In a newly identified cyberattack campaign, hackers have been exploiting a zero-day vulnerability (CVE-2025-0411) in the widely used file compression tool 7-Zip to deploy SmokeLoader malware.
The campaign, which appears to be part of a larger cyberespionage operation, is targeting Ukrainian government and business entities.
This attack leverages spear-phishing emails and sophisticated homoglyph techniques to bypass security protocols and create a deceptive path for deploying malware.
Exploiting Weakness in 7-Zip’s Mark-of-the-Web Mechanism
The vulnerability in question arises from 7-Zip’s failure to propagate Windows’ Mark-of-the-Web (MoTW) protections to files within double-archived structures.
MoTW is integral to preventing the automatic execution of files from untrusted sources, as it signals Windows to conduct additional security checks.
The flaw in 7-Zip allowed attackers to embed malicious scripts or executables within nested archives that bypass these security measures. 7-Zip versions prior to 24.09 remained susceptible to this exploit.
Cybercriminals, likely linked to Russian threat groups, initiated the campaign in September 2024, embedding the malicious files in spear-phishing emails sent from compromised Ukrainian accounts.
These emails were targeted at various organizations, including governmental offices and manufacturers.
The attackers relied on homoglyph techniques, using Cyrillic characters that resemble Latin ones, to disguise malicious scripts as legitimate file types such as .doc and .pdf, further luring unsuspecting users into executing harmful payloads.
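On the defender's side, the homoglyph disguise described above can be caught by inspecting the names of files extracted from an archive. The following is an added example, not code from the article or from any vendor: it flags file extensions whose letters are Cyrillic lookalikes of Latin ones, using a constructed (non-exhaustive) lookalike table and constructed sample names, while leaving ordinary Cyrillic document names with a Latin extension alone.

```python
import unicodedata

# Cyrillic letters that render almost identically to Latin ones.
# Constructed subset for this example (assumption: not an exhaustive confusables table).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
}


def letter_scripts(text):
    """Scripts used by the letters in text, taken from the first word of each
    character's Unicode name ("LATIN", "CYRILLIC", ...). unicodedata exposes
    no script property directly, so the name prefix serves as a proxy."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def analyze_filename(name):
    """Compare how a filename's extension renders with what it actually contains.
    A Cyrillic stem with a Latin extension (normal for Ukrainian documents) is
    not flagged; lookalike or mixed-script letters inside the extension are."""
    ext = name.rpartition(".")[2] if "." in name else ""
    apparent_ext = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in ext)
    reasons = []
    if any(ch in CYRILLIC_LOOKALIKES for ch in ext):
        reasons.append("extension uses Cyrillic lookalikes of Latin letters")
    if len(letter_scripts(ext)) > 1:
        reasons.append("extension mixes scripts")
    if reasons and apparent_ext.lower() in {"doc", "docx", "pdf"}:
        reasons.append(f"renders as .{apparent_ext} but is not that extension")
    return {
        "name": name,
        "apparent_extension": apparent_ext,
        "actual_extension_scripts": sorted(letter_scripts(ext)),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def flag_filenames(names):
    """Return the analyses of every filename that looks like a homoglyph disguise."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


# Constructed sample: names as they might appear after extracting a nested archive.
SAMPLE_NAMES = [
    "report.doc",            # plain Latin name, fine
    "Документ.pdf",          # Cyrillic stem with a Latin extension, fine
    "invoice.\u0440df",      # Cyrillic 'р' standing in for Latin 'p'
    "contract.d\u043ec",     # Cyrillic 'о' standing in for Latin 'o'
]
```

Running `flag_filenames(SAMPLE_NAMES)` returns only the last two entries, each with the reasons it was flagged.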
SmokeLoader Malware Deployment
Once the nested files were extracted and executed, the SmokeLoader malware was deployed.
SmokeLoader, a notorious malware loader, facilitates the delivery of secondary payloads such as ransomware and data stealers.
This malware has been associated with sophisticated cybercrime groups and advanced persistent threats (APTs), underscoring its ability to evade detection and cause widespread disruption.
The flaw was first reported by the Trend Micro Zero Day Initiative (ZDI) team in September 2024, leading to a patch released by 7-Zip on November 30, 2024, with version 24.09.
However, during the unprotected period, several organizations were compromised in what is believed to be a targeted effort in the ongoing geopolitical cyber conflict between Russia and Ukraine.
Organizations are urged to update 7-Zip to the latest patched version immediately.
Additional mitigation strategies include implementing robust email filtering tools, training employees to recognize homoglyph-based phishing attacks, and disabling the automatic execution of files from untrusted sources.
Enhanced endpoint security measures and URL filtering to block suspicious domains are also recommended.
The combination of exploiting a zero-day vulnerability with homoglyph-based deception represents a significant escalation in the complexity of cyberattacks.
As cybercriminals refine their methods, particularly in the context of geopolitical conflicts, organizations must adopt proactive cybersecurity measures to safeguard against emerging threats.