7-Zip MotW bypass exploited in zero-day attacks against Ukraine

Gandalf_The_Grey

A 7-Zip vulnerability that lets attackers bypass the Mark of the Web (MotW) Windows security feature has been exploited by Russian threat actors as a zero-day since September 2024. The flaw, tracked as CVE-2025-0411, is triggered by double archiving: when an archive carrying MotW contains another archive, the files extracted from the inner archive are written to disk without the mark.

According to Trend Micro researchers, the flaw was used in SmokeLoader malware campaigns targeting the Ukrainian government and private organizations in the country.

The Mark of the Web is a Windows security feature designed to warn users that a file they are about to execute came from an untrusted source, adding a confirmation step via an extra prompt. Bypassing MotW allows malicious files to run on the victim's machine without that warning.

When a document or executable is downloaded from the web or saved from an email attachment, Windows attaches an alternate data stream named 'Zone.Identifier' to the file; this stream is the Mark of the Web (MotW). Its contents record the origin zone, with ZoneId=3 meaning the Internet zone.

When the user opens a downloaded file, Windows checks whether the MotW stream exists and, if so, displays additional warnings asking whether they really want to run the file. Similarly, when a document with MotW is opened in Word or Excel, Microsoft Office shows additional warnings and blocks macros.
Some precautions for using 7-Zip with MotW support:
  1. People who installed 7-Zip before 2023 should check if MotW support is enabled because earlier versions did not support MotW, and the update did not enable MotW (it must be enabled manually).
  2. The developer patched the MotW exploit in version 24.09, released on November 30. It is necessary to download and install this (or newer) version because 7-Zip does not auto-update.
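The following PowerShell script is an added example, not code from the article or from the 7-Zip project. It checks the installed 7-Zip version against the fix, then reproduces the double-archiving scenario with a harmless text file: it builds inner.7z inside outer.7z, stamps outer.7z with an Internet-zone Zone.Identifier stream the way a browser download would, extracts both layers with 7z.exe, and reports at each hop whether the mark survived. It assumes 7z.exe sits at the default install path ($SevenZip; adjust if yours differs) and runs on an NTFS volume, which is where alternate data streams exist.

```powershell
# Added example: verify 7-Zip version and MotW propagation through a nested archive.
# Assumption: 7-Zip installed at the default location; change $SevenZip otherwise.
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'
if (-not (Test-Path $SevenZip)) { throw "7z.exe not found at $SevenZip" }

# 1. Version check: CVE-2025-0411 was fixed in 24.09, and 7-Zip does not auto-update.
$installed = [version](Get-Item $SevenZip).VersionInfo.ProductVersion
if ($installed -lt [version]'24.09') {
    Write-Warning "7-Zip $installed is older than 24.09 and is vulnerable to the nested-archive MotW bypass."
} else {
    "7-Zip $installed is at or above the patched release 24.09."
}

# 2. Build a constructed test case in a scratch directory: note.txt -> inner.7z -> outer.7z.
$Work = Join-Path $env:TEMP 'motw-check'
Remove-Item $Work -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Work | Out-Null
$payload = Join-Path $Work 'note.txt'
$inner   = Join-Path $Work 'inner.7z'
$outer   = Join-Path $Work 'outer.7z'
Set-Content -Path $payload -Value 'harmless test content'
& $SevenZip a -bso0 $inner $payload | Out-Null
& $SevenZip a -bso0 $outer $inner   | Out-Null

# 3. Stamp outer.7z as if it had been downloaded from the Internet zone (ZoneId=3).
Set-Content -Path $outer -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# 4. Extract the outer archive, then the inner one, as a victim would.
$stage1 = Join-Path $Work 'stage1'
$stage2 = Join-Path $Work 'stage2'
& $SevenZip x -bso0 -y "-o$stage1" $outer | Out-Null
& $SevenZip x -bso0 -y "-o$stage2" (Join-Path $stage1 'inner.7z') | Out-Null

# Returns $true when the file carries a Zone.Identifier stream with ZoneId=3.
function Test-MotW {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
    if ($null -eq $stream) { return $false }
    return [bool]($stream -match 'ZoneId=3')
}

# 5. Report whether the mark survived each hop.
[pscustomobject]@{ File = 'outer.7z (downloaded)';          HasMotW = Test-MotW $outer }
[pscustomobject]@{ File = 'inner.7z (extracted from outer)'; HasMotW = Test-MotW (Join-Path $stage1 'inner.7z') }
[pscustomobject]@{ File = 'note.txt (extracted from inner)'; HasMotW = Test-MotW (Join-Path $stage2 'note.txt') }
```

The first row is always True because the script stamps the stream itself. The second and third rows are what matter: if either reads False, 7-Zip on that machine is either too old or has Zone.Id propagation disabled in Tools > Options, and files unpacked from a downloaded archive will run without the SmartScreen prompt. Run the script again after updating or changing the setting to confirm all three rows are True.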