Exploited 7-Zip MotW Bypass Leads to Zero-Day Attacks Against Ukraine

Explore the latest exploit involving a 7-Zip Mark of the Web (MotW) bypass, which is leading to zero-day attacks.

Tuesday 11 February, 2025

7ZIP Vulnerability - Cyberware Hub

Since September 2024, Russian hackers have been exploiting a 7-Zip vulnerability to bypass the Windows security feature known as the Mark of the Web (MotW). The exploit has been used in SmokeLoader malware campaigns, particularly targeting the Ukrainian government and private organizations within the country.

What is Mark of the Web (MotW)?

The Mark of the Web (MotW) is a security feature in Microsoft Windows that marks files downloaded from the Internet as potentially unsafe. When a file is downloaded, Windows attaches a special tag to it using the Alternate Data Stream (ADS) feature of the NTFS filesystem. This tag warns users when they attempt to open the file, alerting them that it could be harmful.

MotW also restricts what a marked file may do: Microsoft Office, for example, will not run macros in a document carrying the mark unless the user explicitly permits it. It safeguards against attacks by warning users of the dangers associated with opening files that came from the Internet.
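The tag described above lives in an NTFS alternate data stream named Zone.Identifier. The following added example (not code from the original article) reads and parses that stream, and re-applies an Internet-zone mark to every file under an extraction directory that has lost it, which is the defensive counterpart of the bypass this article covers. It assumes Python on Windows with an NTFS volume, where the stream can be opened as `<path>:Zone.Identifier`; on other platforms the read/write helpers return `None`/`False` and only the pure parsing and formatting helpers do anything. The stream contents shown in the comments are a constructed sample.

```python
"""Inspect and re-apply the Mark of the Web (Zone.Identifier ADS).

Added example, not code from the article. Assumes Windows/NTFS for the
stream access; parse/build helpers are platform independent.
"""
import os
import sys
from pathlib import Path
from typing import Optional

# URL security zone ids used by Windows; browsers and mail clients stamp
# downloads with zone 3 (Internet).
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4
STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream content into a dict.

    A typical download carries (constructed sample):
        [ZoneTransfer]
        ZoneId=3
        HostUrl=https://example.test/file.zip
    Returns {} for an empty or malformed stream.
    """
    fields: dict = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if isinstance(fields.get("ZoneId"), str) and fields["ZoneId"].isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def build_zone_identifier(zone_id: int = ZONE_INTERNET,
                          host_url: Optional[str] = None) -> str:
    """Produce stream content in the same CRLF-terminated format Windows writes."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def read_motw(path) -> Optional[dict]:
    """Return the parsed Zone.Identifier of *path*, or None if the file is
    unmarked (or the platform has no alternate data streams)."""
    if os.name != "nt":
        return None
    try:
        with open(str(path) + STREAM_SUFFIX, "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:          # no such stream: the file carries no mark
        return None


def apply_motw(path, zone_id: int = ZONE_INTERNET,
               host_url: Optional[str] = None) -> bool:
    """Write a Zone.Identifier stream onto an existing file. Returns True on success."""
    if os.name != "nt":
        return False
    # newline="" keeps the CRLF line endings produced by build_zone_identifier.
    with open(str(path) + STREAM_SUFFIX, "w", encoding="utf-8", newline="") as fh:
        fh.write(build_zone_identifier(zone_id, host_url))
    return True


def remark_extracted_tree(root, zone_id: int = ZONE_INTERNET) -> list:
    """Walk an extraction directory and re-apply MotW to files that lack it,
    so Office macro blocking and SmartScreen prompts apply again.
    Returns the list of files that were re-marked."""
    fixed = []
    for p in Path(root).rglob("*"):
        if p.is_file() and read_motw(p) is None and apply_motw(p, zone_id):
            fixed.append(p)
    return fixed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in remark_extracted_tree(target):
        print("re-marked:", f)
```

Run it against the folder an archive was just extracted into; any file the archiver unpacked without propagating the mark is re-tagged as Internet-zone content. The stream is only written for files that have no Zone.Identifier at all, so files that already carry a stricter zone are left untouched.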

How is MotW Bypassed in Attacks?

Attackers exploited the Mark of the Web (MotW) bypass vulnerability in 7-Zip through a technique involving nested archives. Here’s how they did it:

  • Double Archiving: Attackers created an archive (e.g., a ZIP file) and then placed this archive inside another archive. Because 7-Zip did not propagate the MotW tag to the contents of the inner archive, the files extracted from it carried no mark.

  • Hiding Malicious Content: The malicious payload was placed within the inner archive. When extracted, the files appeared safe and were not flagged by Windows security features.

  • Phishing Campaigns: These double-archived files were distributed through phishing emails, often disguised as legitimate documents or files.

  • Executing Malicious Code: When users extracted and opened the files, the hidden malicious code executed without any warnings from Windows, allowing the attackers to deploy malware such as SmokeLoader.

This method allowed attackers to bypass security checks and deliver their malware to targeted systems undetected, particularly focusing on the Ukrainian government and private organizations.
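A mail gateway or endpoint scanner can flag the double-archiving pattern before anyone extracts it. The following added example (not code from the article or from any vendor) opens a ZIP attachment with Python's standard library, sniffs each entry's leading bytes for archive signatures (ZIP, 7z, RAR, gzip), recurses into nested ZIPs up to a depth limit, and also reports directly executable file types found inside. The sample attachment it builds is constructed in memory with dummy bytes (not a real binary) purely to exercise the detector.

```python
"""Detect archive-in-archive attachments and executables inside them.

Added example, not code from the article. Only ZIP containers are opened
(standard library); other archive formats are recognised by signature
and reported but not unpacked.
"""
import io
import os
import zipfile
from dataclasses import dataclass

ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}
# File types Windows will run directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".msi", ".dll"}
MAX_DEPTH = 4                     # stop recursing into deeply nested archives
MAX_INNER_BYTES = 64 * 1024 * 1024  # do not load oversized inner archives


@dataclass
class Finding:
    path: str    # e.g. attachment.zip/inner.zip/payload.exe
    kind: str    # "nested-zip", "nested-7z", "executable", "max-depth", "too-large"
    depth: int   # 1 = directly inside the attachment


def sniff_archive(head: bytes):
    """Return the archive type whose signature starts *head*, else None."""
    for sig, name in ARCHIVE_SIGNATURES.items():
        if head.startswith(sig):
            return name
    return None


def scan_zip(data: bytes, prefix: str = "attachment.zip",
             depth: int = 1, findings=None) -> list:
    """Recursively scan ZIP *data*; returns a list of Finding objects."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append(Finding(prefix, "max-depth", depth))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a ZIP container: nothing to inspect here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry_path = f"{prefix}/{info.filename}"
            with zf.open(info) as fh:
                head = fh.read(8)   # enough for every signature above
            kind = sniff_archive(head)
            ext = os.path.splitext(info.filename)[1].lower()
            if kind:
                findings.append(Finding(entry_path, f"nested-{kind}", depth))
                if kind == "zip":
                    if info.file_size > MAX_INNER_BYTES:
                        findings.append(Finding(entry_path, "too-large", depth))
                    else:
                        scan_zip(zf.read(info), entry_path, depth + 1, findings)
            elif ext in EXECUTABLE_EXTS:
                findings.append(Finding(entry_path, "executable", depth))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the attachment nests another archive or contains an executable."""
    return any(f.kind.startswith("nested-") or f.kind == "executable"
               for f in scan_zip(data))


def build_sample() -> bytes:
    """Construct a double-archived attachment of the shape described above:
    outer ZIP -> inner ZIP -> a fake executable (dummy bytes, not a real PE)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Document.pdf.exe", b"MZ-dummy-not-a-real-binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("readme.txt", b"plain text, harmless")
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample()):
        print(f"{f.kind:12} depth={f.depth} {f.path}")
```

On the constructed sample the scanner reports the inner ZIP at depth 1 and the executable inside it at depth 2 while ignoring the plain text file; a gateway rule would quarantine on any `nested-*` finding, since a legitimate sender rarely has a reason to wrap one archive in another.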

Based on our research, the following Ukrainian government entities and organizations have been directly targeted or affected by this campaign:

1. State Executive Service of Ukraine (SES) - Ministry of Justice.
2. Zaporizhzhia Automobile Building Plant (PrJSC ZAZ) - Automobile, bus, and truck manufacturer.
3. Kyivpastrans - Kyiv public transportation service.
4. SEA Company - Appliances, electrical equipment, and electronics manufacturer.
5. Verkhovyna District State Administration - Ivano-Frankivsk oblast administration.
6. VUSA - Insurance company.
7. Dnipro City Regional Pharmacy - Regional pharmacy.
8. Kyivvodokanal - Kyiv water supply company.
9. Zalishchyky City Council - City council.

These organizations have been significantly impacted by the zero-day exploit, highlighting the urgent need for enhanced cybersecurity measures.

Potential Indicators of Compromise (IOCs):

In the upcoming blog, we will provide a technical analysis of this vulnerability.

Stay tuned and stay vigilant!