
  • Verkhovyna district administration – Ivano-Frankivsk Oblast administration
  • Saw – Insurance company
  • Regional pharmacy of the city of Dnipro – Regional pharmacy
  • Kyivvodokanal – Kyiv water supply company
  • Zalishchyky municipal council – Municipal council

Update 7-Zip

Although the zero-day was discovered in September, it took Trend Micro until October 1, 2024 to share a working proof-of-concept (PoC) exploit with the 7-Zip developers.

The latter addressed the risk with a fix implemented in version 24.09, released on November 30, 2024. However, as 7-Zip does not include an auto-update feature, it is common for 7-Zip users to run outdated versions.

Therefore, users are strongly recommended to download the latest version to ensure they are protected from this vulnerability.