Security News 7-Zip MotW bypass exploited in zero-day attacks against Ukraine

Gandalf_The_Grey

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,601
Content source
https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-in-zero-day-attacks-against-ukraine/
A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024.

According to Trend Micro researchers, the flaw was used in SmokeLoader malware campaigns targeting the Ukrainian government and private organizations in the country.

The Mark of the Web is a Windows security feature designed to warn users that the file they're about to execute comes from untrusted sources, requesting a confirmation step via an additional prompt. Bypassing MoTW allows malicious files to run on the victim's machine without a warning.

When downloading documents and executables from the web or received as an email attachment, Windows adds a special 'Zone.Id' alternate data stream called the Mark-of-the-Web (MoTW) to the file.

When attempting to open a downloaded file, Windows will check if a MoTW exists and, if so, display additional warnings to the user, asking if they are sure they wish to run the file. Similarly, when opening a document in Word or Excel with a MoTW flag, Microsoft Office will generate additional warnings and turn off macros.
Click to expand...
www.bleepingcomputer.com

7-Zip MotW bypass exploited in zero-day attacks against Ukraine

A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: Andy Ful, Zartarra and simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,774
Some precautions to use 7-Zip with MotW support:
  1. People who installed 7-Zip before 2023 should check if MotW support is enabled because earlier versions did not support MotW, and the update did not enable MotW (it must be enabled manually).
  2. The developer patched the MotW exploit in version 24.09, released on November 30. It is necessary to download and install this (or newer) version because 7-Zip does not auto-update.
 
  • +Reputation
Reactions: simmerskool and Gandalf_The_Grey

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
    • Hundred Points
Security News 7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now
Replies
0
Views
409
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
Security News New attack uses MSC files and Windows XSS flaw to breach networks
Replies
1
Views
3,080
Security News
NoVirusThanks
NoVirusThanks
Brownie2019
    • Like
Security News New Windows Zero-Day Exploited by Chinese APT: Security Firm
Replies
0
Views
277
Security News
Brownie2019
Brownie2019

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top