7-Zip: Mark-of-the-Web flaw was abused by attackers
The recently reported mark-of-the-web vulnerability in 7-Zip has been exploited by attackers in the wild to smuggle malicious code.
(Image: created with AI in Bing Designer by heise online / dmk)
About two weeks ago, a vulnerability was disclosed in 7-Zip that affects the Mark-of-the-Web (MotW) protection, i.e. the safeguard that prevents files downloaded from the Internet from being executed without a prompt. Now Trend Micro has published details of the vulnerability and points out that it has been abused in the wild to deliver malicious code to victims.
An in-depth analysis by Trend Micro's Zero-Day Initiative (ZDI) team discusses CVE-2025-0411 in more detail than was previously available. MotW tags files downloaded from the network with an NTFS Alternate Data Stream (ADS) named "Zone.Identifier", which contains the text "ZoneId=3". That value denotes an untrusted origin zone such as the Internet. Windows also subjects files marked this way to additional checks, for example by Microsoft Defender SmartScreen. By default, Windows does not execute such files without prompting, which, for example, prevents malicious code from being launched automatically.
Vulnerability: Double archive
Before version 24.09, 7-Zip did not correctly propagate the MotW marker when one archive was packed inside another; this happens regardless of the archive format used. Attackers can abuse this to craft archives whose malicious scripts or binaries end up without the MotW marker. That makes Windows users vulnerable, because such content can be executed without further warning. Microsoft Office's protection against malicious documents also relies on this marker.
The ZDI team observed abuse of this vulnerability in the wild on September 25. Presumably Russian criminal gangs used it to attack the Ukrainian government and organizations in a SmokeLoader malware campaign. The investigation revealed that the emails originated from Ukrainian government and corporate accounts and targeted municipal organizations and businesses.
One example email listed originated from an agency under the Ukrainian Ministry of Internal Affairs, the State Executive Service of Ukraine (SES). It was sent to the helpdesk of one of Ukraine's largest car, truck and bus manufacturers, Zaporizhzhia Automobile Building Plant (PrJSC ZAZ). In a manipulated archive, the attackers used similar-looking characters (homoglyphs) to disguise a file inside the inner ZIP of the nested ("double") archive as a Word document. In this campaign they primarily exploited the similarity between the Cyrillic letter "Es" and the Latin letter "C".
Disguised as a .doc file, the inner file is more likely to be unpacked by recipients, Trend Micro explains, and because of the 7-Zip flaw its contents do not receive a MotW marker. As a result, JavaScript, Windows Script files and Windows shortcuts can be executed. In this way the attackers delivered the SmokeLoader malware to victims without triggering any warning during execution.
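As an added example (not from the article, 7-Zip or Trend Micro), a small Python audit a defender could run over a directory of extracted files: it parses the Zone.Identifier stream described above, flags files that lack an Internet-zone mark, and flags extensions containing Cyrillic look-alike letters such as the Es/C pair used in the campaign. The stream layout beyond "ZoneId=3" and the look-alike table are assumptions; the sample stream text is constructed.

```python
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Windows stores MotW in the NTFS alternate data stream "<file>:Zone.Identifier".
# Constructed sample of its INI-style content (layout is an assumption):
#   [ZoneTransfer]
#   ZoneId=3
#   ReferrerUrl=https://example.invalid/
ADS_NAME = "Zone.Identifier"
URLZONE_INTERNET = 3  # ZoneId=3 is the untrusted "Internet" zone

# Cyrillic letters that look like Latin ones (assumed subset; the page names Es/C).
CYRILLIC_HOMOGLYPHS = {"\u0441": "c", "\u0421": "C", "\u043e": "o", "\u0430": "a",
                       "\u0435": "e", "\u0440": "p", "\u0445": "x"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse Zone.Identifier stream text into key -> value (section headers skipped)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_marked_untrusted(text: str) -> bool:
    """True when the stream marks the file as Internet zone (3) or Restricted (4)."""
    zone = parse_zone_identifier(text).get("ZoneId", "")
    return zone.isdigit() and int(zone) >= URLZONE_INTERNET


def read_motw(path: Path) -> Optional[str]:
    """Return the file's Zone.Identifier stream, or None if absent (or no ADS support)."""
    try:
        with open(f"{path}:{ADS_NAME}", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:  # no such stream, or a filesystem without ADS (e.g. Linux)
        return None


def homoglyph_extension(name: str) -> bool:
    """True if the filename's extension contains a Cyrillic look-alike letter."""
    return any(ch in CYRILLIC_HOMOGLYPHS for ch in Path(name).suffix)


def audit_extracted(dir_path: Path) -> List[Tuple[str, str]]:
    """Return (relative path, finding) for unmarked files and look-alike extensions."""
    findings = []
    for f in sorted(p for p in dir_path.rglob("*") if p.is_file()):
        rel = str(f.relative_to(dir_path))
        stream = read_motw(f)
        if stream is None or not is_marked_untrusted(stream):
            findings.append((rel, "no Zone.Identifier or not Internet zone"))
        if homoglyph_extension(f.name):
            findings.append((rel, "extension contains Cyrillic look-alike letter"))
    return findings
```

On a non-NTFS filesystem every file is reported as unmarked, so run the audit on the Windows host where the archive was extracted.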
Anyone using 7-Zip should update to version 24.09 or later to fix this vulnerability. As 7-Zip does not have an integrated update mechanism, it is necessary to visit the 7-Zip website, download the installation program and install it manually.
(dmk)